Cisco ASA for VPN Remote Access

robw53

Hi,

Has anybody used one of these devices or similar device to setup a remote connection for either themselves to connect to the plant or for contractors for remote diagnostics etc?

I'm after some advice if anybody has had any experience doing this.
 
I was hoping you would be the one to reply :)

Yes, it's an ASA 5512-X firewall edition. I was just wondering if I needed some form of antivirus/spyware like the CSC module etc., or if it isn't necessary for this application.

I'm going to be using an ISR 887VA and the ASA as firewall and termination of VPNs.

P.S. I did look into the Barracuda devices, but not knowing much about them, and Cisco being well supported in the UK, and like you mentioned previously, if using Cisco switches use Cisco all the way, so that being said I thought I would play it safe.

Do you use SSL VPN, or is IPsec better for this type of application? I will be wanting to do Remote Desktop with Studio 5k on a PC within the plant, and also be able to use software on a remote machine that I'm using to VPN into the network.

Do I need any servers etc. to do this, or will the ASA handle all this?

Each piece of equipment is on its own VLAN, as you advised previously.
 
Use SSL or AnyConnect; I would only use IPsec when I had to because of app or OS restrictions.

I would add one of these also if your budget allows: http://www.techguard.com/products/poliwall-ip-country-blocker/

Or go here: https://www.countryipblocks.net/country_selection.php

and make ACLs to handle this, but it's a bit of work and it needs to be kept updated, whereas PoliWall handles this and more.

Use cloud AV and services and filter out the nasty items before they hit your network. Use AV and IPS on your LAN as well. Security in layers is best.
 
I sent several emails several weeks ago to TechGuard asking if they can export these or have any distributors in the UK, but I had no response, so I think for the time being I will have to manually set up ACLs and use the site you provided with the IP addresses of countries, and maybe get one of these at a later date. As you said "if your budget allows", so I'm guessing they are not cheap.

I have added Duo Security to my list, as this looks affordable and worth it for the extra security it gives.

My setup at present will be as follows:

ISP / ISR-887 / ASA 5512-X / Tofino (FW) / Stratix 8300

Can you recommend any good cloud AV? I have been looking at the Panda Security cloud AV.

As far as the LAN, what sort of setup would be required to protect the network from a virus etc. coming in from an OEM's laptop, for instance? Maybe we should just force them to use our own laptop if they have to come back to do any commissioning local to the machine.

On a recent Rockwell "University on the Move" they recommended using FactoryTalk Security as another layer of security.
 
As far as cloud AV, I was speaking in terms of Cisco Web Security: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/aag_c45-716589.pdf

It works with your firewall and is an integrated solution, which works best in this kind of setup IMO.

As far as the LAN, without servers just make sure machines have good AV and malware software. I like Sophos because it has a very high detection rate and is light on computer resources.

Having OEMs and integrators use laptops you issue them is best; that way you know what is connecting to your network. I would also scan all USB thumb drives before connecting them to the network. Flash drives are the best physical way to deliver a virus, malware or rootkit because of the way flash drives work.

I like FT Security and use it corporation-wide, but I myself would not use it without Active Directory, which requires a server (2 if you want to sleep well), but with Server 2008 for example you can set up NAP (Network Access Protection) in DHCP mode.

From this config:

ISP / ISR-887 / ASA 5512-X / Tofino (FW) / Stratix 8300

Do you have a core switch or do you plan to just use the ports on the ASA?

If you plan to have any more networks or expansion (lines), now would be the best time to add a core switch.
 
I omitted the VA in that post, but yes, it's the 887VA model.

OK, I have forwarded on a request to our Cisco partner to add this to our proposal.

It depends on how much we spend; I do have costs in for a server in the budget, but I want to make sure I don't skimp on the security before purchasing a server.

During commissioning of the different pieces of equipment it's inevitable that they have to use their own laptops due to the sheer quantity of controllers throughout the plant, but I shall make sure that before anybody comes on site plugging in they have fully up-to-date antivirus and have scanned their system before connecting to the network, and they should refrain from using any removable media that hasn't been scanned.

As far as switches, the Stratix 8300 is sitting with the ASA and ISR etc. in the network room, then the fibre goes from the 8300 out to two switches (8000s), one located in each area, which then from each 8000 goes out in a star to each machine panel, each of which has a Stratix 5700 in it.

The 8300 would maybe have a few copper connections to it; apart from the connection from the ASA/ISR it may have a few bits of remote I/O for the building services and maybe a connection to a flour system located nearby. Is this a correct method, or should it have an 8000 sat next to it for that?
 
If it were me I would have another 8000 for any equipment and have the 8300 for the core switch, if that will supply your needs.

It will work either way, but I like to keep things very segregated myself, as I find it easier to troubleshoot and make changes without affecting a lot of processes.
 
OK, I will get hold of another 8K. What protection do you have in place for computers that are remoting in using SSL VPN, to stop them from unknowingly allowing a virus/worm to travel down the tunnel and infect the network? Microsoft have VPN quarantine, but is there something else which would work with this type of setup, maybe something from Cisco?

How involved is setting up the VPN group policy for users and the specific VLANs they can access? Is this a CLI setup, or can it be done using a GUI like ASDM?

Regards

Rob
 
You should be able to do most of it in ASDM, but I pretty much do all CLI because it's more natural for me and a bit quicker.

The Cisco Web Security can inspect for virus and malware payloads on all traffic traversing the firewall, including the VPN traffic.

Also, unless you plan to do a lot of site-to-site VPN connections or have a lot of VPN sessions at one time, you may not need the ISR, as the ASA can handle the routing for you.

I use a separate router, but it's for a network about 15 times the size of what you are planning. You may just want to get a DSL modem and feed directly into your ASA to reduce cost.

I don't allow contractor laptops on the network. They can use our issued laptops, or VPN to our RDS servers and use one of our workstation VMs, so this keeps a lot of things at bay.

You also want to set your firewall up to do DPI on traffic and not SPI. SPI just doesn't cut it these days.

You may want a core switch like a Catalyst or something with more throughput for your core switch. The Stratix 8000 are meant more as a distribution switch than a core, and are likely to be priced the same.

As far as VPN security, you can sometimes get more security features in a dedicated VPN appliance or virtual appliance than you can in a firewall, but it depends on the amount of VPN sessions you plan to hold at the same time, worst case.
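An added example of the per-group restriction asked about above (a contractor AnyConnect group confined to RDP on one plant PC) together with the country-block ACL approach from earlier in the thread, written as ASA CLI. This is illustrative config, not from the thread or from Cisco documentation; all addresses, object names and the two blocked ranges are constructed placeholders, and it assumes an AnyConnect image is already installed on the ASA.

```cisco
! Constructed addressing (assumptions): plant VLAN 10.10.10.0/24, jump PC
! running Studio 5000 at 10.10.10.50, AnyConnect client pool 192.168.100.0/24.
ip local pool CONTRACTOR_POOL 192.168.100.10-192.168.100.20 mask 255.255.255.0

! VPN traffic bypasses interface ACLs by default (sysopt connection permit-vpn),
! so a vpn-filter is what confines a group to its allowed hosts. The ACL is
! written from the client side: source = VPN client, destination = inside host.
! Only RDP to the jump PC is permitted; the final deny logs anything else.
access-list CONTRACTOR_VPN_FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.10.10.50 eq 3389
access-list CONTRACTOR_VPN_FILTER extended deny ip any any log

webvpn
 enable outside
 anyconnect enable

group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value CONTRACTOR_VPN_FILTER
 split-tunnel-policy tunnelall
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30

tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 address-pool CONTRACTOR_POOL
 default-group-policy CONTRACTORS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias Contractors enable

! Country-block style ACL applied to traffic destined to the ASA itself (the
! VPN listener), so blocked ranges never reach the login page. Ranges here are
! placeholders; a real list comes from the block site named in the thread and
! has to be refreshed as that list changes.
access-list OUTSIDE_CP extended deny ip 203.0.113.0 255.255.255.0 any log
access-list OUTSIDE_CP extended deny ip 198.51.100.0 255.255.255.0 any log
access-list OUTSIDE_CP extended permit ip any any
access-group OUTSIDE_CP in interface outside control-plane
```

The `log` keyword on the deny lines is what gives you the hit counts and syslog entries to confirm the filter is doing what you expect before you widen it.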
 
You may want a 24 or 48 port switch as your core, as you may want to add things later. Adding more small switches adds more hops for traffic and degrades throughput.

Later you may want additional Ethernet ports for UPSs or an IP KVM, cameras etc. Likely better to go with the larger core switch now vs. a smaller switch.
 
Thanks for coming back to me.

I spoke with a Cisco consultant and he said that for only a couple of computers the cloud AV would be over the top and very expensive based on the amount of users, and that AV on the local machines would be better.

For remote access after commissioning the line, if I was to use the ISR and the ASA 5500 and have a PC on the inside of the network which they remote in to, with Studio 5k and View Studio ME on it, with its own antivirus software etc. on that PC, would that give me a good source of protection from any virus coming in from the VPN tunnel? What would be required for that above and beyond the ISR and ASA: a PC, antivirus software, AB software, and some software for the remote desktop like LogMeIn etc.?


We will have no site-to-site VPN, and maybe 1 or 2 client-to-site VPNs at any one time.
 
