ASA with two WebVPN interfaces

Pavel Pokorny
Level 1

Dear all,

Please advise what the possibilities are.

As-is situation: ASA with webvpn configured on the outside interface. This is a pretty standard solution which has been working for many years.

To-be situation: add the possibility to connect via VPN client on the inside interface. But here comes the trick. I would like to have (on this new headend) different tunnel-groups and, with this, also a different ip-pool for clients.

Is it even possible (9.8 version)?

Kind regards,

Pavel

2 Replies

Hi,
Yes, this should be possible. You would need to:

- Enable SSL/IKEv2 IPSec on the INSIDE interface.
- Create additional IP Pools
- Create a new Group Policy, reference the new IP Pool within the Group Policy
- Create a new tunnel group, reference the new group policy within the tunnel group.

You should then connect to the new tunnel group and receive an IP address from the new IP Pool. You would probably also need a new NAT exemption rule to ensure traffic from the new IP Pool to the local internal network is not natted.

If you need further assistance please upload your configuration.
HTH
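
The four steps in the reply above, written out as an ASA configuration sketch. This is an added example, not part of the original post: the pool range and the names INSIDE_POOL and GP_INSIDE are constructed placeholders, the interface is assumed to carry `nameif inside`, and the tunnel-group name 54321 is taken from the follow-up question below.

```cisco
! Constructed example: INSIDE_POOL, GP_INSIDE and the 10.99.0.0/24 range are placeholders.
! Assumes the AnyConnect image and identity certificate already exist from the
! outside headend, and that the internal interface is named "inside".

! 1) Enable SSL and IKEv2 client termination on the inside interface
webvpn
 enable inside
 anyconnect enable
 tunnel-group-list enable
crypto ikev2 enable inside client-services port 443
! (IKEv2 also needs the IPsec proposal / crypto map bound to inside; not shown.)

! 2) Additional address pool for clients using the new headend
ip local pool INSIDE_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! 3) New group policy that references the new pool
group-policy GP_INSIDE internal
group-policy GP_INSIDE attributes
 vpn-tunnel-protocol ssl-client ikev2
 address-pools value INSIDE_POOL

! 4) New tunnel group that references the new group policy
tunnel-group 54321 type remote-access
tunnel-group 54321 general-attributes
 default-group-policy GP_INSIDE
tunnel-group 54321 webvpn-attributes
 group-alias 54321 enable

! The NAT exemption for INSIDE_POOL mentioned in the reply depends on the
! existing NAT rules and is not shown here.
```

After a test connection, `show vpn-sessiondb anyconnect` lists the session's tunnel group, group policy and assigned address, which confirms that the client landed in 54321 and drew from the new pool.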

Hi,

Thanks for the quick reply.

One more demand.

Let's say, on the current webvpn I have tunnel-group 12345.

I will create a new one (for inside) 54321.

But what I need is:

1) from outside I will see (in client) only 12345

2) from inside I will see (in client) only 54321

There will be no possibility to use tunnel-group 54321 from outside and vice versa.

I cannot find any solution to limit tunnel-groups in that way.

Kind regards,

Pavel
