SSL-VPN and ASDM-Cisco Adaptive Security Device Manager Conflict

Today I am going to talk about SSL VPN and ASDM (Cisco Adaptive Security Device Manager): how the two differ, and how each of the two scenarios below is configured. In addition to IPSec VPN, Cisco firewalls also support SSL VPN for giving remote users access to internal resources. The main difference between IPSec VPN and SSL VPN is that IPSec VPN requires a VPN client installed on the user's laptop, whereas SSL VPN needs only a browser that supports HTTPS.

Another difference is that IPSec VPN delivers full network connectivity to the hub site, so the remote user has the same access to applications as a user on the local LAN. SSL VPN, on the other hand, delivers more limited application access compared with IPSec VPN.

The applications that can be reached over SSL VPN include internal websites, web-enabled applications, NT/Active Directory file shares, e-mail proxies (POP3S, IMAP4S and SMTPS), MS Outlook Web Access, and port forwarding to some other TCP-based applications.

In other words, remote users can build a protected SSL VPN tunnel over the Internet and reach application resources located in the hub enterprise LAN using only a web browser (HTTPS).

Next we will see how to enable SSL VPN on the firewall, and how to avoid a port conflict with ASDM (the web GUI management interface) when both are enabled on the same firewall interface.

Fig 1.1- Sample Topology
Both SSL VPN and ASDM use HTTPS for communication, which listens on TCP port 443 by default. If we want to allow ASDM (Cisco Adaptive Security Device Manager) management access on the same interface as SSL VPN (usually the "outside" interface), we must change the listening port of either the SSL VPN or the ASDM. Let's look at both scenarios.

Scenario I : Change the port of ASDM
RouteXP_ASA(config)# http server enable 444
RouteXP_ASA(config)# http 200.200.200.1 255.255.255.255 outside
RouteXP_ASA(config)# webvpn
RouteXP_ASA(config-webvpn)# enable outside

In the scenario above, ASDM listens on port 444 while SSL VPN keeps the default port 443; the "http 200.200.200.1 255.255.255.255 outside" line restricts ASDM access on the outside interface to that single address. With this configuration, the remote administrator on address 200.200.200.1 starts an ASDM session by entering:

https://<Outside-Address>:444 in the browser.
Normal SSL VPN users start their SSL VPN sessions by entering https://<Outside-Address>

Scenario II : Change the port of SSL VPN
RouteXP_ASA(config)# http server enable
RouteXP_ASA(config)# http 200.200.200.1 255.255.255.255 outside
RouteXP_ASA(config)# webvpn
RouteXP_ASA(config-webvpn)# port 444
RouteXP_ASA(config-webvpn)# enable outside

In this scenario, ASDM listens on the default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator on address 200.200.200.1 starts an ASDM session by entering:

https://<Outside-Address> in the browser.
Normal SSL VPN users start their SSL VPN sessions by entering
https://<Outside-Address>:444
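As an added example (not from the original post), here is a small Python checker for the two scenarios above: it parses either a pasted CLI session or a running-config dump, works out which port and interfaces ASDM and the SSL VPN portal would each listen on, and reports any interface where the two would collide on the same port. The prompt pattern, the conflicting sample configuration, and the assumption that ASDM only listens on interfaces named in "http <host> <mask> <interface>" lines are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_HTTPS_PORT = 443  # ASDM and the SSL VPN portal both default to this

@dataclass
class Listeners:
    asdm_port: Optional[int] = None  # None until "http server enable" is seen
    asdm_ifaces: Set[str] = field(default_factory=set)  # assumption: from "http" access lines
    webvpn_port: int = DEFAULT_HTTPS_PORT
    webvpn_ifaces: Set[str] = field(default_factory=set)

    def conflicts(self) -> Set[str]:
        """Interfaces on which ASDM and SSL VPN would both claim the same TCP port."""
        if self.asdm_port is None or self.asdm_port != self.webvpn_port:
            return set()
        return self.asdm_ifaces & self.webvpn_ifaces

# Matches a pasted prompt such as "RouteXP_ASA(config-webvpn)# enable outside" (my pattern)
PROMPT = re.compile(r"^\S*\s*\((config[^)]*)\)#\s*(.*)$")

def summarize_listeners(config_text: str) -> Listeners:
    """Accepts a pasted CLI session (with prompts) or a running-config dump (indented sub-modes)."""
    found, in_webvpn = Listeners(), False
    for raw in config_text.splitlines():
        m = PROMPT.match(raw.strip())
        if m:  # session paste: the prompt names the current mode
            in_webvpn = m.group(1) == "config-webvpn"
            line = m.group(2).strip()
        else:  # config dump: an unindented line is top level and ends any sub-mode
            line = raw.strip()
            if raw and not raw[0].isspace():
                in_webvpn = line == "webvpn"
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if in_webvpn:
            if words[0] == "port" and len(words) == 2:
                found.webvpn_port = int(words[1])
            elif words[0] == "enable" and len(words) == 2:
                found.webvpn_ifaces.add(words[1])
        elif words[:3] == ["http", "server", "enable"]:
            found.asdm_port = int(words[3]) if len(words) > 3 else DEFAULT_HTTPS_PORT
        elif words[0] == "http" and len(words) == 4:  # http <host> <mask> <interface>
            found.asdm_ifaces.add(words[3])
    return found

# Constructed running-config fragment with the conflict the post warns about: both on 443/outside
CONFLICTING_CONFIG = "http server enable\nhttp 200.200.200.1 255.255.255.255 outside\nwebvpn\n enable outside\n"
```

Running summarize_listeners(CONFLICTING_CONFIG).conflicts() returns {"outside"}, while either scenario from the post returns an empty set.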