Networks Training

You are here: Home / Cisco VPN / Cisco SSL VPN and ASDM Configuration – Port Conflict

Cisco SSL VPN and ASDM Configuration – Port Conflict

Written By

In addition to IPSEc VPN support, Cisco firewalls support also the SSL Web VPN technology for providing access to resources for remote users. The main difference between IPSEc VPN and SSL VPN is that the first one requires a VPN client installed on the user’s computer while the SSL VPN requires only a secure browser (HTTPs). Another difference is that IPSEc VPN provides full network connectivity to the central site for the remote user with the ability for the user to have full access to applications just like local LAN access. On the other hand, SSL VPN provides limited application access compared with IPSEc VPN. The applications that can be accessed by SSL VPN include Internal websites, Web-enabled applications, NT/Active Directory file shares, E-mail proxies, including POP3S, IMAP4S, and SMTPS, MS Outlook Web Access, and port forwarding access to some other TCP-based applications.

EDIT: The above statement about SSL VPN was valid for the older SSL VPN technology which was supported only through a web portal on the ASA. Now, Cisco ASA supports the Anyconnect SSL VPN which is similar with the IPSEC VPN client. With Anyconnect VPN you can have full remote network access to the central site.

The diagram below shows a high level network topology for SSL VPN connectivity:

MORE READING:  Site to Site VPN with Dynamic Crypto Map

cisco ssl vpn on asa firewall

As you can see, the remote users can establish a secure SSL tunnel over the Internet and access application resources located in their central Enterprise LAN using a web browser (HTTPs).

Next we will describe how to enable SSL VPN on the firewall, and discuss how you can avoid a port conflict with ASDM (Web GUI management) when both are enabled on the same firewall interface.

Both SSL VPN and ASDM use the HTTPs protocol for communication which uses port 443 by default. If we need to enable ASDM management access on the same interface as SSL VPN (usually the “outside” interface), then we must change the listening port of either the SSL VPN or the ASDM. In our example below we will describe both scenarios.

A. Change the port of ASDM

ASA(config)# http server enable 444
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on port 444 while SSL VPN uses the default port 443. With this configuration, the remote administrator user on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address>:444 in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>

MORE READING:  VPN Failover with HSRP High Availability (Crypto Map Redundancy)

B. Change the port of SSL VPN

ASA(config)# http server enable
ASA(config)# http 100.100.100.1 255.255.255.255 outside
ASA(config)# webvpn
ASA(config-webvpn)# port 444
ASA(config-webvpn)# enable outside

For the above scenario, ASDM listens on default port 443 while SSL VPN uses port 444. With this configuration, the remote administrator user on address 100.100.100.1 initiates ASDM sessions by entering https://<Outside-Address> in the browser. Normal SSL VPN users initiate SSL VPN sessions by entering https://<Outside-Address>:444

Related Posts

Filed Under: Cisco VPN

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Daniel Craig says

    Hello, I was looking around for a while searching for cisco lan security wireless and I happened upon this site and your post regarding SL VPN and ASDM Configuration – Port Conflict | CiscoTips, I will definitely this to my cisco lan security wireless bookmarks!

  2. Lance Lakey says

    Harris,

    Regarding:
    http server enable 444

    I discovered today there’s another option which doesn’t require changing http server or webvpn to use port 444

    I saw this in the SSL VPN Wizard on page 2 today. I believe once webvpn is enabled the below automatically becomes true i.e. ASDM is automatically accessible at IP/admin instead of needing IP:443

    webvpn:
    https://

    ASDM:
    https:///admin

  3. BlogAdmin says

    Hello Lance,

    Thanks for bringing this up. I haven’t tried configuring anything from ASDM so I haven’t noticed what you are saying. In my opinion, the safest way to go is to enable different ports for ASDM and SSL VPN. Especially for SSL VPN, it is a good practice to configure it on a non-standard port in order to confuse possible attackers a little bit (although experienced hackers will not have trouble figuring out that this is a VPN port).

  4. Krishnanand says

    Hi Harris,

    Thanks for all your wonderful post and explanations. I have been looking after all your post and find them very helpful.

    Looking for some troubleshooting scenarios with explanation.

    Regards,

    Krish

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx