Cisco Anyconnect on different IP address

roesch4alc
Level 1

Hi all,

I need the latest information regarding this topic: https://supportforums.cisco.com/discussion/11591606/anyconnectwebvpn-different-ip

To this time, it was not possible to change the interface ip address.

Is it possible in some way to get the SSL VPN running on a different external ip address (Customer has /29 subnet) than the interface ip address? Did somebody try that via NAT?

Best Regards

Sebastian

13 Replies

Jeet Kumar
Cisco Employee

Hi Sebastian,

For connecting AnyConnect, you can only use an IP address which is configured on one of the interfaces of the ASA; it doesn't have to be your main internet-facing interface. So you have 2 options:

1. Add a public IP on one of the interfaces of the ASA and configure it for the SSL.

2. Second option is to use a NAT, but that has to be done connected to the ASA and it will forward the connection to the ASA.

I hope this answers your query. Please let me know if you have any additional questions.

Thanks

Jeet Kumar

I'm confused. If I use another interface on the ASA and configure it with a public IP address won't that be a conflict? If I have two interfaces for the same network which one will the ASA use to reach the default route? I didn't think that a router or firewall would let you assign two different interfaces in the same subnet. Are you suggesting getting a second ISP for option 1?
Has anyone tried option 2? I was thinking about an inside VLAN interface for the AnyConnect configuration and configuring a static 1-to-1 NAT for the Public IP address.

Hi Sebastian and everyone,
Were you able to get a response to option #2? Does anyone know how to do this with option number?
TIA,

Paula

SSL VPN traffic needs to terminate on the interface that receives it. You cannot come in on the outside interface of an ASA and access the VPN service bound to some other interface on the same ASA.

Thanks Marvin for the quick response. How about using another IP that is on the same subnet on the outside of the ASA and using NAT configuration?

An ASA can ONLY terminate remote access SSL VPN (AnyConnect) client sessions on the actual interface address they arrive on at initial ingress.

You cannot use a NAT, you cannot use a secondary address, you cannot use another interface address etc.

Hey Marvin,

Do you know if there is a way to map a SAML account and restrict it to a certain VPN tunnel profile, like Active Directory\LDAP does?
Thank you!

Hi Marvin,
Below is what I am trying to figure out, but for Azure SAML SSO: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc7.
Thank you!
SAML authentication cannot use LDAP attribute-maps per se.

If you use an external authorization server (like ISE or Microsoft NPS) you can send change of authorization for a user session based on LDAP attributes (username, group membership etc.) to make sure the user is put into the correct connection profile / tunnel-group.

Thanks Marvin for the replies.
Wanted to confirm on SAML authentication and mappings. We'll have to look at other alternatives. Thanks!

colebrayden94
Level 1

The sheer number of router suppliers using the IP 192.168.0.1 as the default IP address for their routers isn't small. The good thing is that this particular IP address can be altered, and it's an important part of securing the wireless system. The router IP can easily be edited through the router page. Primarily, the IP is there to give a distinctive identity to units inside the computer network. This specific numeric identification is composed of 4 sections of numbers, divided by dots. The particular IP range where this IP address sits is usually the one from 192.168.0.0 up to 192.168.255.255.

pccw258103
Level 1

complicated solution

ASA: Multi-Context Mode Remote-Access (AnyConnect) VPN
one context for SSL VPN AnyConnect
One context for normal traffic
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html
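As an added illustration of the multi-context approach suggested above (this is example configuration written for this thread, not the poster's or Cisco's own config, and not taken from the linked document), the sketch below splits an ASA into an admin context for normal traffic and a second context that terminates AnyConnect on its own address out of the customer's /29. Interface names, the context names `admin` and `vpn`, the config file names, the AnyConnect package name and all addresses (documentation ranges, `203.0.113.8/29` standing in for the customer's public block) are assumptions for the example. Because both contexts share the same physical outside interface, each context needs its own MAC address so the ASA can classify inbound packets to the right context; `mac-address auto` in the system space takes care of that.

```cisco
! ---- system execution space (assumed interface names) ----
mode multiple
! give each context its own MAC on the shared physical interface
mac-address auto
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
admin-context admin
context admin
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/admin.cfg
context vpn
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1
 config-url disk0:/vpn.cfg

! ---- context "admin": normal traffic, first usable /29 address ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.9 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.14

! ---- context "vpn": AnyConnect terminates on ITS interface address ----
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.14
! package name is a placeholder; use the image actually loaded on the box
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-placeholder.pkg 1
 anyconnect enable
```

The point the example makes concrete is Marvin's constraint: AnyConnect still terminates on the real interface address it arrives on, it is just that the `vpn` context owns a different address in the same /29 than the context carrying the normal traffic. Licensing for AnyConnect in multi-context mode and the supported ASA release are things to confirm against the linked Cisco document before building this out.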

I would consider separate contexts to effectively be separate ASA instances.
