Cisco AnyConnect and Citrix Netscaler Gateway Co-Exist on One Public IP?

miketranosky
Level 1

Hello everyone,

I have what will hopefully be an easy question for the experts here on the forums.

What I am looking to do is have a Cisco AnyConnect VPN co-exist with a Citrix Netscaler Gateway on a single Public IP. In other words, I would like to be able to connect to my AnyConnect VPN based on vpn.domain.com (DNS points vpn.domain.com to my public IP currently), but would also like to connect to my Citrix Netscaler Gateway by URL citrix.domain.com.

Currently, only the AnyConnect VPN is setup and accessible on the Public IP. 

So from a Topology perspective:

Internet -> Modem -> Cisco ASA 5505 -> inside subnet 10.10.10.0/24 -> NSG is 10.10.10.5 

My Netscaler Gateway exists on the Inside subnet/segment, but I would like to make it public-facing.

Normally I would imagine I could just configure NAT to take any requests to the public IP inside to the Netscaler Gateway IP, but I'm not sure how/if this will work with an existing AnyConnect VPN connection and DNS record already pointing to my public IP.

I'm thinking something like: if a request is made to the DNS name of my Netscaler Gateway, the ASA can make a decision based on the address requested (i.e. NAT only if citrix.domain.com is the requested URL), but I'm not even sure if that is possible or how it could be accomplished.

Hoping that someone has done this or could point me in the right direction.

Thanks everyone! 

Mike T. 

Accepted Solution

Marvin Rhoads
Hall of Fame

You can host multiple services on the same public IP address - you will need to configure one of them to use a different tcp port.

You can easily reconfigure AnyConnect to use something other than the standard SSL/TLS port (tcp/443).

That way your CAG can use the default port (tcp/443).

You'll just need to create a static NAT and access-list rule for the CAG.

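The following ASA configuration fragment is an added example of the split Marvin describes; it is not from this thread or from Cisco's or Citrix's documentation. It assumes ASA 8.3 or later NAT syntax, interfaces named `inside` and `outside`, an access-list named `outside_access_in`, and tcp/8443 as the new AnyConnect port (an arbitrary choice; any unused port works). Note that the ASA separates the two services by destination port only. It cannot read the requested hostname or TLS SNI, so both vpn.domain.com and citrix.domain.com resolve to the same public IP and the port is what selects the service.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ NAT syntax,
! interfaces named "inside" and "outside", and tcp/8443 as the new
! AnyConnect port (arbitrary choice).

! 1. Move AnyConnect/WebVPN off tcp/443 first, so the ASA itself no
!    longer claims that port on the outside interface address.
webvpn
 port 8443
 enable outside

! 2. Static PAT: tcp/443 on the outside interface IP -> NetScaler Gateway.
!    Only port 443 is translated; the rest of the public IP stays with the ASA.
object network NSG-10.10.10.5
 host 10.10.10.5
 nat (inside,outside) static interface service tcp https https

! 3. Permit only tcp/443 from the internet to the NetScaler.
!    With 8.3+ NAT the ACL references the real (inside) address, not the public one.
!    Keep the ACE this narrow: the gateway is now internet-exposed on this port.
access-list outside_access_in extended permit tcp any object NSG-10.10.10.5 eq https
access-group outside_access_in in interface outside
```

After applying it, AnyConnect clients reach the ASA at https://vpn.domain.com:8443 (the profile or the user's URL must include the port), while https://citrix.domain.com lands on the NetScaler. `show nat` and `show run webvpn` confirm that tcp/443 is translated to 10.10.10.5 and that WebVPN is listening on 8443; if an access-group is already applied to the outside interface, add the ACE to that existing list instead of creating a second one.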

3 Replies


Marvin,

Thank you for the response. I hadn't thought of putting the AnyConnect on a different port. That's a great idea along with the static NAT and access-list for the CAG.

I'll move the AnyConnect to another port and then leave the Access Gateway on 443.

Thanks for your help,

Mike T.

You're welcome.

Pete Long has a great article walking you through making the change for AnyConnect. It can be found here:

http://www.petenetlive.com/KB/Article/0000422
