Cisco ASA Firewall – Web Administration and Web VPN

Cisco ASA Firewalls (ASA 5500 series) offer several ways to remotely administer and manage the device: SSH access, Telnet access, and web (HTTP) access. The last one (HTTP access) makes use of the ASDM (Adaptive Security Device Manager), a powerful graphical application for administering and managing the firewall. The ASDM application file is stored on the firewall's flash and is accessed from a browser over HTTPS.

To gain access to the graphical ASDM web management tool you need to enable the HTTPS server on the firewall and allow HTTPS connections from your management hosts.

Enabling HTTPS Access

  1. Generate cryptographic keys for HTTPS
  2. Enable the web server on the firewall
  3. Specify which management PCs are allowed to access the device

Example:
ASA(config)# crypto key generate rsa modulus 1024
ASA(config)# write mem
ASA(config)# http server enable
ASA(config)# http 192.168.1.2 255.255.255.255 inside
ASA(config)# http 192.168.1.5 255.255.255.255 inside

The example above enables HTTPS access and allows it only from two IP addresses (192.168.1.2 and 192.168.1.5) on the inside interface of the firewall.

Now, in order to access the graphical ASDM web interface from a PC (e.g. from the PC with address 192.168.1.2), just open a web browser and enter the URL https://<inside firewall IP address>.

Web VPN

Web VPN (or SSL VPN, or clientless VPN) is a newer type of remote VPN access that uses a browser over the HTTPS protocol. A remote teleworker, for example, can access internal corporate services and resources using his/her browser over a secure connection. The teleworker just points the browser to the external public IP address of the corporate ASA firewall, which authenticates the user and gives him secure access to the internal network.

However, if you use both ASDM and Web VPN on the same firewall interface, there is going to be a conflict, since both of these services use the default HTTPS port (443). To avoid this conflict we can change the default listening port of the Web VPN service to something other than 443. Let's see an example:

Example:

ASA(config)# http server enable
ASA(config)# http 100.100.1.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

In the example above, we enabled HTTP access for management (ASDM) on the outside interface, and we also enabled Web VPN access on the outside interface using a different port (444). This way we avoid a conflict between the two services: ASDM access listens on the default port 443 and Web VPN listens on port 444.

In this case, in order for a remote teleworker to reach the Web VPN service on the outside interface, he needs to point his browser to https://<external IP of Firewall>:444.
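Both procedures above (restricting ASDM access to specific management hosts, and keeping ASDM and Web VPN off the same interface/port pair) are easy to get wrong when a config is edited later. The following is an added example, not part of the original article and not Cisco's own tooling: a small Python script that reads an ASA running-config excerpt and flags two things: an `http` management entry whose mask is broader than a single host, and ASDM and Web VPN both enabled on the same interface with the same port (ASDM on the default 443 when `http server enable` carries no explicit port, Web VPN on the default 443 when the `webvpn` block has no `port` line). The sample config is constructed inline and is modelled on the commands shown in the article; `parse_config` and `audit` are names chosen for this example.

```python
"""Audit an ASA running-config excerpt for ASDM (HTTPS) and Web VPN exposure.

Added example, not from the original article. It checks that:
  * every `http <ip> <mask> <iface>` entry is a single-host (/32) entry
  * ASDM and Web VPN are not both listening on the same interface and port
"""
import ipaddress
import re

# Constructed sample running-config, modelled on the article's commands.
# The `http 0.0.0.0 0.0.0.0 outside` line is deliberately permissive so the
# audit has something to flag.
SAMPLE_CONFIG = """\
http server enable
http 192.168.1.2 255.255.255.255 inside
http 192.168.1.5 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
webvpn
 port 444
 enable outside
"""

HTTP_ENTRY_RE = re.compile(
    r"^http\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)
# `http server enable [port]` -- ASDM listens on 443 unless a port is given.
HTTP_SERVER_RE = re.compile(r"^http server enable(?:\s+(\d+))?$")


def parse_config(text):
    """Return (asdm, webvpn) dicts describing the listeners and management ACL."""
    asdm = {"enabled": False, "port": 443, "interfaces": set(), "entries": []}
    webvpn = {"port": 443, "interfaces": set()}
    in_webvpn = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Sub-commands of the `webvpn` block are indented by one space.
        if in_webvpn and line.startswith(" "):
            parts = line.split()
            if parts[0] == "port" and len(parts) == 2:
                webvpn["port"] = int(parts[1])
            elif parts[0] == "enable" and len(parts) == 2:
                webvpn["interfaces"].add(parts[1])
            continue
        in_webvpn = False  # any non-indented line ends the webvpn block
        m = HTTP_SERVER_RE.match(line)
        if m:
            asdm["enabled"] = True
            if m.group(1):
                asdm["port"] = int(m.group(1))
            continue
        m = HTTP_ENTRY_RE.match(line)
        if m:
            ip, mask, iface = m.groups()
            asdm["entries"].append((ip, mask, iface))
            asdm["interfaces"].add(iface)
            continue
        if line == "webvpn":
            in_webvpn = True
    return asdm, webvpn


def audit(text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    asdm, webvpn = parse_config(text)
    findings = []
    # 1. Management sources should be individual hosts, as in the article.
    for ip, mask, iface in asdm["entries"]:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen < 32:
            findings.append(f"permissive ASDM source {net} on {iface}")
    # 2. ASDM and Web VPN on the same interface must not share a port.
    if asdm["enabled"] and asdm["port"] == webvpn["port"]:
        for iface in sorted(asdm["interfaces"] & webvpn["interfaces"]):
            findings.append(f"ASDM and Web VPN both on {iface}:{asdm['port']}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports only the `0.0.0.0 0.0.0.0` entry; the Web VPN listener is on 444 and so does not collide with ASDM. Removing the ` port 444` line from the sample makes Web VPN fall back to 443 and produces the conflict finding for the outside interface, which is exactly the situation the article's second example avoids.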

Configuring Cisco Firewall Security Contexts

Starting with Cisco firewall software version 7.x, the Cisco PIX and ASA firewalls support multiple security contexts (virtual firewalls) on the same physical chassis. Each security context runs independently with its own set of security policies, access rules, logging configuration, and so on. Out of the box, any Cisco firewall appliance comes with a license for 2 security contexts. In this post, I will show you how to configure these two security contexts on a Cisco PIX or ASA firewall that supports this feature.