0

We have an ASA 5505 and I am trying to create an IPsec VPN connection so that our users are able to connect to the network when they are out of the office.

They will be connecting with the VPN connection software included in Windows 7.

Would you guys suggest having them connect to the ASA 5505 via VPN (thus gaining network access), or should I create a NAT rule to forward all traffic to a VPN server (Server 2008 R2) and have it handle it?

Trying to make sure I'm taking the correct route with the VPN connection to the ASA.

Thanks!

Lbaker101

2 Answers

2

Avoid NAT'ing IPsec wherever possible. IPsec is not NAT friendly, and only works because of workarounds and hacks that have been developed.

See this post for a list of the workarounds.

If you have green field, forgo the IPsec remote access VPN for Cisco's AnyConnect VPN client -- based on SSL/TLS.

The ASA5505 comes with 2x AnyConnect Premium licenses but can be upgraded to an AnyConnect Essentials license for less than $100 that will give you the 5505 platform VPN maximum of 25 AnyConnect Essentials remote clients.

AnyConnect's SSL/TLS is much more firewall friendly, will work reliably from coffee shops, airports, and other heavily NAT'd hotspots. The AnyConnect client is IMHO simpler, cleaner, and easier to use by end users.

However, if you must stick to IPsec, my vote is to keep the ASA as the endpoint.

Weaver
  • I second using the AnyConnect SSL solution. If you have users who travel on a regular basis it won't be long before they are in a hotel that only allows 80 and 443 out. – Leroy Clark Sep 09 '11 at 21:07
  • The company does not have an active account with Cisco so I am unable to download the AnyConnect software. This is why I have been trying to use Windows. It does make sense that they would block you from being able to connect directly to them though. – Lbaker101 Sep 09 '11 at 22:40
  • Is the ASA behind NAT? If not, then definitely use the ASA as the target for your IPsec clients. – dunxd Sep 13 '11 at 10:01
1

As far as I know the ASA doesn't support connections from the native Windows VPN software. It requires the installation of the Cisco VPN software on the user's desktop. If you want your users to use the native Windows VPN software I would recommend using a Windows server as the VPN endpoint.

mrdenny
  • It really depends on the type of VPN and what version of Windows. If you are running IPsec there are options to use that with Windows 7. PPTP and SSL VPNs are also supported under Windows. PPTP is the default VPN with Windows 7. – Squidly Sep 09 '11 at 22:54