Cisco ASAv in AWS and multiple Elastic IPs

Richard Tapp
Level 1

We currently have a new ASAv in AWS with an outside interface and 1 AWS elastic IP assigned. In another DC, which is closing, we have a public /24 advertised, which is registered to our company.

The public IPs are currently used for AnyConnect, S2S VPNs and DMVPN.

Because of a very shoddy piece of programming, our main application can only be managed over AnyConnect using a whitelisted IP in our public range. We do hairpinning on AC to allow developers access.

We are in the process of doing BYOIP to be able to advertise the /24 out of AWS instead and change the AWS elastic IP on our FW to use our public one. The main issue with this is we don't know how long the downtime will actually be going from our current DC to AWS, and once the current DC stops advertising it, we will lose complete access to the old DC.

I know you can have multiple IPs / elastic IPs on the Outside interface of the ASAv, but I want to be sure you can do the same things on both.

So if I can do this then I can bring over all our other AnyConnect profiles & S2S VPNs in a controlled fashion on the AWS elastic IP, just leaving the one AC profile required for the developers on the old DC until we are ready to move.

Then create a 2nd IP on the Outside interface with our same public IP as we have now. But I also need to be able to NAT this connection only through this interface for the hairpinning and have hairpinning still working on the existing interface.

Has anyone ever tried this or know if it will work?

I suppose the other option is to set up a smaller ASAv for the developers to use.


Hello,

Your approach sounds feasible. It might be a good idea to set up a test environment (e.g. in GNS3)... Do you have the config of the ASAv? I could run a simulated migration and at the very least tell you what (if any) downtime to expect...