ASA5505 Remote Access + VPN Planning (n00b)

[HeavyHand]

Hello All. I am a jR. level IT guy with a little experience with a lot of things. As it is routing and the like are one of the things I haven't touched yet at all. The old dog just up and quit, and as he was the only other IT guy at my place of employment that gets to change. Immediately. I don't have config questions (yet), just making sure I nail down the basics/design on this first. Just trying to make sure I don't end up with my pants down and users that can't get their work done.

On to the situation. I've been tasked with completing the remote access project that the last guy just started before he walked, and what he gave me (bought already) is an, as mentioned, ASA5505 with DMZ license.

All the remote clients use Windows work stations, a few XP, a few vista and we are a month-ish away from getting a batch of 7 units to replace so older machines. so it should be fairly simple to do a L2TP/IPSec VPN.

The setup currently, that is up and running without issue, is as follows.

DSL modem, doing the NAT. I believe this is a Motorola product.

ASA configured with 2 networks enabled:
-outside; attached to the DSL
-inside; attached to my LAN that has ~25 users and lots and lots of confidential records that the FDA wouldn't like anyone else seeing.

Today I configured a win2k3 to be my routing & remote access server, it will also be a terminal server. Also should be mentioned in the event someone knows about a compatibility issue that I don't it is the server that has been running WSUS/IIS and would like to leave that alone if that is possible. Seems reasonable to me to put all the things that would touch the internet on 1 box. On that note I would be putting a DNS forwarder here too.

Now on to my questions.

I would want to put that server on my DMZ? Or I could put it on the subnet between my router and the ASA, as I believe that is acting as an empty DMZ?

Would it be best to try to configure my modem to pass through to my ASA? This would effectively put the ASA up against the cloud and necessitate adding the NAT functionality to this device?

I can't tell if I'm over thinking things or just don't know what the hell I'm talking about. Anyone venture a guess?

thanks for any input.

 

[unclerico]

1) put the dsl modem in bridge mode and move the NAT functionality onto the ASA
2) don't hang a terminal server out there for easy access. the ASA provides IPSec and/or SSL VPN capabilities for a reason. if you use the device to its fullest potential and you will see the greatest benefit
3) if possible use the AnyConnect/WebVPN functionality of the ASA instead of the IPSec features if you can. it's not that IPSec won't get the job done, it's just the the SSL VPN features are more user friendly
4) you won't need RRAS on the 2k3 box unless you were planning on doing the L2TP termination there, which I would not do.
5) the fact that this box is going to be a WSUS box as well as hold other roles, i would keep it on the inside and put something else in the DMZ
6) with only a single firewall, your best bet for a DMZ would be to create a third VLAN on the ASA, give it a security-level of 50 and plug your exposed box(es) into access ports on this new VLAN

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[HeavyHand]

ok.im on board with you.
so if im using the asa in conjunction with a cisco vpn client i wouldn't really need to put/expose any machineon a dmz?

or do i still wasn't to use a dmz with as little as possible out there (dns forwarder?) as another layer of protection?

 

[unclerico]

no you wouldn't really need to expose anything in a DMZ unless it needs external access such as you DNS server

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[HeavyHand]

Can anyone tell me why the VPN client software doesn't ship with the 5505, but does with the rest of the 5500 line?

Quick answer: Money.

That's fine. I just wish they would have made that information available.

Now they want ~$3800 for a service contract to be able to download the software from their sight. It would have cost....$800? to get a 5510 over and above the 5505?

What a load.

 

[unclerico]

sorry man. i'm sure there are some torrents available.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[HeavyHand]

haha. It had occurred to me. =]

I was keeping my mouth shut as I've seen you post a lot in this section and thought you may be in some way affiliated with the company.

That still doesn't make me feel any better about Cisco as a company.

On the whole I am left with a sour taste in my mouth about them today.


Sure I can steal their software, but if they would have just let us know about the limitation we would have gladly purchased what was needed from the onset.

On top of that I just got done with an online tech/chat session with one of their people and they gave me the contact info of my "closest" Cisco partner. It's a place 40 miles away on the other side of Chicago. Their address is listed as right down the street from me on Cisco's site, but just googling the company brings up their real address. Come on - get it together.

Yes, I know, it doesn't really matter. All I need is a download. I'm just disappointed in the support from the company I guess.

And, I really felt like I was being talked down to at first also.

