Help please. How do I configure AnyConnect VPN for employees in this scenario?

pozoteleco
Level 1

Hi everybody,

 

We want to configure Cisco's AnyConnect service so that around 50 employees can connect to our offices over VPN. The problem, as you can see in the topology, is that employees must point to one of our public IPs to reach our datacenter. The question is: if the ASA sits below in the topology I show you, how do I configure it properly so that users can connect correctly via VPN?

5 Replies

Not a perfect setup for the ASA ... I would set up AnyConnect VPN the following way:

  1. Configure both routers to 1:1 NAT one free IP to the ASA. If you don't have free IPs, forward TCP/UDP 443 to the ASA.
  2. Add these IPs as vpn1.example.com and vpn2.example.com into your public DNS.
  3. Configure the ASA for WebVPN
  4. Tell your users to use the DNS entry that points to your primary ISP, and to use the other one if the connection does not get established (when you change the outgoing ISP).

Thank you. To be clear, for Router 1, is this enough configuration to implement this?

Router 1:

interface GigabitEthernet0/0
 description Outside interface
 ip address 2.2.2.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside interface
 ip address 192.168.23.2 255.255.255.248
 ip nat inside
!
! access-list 1 was not included in the post; the overload rule below
! needs it to match the inside subnet (assumed here to be the /29 on Gi0/1)
access-list 1 permit 192.168.23.0 0.0.0.7
!
ip nat inside source static esp 192.168.23.10 interface GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 2.2.2.3
ip nat inside source list 1 interface GigabitEthernet0/0 overload

Your configuration implies that you don't have a dedicated IP for this? Then the forwarding depends on the ASA config:

  1. UDP/500, UDP/4500, TCP/443 for AnyConnect with IPSec. You never need ESP when NAT is involved.
  2. TCP/443, UDP/443 for AnyConnect with TLS
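A worked configuration for the two replies above (the port-forwarding step and the port list), added here as an example; it is not from the thread or from Cisco documentation. It assumes the poster's addressing: the ASA's outside interface is 192.168.23.10, the router's public interface is GigabitEthernet0/0 carrying the single ISP address, and the ASA interface facing the routers is named "outside". Router 2 gets the same NAT lines on its own outside interface.

```cisco
! ---------- Router 1 (IOS) ----------
! General PAT for normal internet traffic. ACL 1 defines the inside
! networks; the /29 is assumed from the poster's inside interface.
access-list 1 permit 192.168.23.0 0.0.0.7
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Static PAT: only the AnyConnect ports on the router's single public
! address are forwarded to the ASA; nothing else reaches the ASA from outside.
!
! AnyConnect over TLS (TCP/443) and DTLS (UDP/443)
ip nat inside source static tcp 192.168.23.10 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 192.168.23.10 443 interface GigabitEthernet0/0 443
!
! AnyConnect over IKEv2/IPsec: IKE on UDP/500, NAT-T on UDP/4500.
! No "static esp" entry: because the ASA sits behind NAT, the IPsec
! traffic is carried inside UDP/4500 (NAT-T), so protocol 50 is never used.
ip nat inside source static udp 192.168.23.10 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.23.10 4500 interface GigabitEthernet0/0 4500
!
! Verification on the router after a client connects (assumed interface names):
!   show ip nat translations | include 192.168.23.10
!   show ip nat statistics
!
! ---------- ASA (minimal AnyConnect enablement) ----------
! Enable the SSL/TLS listener and the AnyConnect client on the outside interface.
webvpn
 enable outside
 anyconnect enable
!
! Enable IKEv2 for AnyConnect IPsec clients on the same interface.
crypto ikev2 enable outside client-services
!
! Verification on the ASA:
!   show vpn-sessiondb anyconnect
!   show webvpn statistics
```

Two points a practitioner checks alongside this: the identity certificate the ASA presents must carry vpn1.example.com and vpn2.example.com as subject alternative names, otherwise clients reaching the ASA through the second ISP get a certificate mismatch; and because the forward is a per-port static PAT, any other service on the ASA's outside interface (management, for instance) stays unreachable from the internet, which is the exposure you want.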

Hi,

I don't have a dedicated public IP address; it's the same one used for my company's internet traffic.

Kind regards.

Not perfect but it will work. Just do a NAT/PAT for the ports as mentioned.
