
TOPIC: Security Policies ASA 5505

Security Policies ASA 5505 7 years 10 months ago #28995

timparker (Distinguished Member, Posts: 96, Karma: 0)
Can someone help me get my head around writing policies for this? I have 3 interfaces set up on mine (DMZ, INSIDE, OUTSIDE).

For example, I want to set up a rule to allow me as a VPN user (I can get connected, but that's it so far) to use Remote Desktop to my workstation in our office.

I have the laptop set up to get IP 192.168.5.10 when it connects. The workstation is 192.168.16.35. I know that Remote Desktop is port 3389.

Do I create a rule in the outside or inside section? I am somewhat new at this and am getting a bit confused by the fact that it comes in on the OUTSIDE interface, so I think I should set it up there, but my workstation is on the INSIDE so I figure I have to do some NAT magic or something...

TIA for any help you can give me.

Tim

Re: Security Policies ASA 5505 7 years 10 months ago #28997

skepticals (Expert Member, Posts: 783, Karma: 0)
What type of VPN are you using? Are you VPNing into the ASA?

Normally, without a VPN you need:
1) An ACL/Policy applied to the OUTSIDE allowing access from the outside to the inside server with a port of 3389.

2) You will need a magical static NAT translation between your external IP address and the internal server you want to connect to.

However, if you connect via VPN and are on the same VLAN and INSIDE interface, I don't think you need any of that Jazz because you are connected via VPN...

Re: Security Policies ASA 5505 7 years 10 months ago #28999

timparker (Distinguished Member, Posts: 96, Karma: 0)
What type of VPN are you using? Are you VPNing into the ASA?

It's a remote access VPN to the ASA. I will eventually have our 10-15 remote users set up to use this once I have all the kinks worked out.
Normally, without a VPN you need:
1) An ACL/Policy applied to the OUTSIDE allowing access from the outside to the inside server with a port of 3389.

2) You will need a magical static NAT translation between your external IP address and the internal server you want to connect to.

It was recommended through a newsgroup that I set up a different subnet for my VPN users. So I created a pool and assigned it to the tunnel. So now I have VPN users that will be connecting as 192.168.5.x and the LAN (INSIDE) is 192.168.16.x. Doesn't this add complexity, as I now think I need to change the .5.x to a .16.x to get it to work on the internal LAN, or am I missing the mark?

Re: Security Policies ASA 5505 7 years 10 months ago #29005

skepticals (Expert Member, Posts: 783, Karma: 0)
timparker,

Honestly, I am not the best person to talk to because I do not have a great deal of experience with remote access VPNs; however, I believe you still need a static NAT translation from your remote VLAN to your internal VLAN. You will also need an ACL/policy allowing the 3389 traffic from the remote VLAN to the internal VLAN.

You *could* change the .5.x to .16.x, but it is more secure to leave them in different VLANs.

What is your overall goal? A user connects to the VPN then needs to remote desktop to another PC?
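The two paths discussed in this thread (skepticals' "without a VPN" ACL-plus-static-NAT recipe, and the later remote-access pool on 192.168.5.x reaching the 192.168.16.x LAN) written out as an ASA configuration. This is an added example, not config from either poster; it uses ASA 8.2-and-earlier syntax (the era of this thread; NAT commands changed in 8.3+), the object names OUTSIDE_IN, NO_NAT, VPN_POOL and RA_GP are assumed, the pool range is constructed, and for the VPN path it uses NAT exemption (nat 0) rather than the static translation skepticals mentions, since the VPN clients are meant to reach the LAN with their real addresses.

```cisco
! Added example, not from the thread. Assumed names: OUTSIDE_IN, NO_NAT, VPN_POOL, RA_GP.
! Addresses (192.168.16.35, 192.168.5.x, 192.168.16.x, port 3389) come from the thread.

! --- Path 1: RDP published directly to the Internet (skepticals' "without a VPN" case) ---
! Static PAT: <outside interface address>:3389 -> workstation 192.168.16.35:3389
static (inside,outside) tcp interface 3389 192.168.16.35 3389 netmask 255.255.255.255
! Inbound ACL on OUTSIDE. Pre-8.3 ACLs match the mapped (outside) address.
! "any" exposes RDP to the whole Internet; narrow the source to known admin addresses where possible.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 3389
access-group OUTSIDE_IN in interface outside

! --- Path 2: remote-access VPN pool 192.168.5.x reaching the INSIDE LAN 192.168.16.x ---
ip local pool VPN_POOL 192.168.5.10-192.168.5.50 mask 255.255.255.0
group-policy RA_GP internal
group-policy RA_GP attributes
 address-pools value VPN_POOL
! NAT exemption: traffic between INSIDE and the VPN pool keeps its real addresses,
! so no static translation is needed for the VPN clients.
access-list NO_NAT extended permit ip 192.168.16.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
! By default "sysopt connection permit-vpn" lets decrypted VPN traffic bypass interface ACLs,
! which is why a connected VPN user needs no ACL at all. Turning it off subjects VPN users
! to OUTSIDE_IN, so only RDP from the pool to the workstation is allowed through.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 192.168.5.0 255.255.255.0 host 192.168.16.35 eq 3389
```

The rule for the VPN users goes on the OUTSIDE interface because that is where the tunnel terminates; nothing is needed on INSIDE for this direction. Path 1 and Path 2 are independent: a site that only wants VPN access should omit the `static` and the `permit tcp any` line entirely.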

Re: Security Policies ASA 5505 7 years 10 months ago #29006

timparker (Distinguished Member, Posts: 96, Karma: 0)
That is just one thing that some will need (admins mainly). For the most part it will be opening some network shares to edit and use files, and hitting a couple of internal web sites (custom applications).

Re: Security Policies ASA 5505 7 years 10 months ago #29010

timparker (Distinguished Member, Posts: 96, Karma: 0)
Thanks for the help! I was able tonight to get it working and connect through the VPN! I did change the VPN clients to 192.168.5.x.

I do now have some other questions which I did post to comp.dcom.sys.cisco on VPN clients and best practices/how-to.

If anyone is an expert with this, or at least has some experience, please speak up. I do have some more questions for when I start testing with more than one user.

I am now off to figure out my specific rules and NAT that is needed.