<chata>
Charles: Thank you for patiently waiting, as I have checked since you already have the licensing on the device itself for number of VPN users, you just have to have the Cisco partner configure it.
Charles: By the way do you have a Cisco partner?
Kyle: why can't i configure it myself?
Kyle: and no, i don't
Charles: Or the other is if you have the service contract, you can have the technical support department assist you on this.
</chat>

Issues of that nature frustrate me more than the speed bumps associated with learning a new technology, ya know?

I just want to be told upfront, in a straight forward manner what it is my choices are when buying, and when I need the support of the company, do it right. I guess that is too much to ask of some people.

 

[HeavyHand]

...but i guess i should quit wasting breath about it and get back to work making computers not explode, eh?

 

[unclerico]

nope, not affiliated with the company. i am certified with their gear, but i love juniper gear a lot more

also, i don't think you're stealing their software because you've already paid for the Sec+ product. ridiculous if you ask me.

good luck

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[HeavyHand]

you are probably the 4th person this week who i know is more informed on this topic than me that has given the thumbs up to juniper.

Maybe I've just been driving a truck too long but why don't I hear more about them?

 

[unclerico]

they don't advertise like Cisco does. if you look at the magic quadrant for any type of data center or service provider level gear, they are at or near the top. don't get me wrong, cisco is good stuff, but sometimes they just try to be everything to everybody and it gets a little old.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[HeavyHand]

Ok, seems i need a bit of help with the actual configuration on the box.

What I now have going on is what was recommended above.

-modem in bridge mode.
-ASA receiving outside IP from the ISP, and doing the NAT.

as a result everything/everyone inside has internet access.

-DMZ subnet disabled.
-SSL & IPSec rules configured in the ASA



To test this connection I have a win vista and a win7 laptop with a sprint broadband card for outside access, if it should matter.

The Cisco VPN client 4.8 doesn't get along with these OS.
Anyconnect 2.4 installs and runs fine.
And I am able to access the webVPN portal.

I have a local test user setup in the ASA. When monitoring the real time log, as I try to log in with that user the ASA accepts the credentials, starts the connection then immediately drops it. Log of this activity is below.

I'm sure this is obvious to those familiar, but here it is anyway:
184.x.6.x = client IP
99.x.70.x = ASA outside IP

6|Jan 18 2011|10:57:50|725007|184.x.6.x||SSL session with client The.Cloud:184.x.6.x/50309 terminated.
6|Jan 18 2011|10:57:49|302014|184.x.6.x|99.x.70.x|Teardown TCP connection 1397779 for The.Cloud:184.x.6.x/50309 to NP Identity Ifc:99.x.70.x/443 duration 0:00:01 bytes 6144 TCP Reset-O
6|Jan 18 2011|10:57:48|113008|||AAA transaction status ACCEPT : user = test
6|Jan 18 2011|10:57:48|113009|||AAA retrieved default group policy (DfltGrpPolicy) for user = test
6|Jan 18 2011|10:57:48|113011|||AAA retrieved user specific group policy (MicroWorks.Remote.Users) for user = test
6|Jan 18 2011|10:57:48|113003|||AAA group policy for user test is being set to MicroWorks.Remote.Users
6|Jan 18 2011|10:57:48|113012|||AAA user authentication Successful : local database : user = test
6|Jan 18 2011|10:57:48|725002|184.x.6.x||Device completed SSL handshake with client The.Cloud:184.x.6.x/50309
6|Jan 18 2011|10:57:48|725001|184.x.6.x||Starting SSL handshake with client The.Cloud:184.x.6.x/50309 for TLSv1 session.
6|Jan 18 2011|10:57:48|302013|184.x.6.x|99.x.70.x|Built inbound TCP connection 1397779 for The.Cloud:184.x.6.x/50309 (184.x.6.x/50309) to NP Identity Ifc:99.x.70.x/443 (99.x.70.x/443)
6|Jan 18 2011|10:57:48|725001|184.x.6.x||Starting SSL handshake with client The.Cloud:184.x.6.x/50308 for TLSv1 session.
6|Jan 18 2011|10:57:48|302013|184.x.6.x|99.x.70.x|Built inbound TCP connection 1397778 for The.Cloud:184.x.6.x/50308 (184.x.6.x/50308) to NP Identity Ifc:99.x.70.x/443 (99.x.70.x/443)


I realize reset-O, is that the connection was reset from the outside. Does that mean the response to the client is timing out or am I way off the mark?

Gotta say I'm stumped on this one...

Any suggestions out there?