Can Cisco ASA or IOS router be a client of SSL VPN?

luckhorse
Level 1

I would like to know if a Cisco ASA or IOS router can be a client of SSL VPN? Thanks.

nkarthikeyan
Level 7

Hi Hui,

Yes. Of course, at the client end all you need is to allow only the specific ports for connecting with the VPN server. In the case of SSL, you need to allow the specific ports like 443 in the client-end firewall or router specific to the VPN peer. That will work.

Please do rate if the given information helps.

By

Karthik

luckhorse
Level 1

Thanks Karthik,

Your answer really encourages me.

For my understanding, to be a client of SSL VPN, it has to initiate the SSL VPN session and point to the SSL VPN server. Could you please let me know how to input these commands into the ASA?

Best Regards,

Hui

You can use the ASDM, and there is a wizard for all kinds of VPNs.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

Regards,
Jose Luis B.
Don't forget to rate if the help was useful to you.

Please do rate if the given information helps.

Hi Hui,

Yes. You can just allow port 443 (HTTPS) in your ASA/router towards the SSL VPN server. That will make it work.

Just a simple ACL like the below:

access-list insidetooutside extended permit tcp host eq 443.

Please do rate if the given information helps.

By

Karthik

Hui,

Are you asking if you can set up a site-to-site tunnel using SSL? I don't think you can, since you can't set the IOS device as an SSL client. I think there may be some confusion because your question seems to be asking if the router and the ASA can have a client-to-server SSL VPN relationship. If that is your question then know, for site-to-site tunnels SSL is not a method you can use, or at least I haven't heard of one.

thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

That's my question. I'd like to know if the ASA can be the client of SSL VPN to terminate the SSL VPN and decrypt the traffic, and then the ASA can route it again. The same function as site-to-site VPN. But for SSL I would have to call it client-to-server SSL VPN (it can only initiate the session from the client). Even for IOS routers, I could not find any model that supports this function -- being a client of SSL VPN.

Hi Karthik,

Thanks for your reply.

It's good to allow the SSL traffic to come in on TCP 443, but the SSL VPN server could not initiate the SSL session. I think as a client of SSL VPN, the ASA needs to be configured with commands which point to the server.

Hui

Dear Hui,

I am sorry but I am afraid to disagree with the previous posts.

Neither the Router nor the ASA can act as SSL clients; they can be servers for SSL connections such as AnyConnect and WebVPN, but not clients.

Am I getting your question wrong?

Let me know.

Thanks.

Please rate if you find it helpful.

Hi Javier,

Thanks for your timely reply. You answered my question with "Neither the Router nor the ASA can act as SSL clients".

If the ASA or IOS router could act as an SSL client, that would be helpful. Like IPSec EZVPN, routers can play the role of client.

Hui

I am glad to hear that.

Indeed the ASA5505 and Cisco Routers can be EzVPN clients.

Please mark this question as answered if you do not have any further questions.

Let me know.

Rate any post you find helpful.

Hi Hui,

Kindly regret if my earlier posts were wrong. I totally misunderstood your query.

By

Karthik

Hi Karthik,

I give you five stars

Have a good one!
