Anyconnect ASA Non interface IP

Alocaurd
Level 1

Hi All,

We have an ASA and have purchased 100 AnyConnect licenses. We are currently using OpenVPN on our main IP address on ports 443 and 1194. We have a /29 from our ISP. We would like to transition our users to AnyConnect slowly. It appears not to be possible to put AnyConnect on any IP other than the one on our outside interface. Is it possible to have our users connect to AnyConnect on a different port, and then easily change it after OpenVPN is fully decommissioned? Or is it possible to filter by incoming hostname, so that the user gets forwarded to OpenVPN or gets AnyConnect on 443?

Alternatively, is it possible to create a second context and have AnyConnect run on it, and get a second external IP on the outside interface? Traffic would still have to be routed out our main context, as we have external services that are restricted to that IP only.

Or would it also be an option to change our interface IP to the IP we want to use for AnyConnect, but then still port-forward OpenVPN on what used to be the main IP? Again, user traffic would have to show as coming from that original main IP so as not to be restricted.

Also open to other suggestions.

4 replies

webvpn
 enable outside
 port xxx
 dtls port yyy

This can change the port for AnyConnect.
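The port change suggested above, written out as a complete ASA configuration that also keeps tcp/443 and udp/1194 on the interface IP for OpenVPN during the transition. This is an added example, not configuration from the thread: the port 8443, the inside OpenVPN host 10.0.0.10, the assumption that 1194 is UDP, and the object, ACL and interface names are all assumptions. The order matters: the ASA will not let a static PAT on the interface IP share tcp/443 with webvpn enabled on that interface, so the webvpn port is moved before the NAT is added.

```cisco
! --- AnyConnect SSL/DTLS moved off 443 so the interface IP's tcp/443 stays free ---
! 8443 is an assumed value; the reply only says "port xxx / dtls port yyy".
webvpn
 port 8443
 dtls port 8443
 enable outside
 anyconnect enable
!
! --- OpenVPN stays reachable on the interface IP via static PAT to the inside host ---
! 10.0.0.10 and the object names are assumptions for this example.
object network OPENVPN-SRV-TCP443
 host 10.0.0.10
 nat (inside,outside) static interface service tcp 443 443
object network OPENVPN-SRV-UDP1194
 host 10.0.0.10
 nat (inside,outside) static interface service udp 1194 1194
!
! Inbound ACL on outside; post-8.3 ASA code matches on the real (inside) address.
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 443
access-list OUTSIDE_IN extended permit udp any host 10.0.0.10 eq 1194
access-group OUTSIDE_IN in interface outside
!
! Verification (exec mode):
!   show run webvpn                -> confirms port 8443 / dtls port 8443
!   show nat detail                -> confirms the two static PAT entries on the interface IP
!   show vpn-sessiondb anyconnect  -> lists sessions once a client connects to https://<interface-ip>:8443
```

Users point the AnyConnect client at `<hostname-or-ip>:8443` during the transition; once OpenVPN is decommissioned, remove the two NAT objects and the ACL lines, then set `port 443` and `dtls port 443` back under `webvpn`.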

Thanks for the reply.

We would like to use the standard port 443 for both AnyConnect and OpenVPN. Is it possible with NAT/PAT or an ACL or something to allow AnyConnect users to connect on another IP in the subnet, not the one on the interface itself? If the interface IP is xxx.xxx.xxx.82/29, can we have AnyConnect run on xxx.xxx.xxx.81?

@Alocaurd 

No, it's not possible to connect a VPN on the ASA to an IP address other than the IP address of an interface.

Why not use IPsec for AnyConnect and carry on using tcp/443 for OpenVPN?
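Rob's alternative written out as ASA configuration: AnyConnect over IPsec/IKEv2 (udp/500 and udp/4500) so tcp/443 on the interface IP remains for OpenVPN. This is an added example, not from the thread; the policy and proposal names, the trustpoint VPN-CERT, the group-policy and tunnel-group names, the algorithms and the port 8443 are assumptions. One caveat the reply does not mention is handled inline: IKEv2 AnyConnect still uses an SSL "client services" port for profile and client-package downloads, which defaults to tcp/443, so that port also has to move or it collides with OpenVPN.

```cisco
! IKEv2 SA policy and IPsec proposal (names and algorithms assumed for this example)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map DYN-RA 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN-RA
crypto map OUTSIDE_MAP interface outside
!
! Enable IKEv2 on outside. client-services is the SSL port AnyConnect still uses for
! profile/package downloads; it defaults to 443, so it is moved off the OpenVPN port.
crypto ikev2 enable outside client-services port 8443
! Identity certificate presented to IKEv2 clients (trustpoint name assumed)
crypto ikev2 remote-access trustpoint VPN-CERT
!
! Restrict the group policy to IKEv2 so AnyConnect does not expect an SSL tunnel on 443
group-policy GP-ANYCONNECT-IKEV2 internal
group-policy GP-ANYCONNECT-IKEV2 attributes
 vpn-tunnel-protocol ikev2
tunnel-group RA-IKEV2 type remote-access
tunnel-group RA-IKEV2 general-attributes
 default-group-policy GP-ANYCONNECT-IKEV2
!
! Verification (exec mode):
!   show crypto ikev2 sa           -> IKEv2 SAs from connected AnyConnect clients
!   show vpn-sessiondb anyconnect  -> protocol column shows IKEv2/IPsec rather than SSL
```

The AnyConnect client profile pushed to users must set `<PrimaryProtocol>IPsec</PrimaryProtocol>`, otherwise the client defaults to SSL; the initial profile download and client updates go over the client-services port (8443 here), while the tunnel itself runs over udp/500 and udp/4500. The identity certificate in the trustpoint must match the hostname users enter, as with the SSL deployment.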

Thanks Rob.

If we have the customer operating as normal on its outside1 interface, and we get the ISP to provide a new subnet on a new interface (let's call it outside2) and we run AnyConnect on outside2, are we able to use policy routing or NAT/PAT to route VPN user traffic out outside1?