Anyconnect on other interface

peterzork
Level 1

Hello,

I have a strange issue when enabling SSL VPN on a second interface on an ASA 5510.

The ASA has a /30 connected on the outside interface to the Internet, but I can't use that IP on port 443 because another service is connected to it.

We have another subnet which is routed to the outside interface IP. This /28 subnet has its own interface on the ASA, like a DMZ.

Now I want to also use this extra subnet interface for SSL VPN, so I enabled it, but it seems some ACL is not allowing me.

I always get a deny to the DMZ interface IP, no matter what kind of permit rules I create on all ACLs.

Some drawing:

-----Internet------ASA IP/30 ( Outside IF )------------LAN ( Inside IF )-----
                                   |
                                   |
                              DMZ IF /28 ( SSL enabled on this IF )
                                   |
                                   |

Does anyone know if this is supposed to work?

Kind Regards,

Peter

1 Reply

That won't work the way you want:

1) The ASA can only be accessed on the nearest interface. So if the user is on the Internet, the outside IP has to be used.
2) Interface ACLs never control traffic that is destined for the ASA itself.

How to solve that:

Solution 1)
Remove the DMZ and use the new addresses for NAT. The service that uses port TCP/443 will be changed to one of the new IPs, and the ASA IP can be used for VPN.

Solution 2)
Keep the DMZ with the new IP subnet and move the server that currently uses port TCP/443 to that DMZ. That will also free the interface IP of the ASA so it can be used for VPN.


Sent from Cisco Technical Support iPad App
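Solution 1 from the reply above, written out as an added ASA configuration example; it is not part of the original thread. It assumes ASA 8.4-style object NAT syntax, and the addresses, object names and interface names are constructed placeholders.

```text
! Assumption: the ISP routes 203.0.113.16/28 (constructed placeholder) to the
! outside interface IP, so the block can be used for NAT without assigning it
! to any ASA interface. The former DMZ interface is no longer needed.
!
! The internal host that currently occupies the outside IP on TCP/443
! (10.1.1.10 is a constructed placeholder).
object network SVC-443-INSIDE
 host 10.1.1.10
 description Service to be published on a /28 address instead of the outside IP
 ! Static NAT for TCP/443 only: the service is now reachable on
 ! 203.0.113.18:443, which frees the outside interface IP on that port.
 nat (inside,outside) static 203.0.113.18 service tcp 443 443
!
! Post-8.3 interface ACLs reference the real (untranslated) address, so the
! inbound permit is written against the object, not the mapped IP.
access-list OUTSIDE-IN extended permit tcp any object SVC-443-INSIDE eq 443
access-group OUTSIDE-IN in interface outside
!
! With the interface IP free on TCP/443, enable SSL VPN on the outside
! interface, the interface nearest to Internet users (point 1 in the reply).
! The AnyConnect image, group-policy and tunnel-group are still required
! and are omitted here.
webvpn
 enable outside
 anyconnect enable
```

The interface ACL only governs the translated service traffic; the VPN listener on the outside IP is reached directly and is not subject to it (point 2 in the reply).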