RA VPN on non-interface IP

gcook0001 (Level 1)

Is it possible to use a different IP from our WAN subnet for RA VPN?

We currently port-forward 443 to an internal proxy server on the interface IP. We do this for a couple of reasons. I realize I can use a different external port for this, but thought there would be some benefits to having the VPN on its own external IP.

We are currently using Firepower 1140s managed by FMC.

Accepted Solution

@gcook0001 

You can only terminate a VPN (RA or L2L) on an IP address assigned to a physical interface (i.e. OUTSIDE) of an FTD or ASA, so in your scenario, no.

If you don't want to change the existing NAT to a spare IP address, then you could change the SSL-VPN port or use IPsec instead on the existing IP address assigned to the outside interface.

HTH

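To make the accepted answer concrete, here is an added illustration (not from any post in this thread) of the port collision it describes and the first workaround it suggests, written in ASA CLI syntax. The object name, the internal proxy host 10.0.0.10 and the alternate port 8443 are placeholder values chosen for the example; the assumption that an FMC-managed FTD deploys an equivalent configuration behind its RA VPN policy UI is mine, not something the thread states.

```cisco
! Existing port-forward: TCP/443 arriving on the outside interface IP
! is translated to the internal proxy (placeholder host and object name).
object network obj-internal-proxy
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 443 443

! With the NAT above in place, an SSL-VPN listener on the default port
! would contend for the same interface IP and TCP/443. Moving the
! AnyConnect (SSL) listener to another port (placeholder 8443) lets both
! services share the single interface IP, which is the only address an
! FTD/ASA can terminate RA VPN on.
webvpn
 port 8443
 enable outside
 anyconnect enable
```

Clients would then connect to https://<outside-ip>:8443 for the VPN, while inbound 443 continues to reach the proxy. The second workaround in the answer, IPsec (IKEv2) remote access, avoids TCP/443 for the tunnel itself but still needs its client-services port chosen so that it does not land on 443 either; the same collision check applies.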

6 Replies

balaji.bandi (Hall of Fame)

Sure, you can use a free IP address for your VPN bound to the interface (it has its own advantages over using an external IP configured on a shared basis).

BB


Is there documentation or something that explains how to do this? I can't find anything, and when I set up the VPN it only allows me to select the interface.

There may be a typo in my last message; you need to have the interface configured with the IP to get it working.

BB


So just to be clear: I have a WAN subnet xxx.xxx.xxx.0/28 from my ISP. xxx.xxx.xxx.1 is the IP assigned to my WAN interface. I can't set up xxx.xxx.xxx.2 for my RA VPN.

@gcook0001 

No, not unless you change the physical interface of the device to .2. You can only terminate a VPN on the physical interface.
