Beginner

Help please. How to configurate AnyConnect VPN for employees in this scenario??

Hi everybody;

 

We want to configure Cisco's AnyConnect service so that around 50 employees can connect to our offices via VPN. The problem, as you can see in the topology, is that employees must point to one of our public IPs to reach our datacenter. The question is: if the ASA sits lower in the topology that I show you, how do we configure it properly so that users can connect correctly via VPN?

 

 

 

 

VIP Mentor

Re: Help please. How to configurate AnyConnect VPN for employees in this scenario??

Not a perfect setup for the ASA ... I would set up AnyConnect VPN the following way:

  1. Configure both routers to 1:1 NAT one free IP to the ASA. If you don't have free IPs, forward TCP/UDP 443 to the ASA.
  2. Add these IPs as vpn1.example.com and vpn2.example.com into your public DNS.
  3. Configure the ASA for WebVPN
  4. Tell your users to use the DNS-entry that points to your primary ISP and to use the other if the connection does not get established (when you change the outgoing ISP)
Beginner

Re: Help please. How to configurate AnyConnect VPN for employees in this scenario??

Thank you. To be clear, is this configuration enough to implement this on Router 1?


Router 1:

```
interface GigabitEthernet0/0
 description Outside interface
 ip address 2.2.2.2 255.255.255.248
 ip nat outside

interface GigabitEthernet0/1
 description Inside interface
 ip address 192.168.23.2 255.255.255.248
 ip nat inside

ip nat inside source static esp 192.168.23.10 interface gigabitEthernet 0/0
ip route 0.0.0.0 0.0.0.0 2.2.2.3
ip nat inside source list 1 interface GigabitEthernet0/0 overload
```

VIP Mentor

Re: Help please. How to configurate AnyConnect VPN for employees in this scenario??

Your configuration implies that you don't have a dedicated IP for this? Then the forwarding depends on the ASA config:

  1. UDP/500, UDP/4500, TCP/443 for AnyConnect with IPSec. You never need ESP when NAT is involved.
  2. TCP/443, UDP/443 for AnyConnect with TLS
Beginner

Re: Help please. How to configurate AnyConnect VPN for employees in this scenario??

Hi,

 

I don't have a dedicated public IP address; it's the same one used for my company's internet traffic.

 

Kind regards.

VIP Mentor

Re: Help please. How to configurate AnyConnect VPN for employees in this scenario??

Not perfect but it will work. Just do a NAT/PAT for the ports as mentioned.
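
The port forwards described in the replies, written out for Router 1 as an added example (not part of any post in the thread). It reuses the addresses and interface names from the posted config and assumes the ASA outside address is 192.168.23.10; note that this address lies outside the 192.168.23.0/29 subnet configured on GigabitEthernet0/1, so the router needs a route to it (or a wider mask) before any forward can work.

```cisco
! Added example: static PAT on the shared public IP of Router 1.
! Addresses and interfaces come from the config posted in the thread;
! 192.168.23.10 is assumed to be the ASA outside interface.
!
! The ESP forward from the posted config is not needed once NAT is in
! the path (IPsec then runs NAT-T over UDP/4500), so remove it.
no ip nat inside source static esp 192.168.23.10 interface GigabitEthernet0/0
!
! AnyConnect with TLS: TCP/443 (TLS) and UDP/443 (DTLS) to the ASA.
ip nat inside source static tcp 192.168.23.10 443 interface GigabitEthernet0/0 443
ip nat inside source static udp 192.168.23.10 443 interface GigabitEthernet0/0 443
!
! Only if AnyConnect with IPsec is used: add IKE and NAT-T.
! Leave these two lines out for a TLS-only deployment so no unused
! ports are exposed on the public address.
ip nat inside source static udp 192.168.23.10 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.23.10 4500 interface GigabitEthernet0/0 4500
!
! The existing overload rule for outbound company traffic stays as posted.
! access-list 1 is referenced by it but is not shown in the thread.
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Check before applying: these forwards take over TCP/443, UDP/500 and
! UDP/4500 on the public IP, so any service the router itself terminates
! on those ports (HTTPS management, its own IPsec tunnels) will stop
! answering from the outside.
!
! Verify from exec mode after a test connection:
!   show ip nat translations
```

Router 2 needs the same forwards with its own outside interface so that the second DNS entry from the first reply also reaches the ASA.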