Today I am going to talk about SSL VPN and ASDM (Cisco Adaptive Security Device Manager), the difference between them, and the configuration for both scenarios. In addition to IPSec VPN, Cisco firewalls also support SSL VPN for giving remote users access to internal resources. The main difference between IPSec VPN and SSL VPN is that IPSec VPN requires a VPN client installed on the user's laptop, while clientless SSL VPN needs only a browser that supports HTTPS.
Another difference is that IPSec VPN delivers full network connectivity to the hub site, so the remote user has the same access to applications as a user on the local LAN. Clientless SSL VPN, on the other hand, delivers only limited, application-level access compared with IPSec VPN.
The applications that can be reached over clientless SSL VPN include internal websites, web-enabled applications, NT/Active Directory file shares, e-mail proxies (POP3S, IMAP4S and SMTPS), MS Outlook Web Access, and port-forwarding access to some other TCP-based applications.
In other words, remote users can build a protected SSL VPN tunnel over the Internet and reach application resources in the hub enterprise LAN using nothing more than a web browser (HTTPS).
Next we will see how to enable SSL VPN on the firewall, and how to avoid a port conflict with ASDM (the web GUI management interface) when both are enabled on the same firewall interface.
Fig 1.1- Sample Topology
Both SSL VPN and ASDM use HTTPS, which listens on TCP port 443 by default. If we want to allow ASDM management on the same interface as SSL VPN (usually the "outside" interface), then we must move either the SSL VPN listener or the ASDM listener to a different port. (ASA can also serve both on 443 on the same interface, in which case ASDM is reached by adding /admin to the URL, but giving each service its own port keeps the two cleanly separated.) Let's look at both scenarios.
Scenario I : Change the port of ASDM
RouteXP_ASA(config)# http server enable 444
RouteXP_ASA(config)# http 200.200.200.1 255.255.255.255 outside
RouteXP_ASA(config)# webvpn
RouteXP_ASA(config-webvpn)# enable outside
In the above scenario, ASDM listens on port 444 while SSL VPN keeps the default port 443. With this configuration, the remote administrator at address 200.200.200.1 (the only source the http command permits, so keep that statement as narrow as possible rather than opening it to 0.0.0.0 0.0.0.0) starts an ASDM session by entering:
https://<Outside-Address>:444
in the browser.
Normal SSL VPN users start SSL VPN sessions by entering https://<Outside-Address>
Scenario II : Change the port of SSL VPN
RouteXP_ASA(config)# http server enable
RouteXP_ASA(config)# http 200.200.200.1 255.255.255.255 outside
RouteXP_ASA(config)# webvpn
RouteXP_ASA(config-webvpn)# port 444
RouteXP_ASA(config-webvpn)# enable outside
In this scenario, ASDM listens on the default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator at address 200.200.200.1 starts an ASDM session by entering:
https://<Outside-Address>
in the browser.
Normal SSL VPN users start SSL VPN sessions by entering
https://<Outside-Address>:444
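As an added example (not part of the original post, and not Cisco's own code), here is a small Python checker that reads an ASA running-config snippet and reports the interfaces on which ASDM and clientless SSL VPN would both listen on the same TCP port. It assumes show running-config formatting (webvpn sub-commands indented by one space), recognises only IPv4 http access statements, and the three config snippets embedded in it are constructed to mirror Scenario I, Scenario II, and the unresolved clash that both scenarios are meant to avoid.

```python
"""Check an ASA running-config for an ASDM / clientless SSL VPN port clash.

Added example, not Cisco code. Assumes `show running-config` formatting:
webvpn sub-commands are indented by one space, and only IPv4 `http`
access statements are recognised.
"""
import re
from dataclasses import dataclass, field

DEFAULT_HTTPS_PORT = 443  # both ASDM and clientless SSL VPN default to 443

HTTP_SERVER_RE = re.compile(r"^http server enable(?: (\d+))?$")
HTTP_ACCESS_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
WEBVPN_PORT_RE = re.compile(r"^port (\d+)$")
WEBVPN_ENABLE_RE = re.compile(r"^enable (\S+)$")


@dataclass
class Listeners:
    asdm_enabled: bool = False
    asdm_port: int = DEFAULT_HTTPS_PORT
    asdm_interfaces: set = field(default_factory=set)    # from `http <ip> <mask> <iface>`
    webvpn_port: int = DEFAULT_HTTPS_PORT
    webvpn_interfaces: set = field(default_factory=set)  # from `enable <iface>` under webvpn


def parse_listeners(config: str) -> Listeners:
    """Collect ASDM and SSL VPN listener settings from a config text."""
    found = Listeners()
    in_webvpn = False
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            # Any top-level line ends the global webvpn block; `webvpn` itself opens it.
            in_webvpn = (line == "webvpn")
            if in_webvpn:
                continue
            m = HTTP_SERVER_RE.match(line)
            if m:
                found.asdm_enabled = True
                if m.group(1):
                    found.asdm_port = int(m.group(1))
                continue
            m = HTTP_ACCESS_RE.match(line)
            if m:
                found.asdm_interfaces.add(m.group(3))
            continue
        if not in_webvpn:
            continue  # indented line of some other block (e.g. group-policy attributes)
        m = WEBVPN_PORT_RE.match(line)
        if m:
            found.webvpn_port = int(m.group(1))
            continue
        m = WEBVPN_ENABLE_RE.match(line)
        if m:
            found.webvpn_interfaces.add(m.group(1))
    return found


def port_conflicts(config: str) -> list:
    """Interfaces where ASDM and SSL VPN would both listen on the same TCP port."""
    found = parse_listeners(config)
    if not found.asdm_enabled or found.asdm_port != found.webvpn_port:
        return []
    return sorted(found.asdm_interfaces & found.webvpn_interfaces)


# Constructed config snippets: the two scenarios from the post, plus the clash they avoid.
SCENARIO_I = """\
http server enable 444
http 200.200.200.1 255.255.255.255 outside
webvpn
 enable outside
"""
SCENARIO_II = """\
http server enable
http 200.200.200.1 255.255.255.255 outside
webvpn
 port 444
 enable outside
"""
UNRESOLVED = """\
http server enable
http 200.200.200.1 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
webvpn
 enable outside
"""

if __name__ == "__main__":
    for name, cfg in [("Scenario I", SCENARIO_I), ("Scenario II", SCENARIO_II),
                      ("Unresolved", UNRESOLVED)]:
        clash = port_conflicts(cfg)
        print(f"{name}: {'clash on ' + ', '.join(clash) if clash else 'no port clash'}")
```

Run it after pasting the relevant lines of show running-config into one of the string constants; only interfaces named in both an http access statement and a webvpn enable statement are reported, so an inside-only ASDM access rule never counts as a clash with an outside-only SSL VPN listener.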