VNC over SSL-VPN tunnel

vncvpn

I've setup a SSL-VPN using Cisco ASA with AnyConnect client.
The ASA is behind a IPS/Router. A handful of Linux machines have VNC setup behind the ASA.

I want to allow VNC over SSL-VPN connection (since VNC is unsecured in pure form) in remote access settings. It's a strict settings to block all ports except the necessary ones.

I'm trying to implement enough ACLs to block all unsecured connections.

Would my IPS/Router have to block regular VNC port since VNC is tunneled under SSL, but then would my ASA or any other device need to open up a port for VNC once the client is inside the local network?
Is my IPS/Router going to dissect the packet and block it if it has VNC in it? (if IPS/Router blocks VNC, but NOT SSL).

Thank you.

Best Answer

You would only need to allow SSL (port 443).

Because your VNC traffic is going to get piggybacked by SSL.

From the IPS/Router's stance, VNC traffic is going to look like SSL.

Related Solutions

Cisco AnyConnect on IOS 12.4(20)T

I have a TAC case open to see if any good documentation exists for this, but I did get a basic installation up and running using SDM 2.5. Unfortunately SDM will NOT recognize that Anyconnect is installed even though it is. You will need to install the Anyconnect packages manually and then setup the rest in SDM.

First...install Anyconnect packages. I use the Window and Mac packages. TFTP them onto the router and install them using: (from conf t)

webvpn install svc flash:/windows_package_name.pkg sequence 1

webvpn install svc flash:/mac_package_name.pkg sequence 2

It will install and your config will have lines like this:

webvpn install svc flash:/webvpn/svc_1.pkg sequence 1

webvpn install svc flash:/webvpn/svc_2.pkg sequence 2

Now you can go into SDM and run the wizard....

Hope this helps!

-Andy

Updating: I got a reply on my TAC case....here are the URLs Cisco sent me:

Here is the IOS SSL VPN Data Sheet that explains what features are available

www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html

Here is the IOS SSL VPN CLI Configuration Guide:

www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ssl_vpn.html

Here are several IOS SSL VPN Configuration Examples & TechNotes:

www.cisco.com/en/US/products/ps6657/prod_configuration_examples_list.html

Cisco ASA 5505 – L2TP over IPsec

Can you post the output of your log while trying to establish a vpn connection at the debugging level? (in the asdm go to Monitoring -> Logging -> set logging level to debug in the drop down -> click view)

Also unless there is a compelling reason to stay at 7.2(4) I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.

EDIT

That error means that the interface the incoming vpn is setup on doesn't have a crypto-map applied.

if you were following the instructions there, you probably applied the crypto map like this:

crypto map outside_map interface outside

if you are testing on the same lan you would need to do this:

crypto map outside_map interface inside

Ugly i know but it'll let you test, then remove from the inside interface and you are good to go.

If that doesn't work, would you be willing put post your running config?

EDIT 2:

Ok, lets simplify this config a little. Try disconnecting the XP machine from the ASA. And also remove the 192.168.1.1 ip address and DHCP pool from the ASA. Then try to connect via the vpn.

Best Answer

Related Solutions

Cisco AnyConnect on IOS 12.4(20)T

Cisco ASA 5505 – L2TP over IPsec

Related Topic