cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
579
Views
0
Helpful
4
Replies

Anyconnect ASA Non interface IP

Alocaurd
Beginner
Beginner

Hi All, 

 

We have an ASA and have purchased 100 anyconnect licenses. We are currently using openvpn on our main IP address on port 443 and 1194. we have a /29 from our isp. We would like to transition our users to AnyConnect slowly. It appears to not be possible to put our anyconnect on any IP other than what is on our outside interface. Is it possible to have our users connect to anyconnect on a different port, and then easily change it after Openvpn is fully decommissioned? Or is it possible to filer via incoming hostname if the user gets forwarded to openvpn or get anyconnect on 443? 

Alternatively, is it possible to create a second context and have anyconnect run on it, and get a second external IP on the outside interface? Traffic would have to be routed out our main context still though, as we have external services that are restricted to that IP only. 

Or would it also be an option to change our interface IP to the IP we want to use for anyconnect, but then port forward the Openvpn on what used to be the main ip still? Again, users traffic would have to show as coming from that original main ip so as not to be restricted. 

 

Also open to other suggestions. 

4 Replies 4

webvpn

enable outside 

port xxx

dtls port yyy

 

this can change the port for any connect.

Thanks for the reply. 

 

We would like to use the standard 443 ports for both anyconnect and for openvpn. Is it possible with NA/PAT or ACL or something to allow Anyconnect users to connect on another IP in the subnet, not the one on the interface itself? If the interface IP is xxx.xxx.xxx.82/29, can we have the anyconnect run in xxx.xxx.xxx.81? 

@Alocaurd 

No it's not possible to connect a VPN on the ASA to an IP address other than the IP address of an interface.

Why not use IPSec for AnyConnect and carry on using tcp/443 for openvpn?

Thanks Rob.

 

If we have the customer operating as normal on its outside1 interface, and we get the ISP to provide a new subnet on a new interface (lets call it outside2) and we run the anyconnect on outside2, are we able to use policy routing or NAT/PAT to router VPN user traffic out Outside1? 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: