Anyconnect on guest VLAN with same FQDN

Hi, I'd like to enable users connected to the guest VLAN to establish a VPN session the same way they do when connected from the internet.

I have an ASA with 3 interfaces: inside, guest, outside. Clients establish an AnyConnect VPN session by entering vpn.domain.com as the host address in the AnyConnect window when connecting from the internet.

I'd like to enable users connected on the guest interface to establish a VPN connection to the same FQDN they use when connecting from the internet: vpn.domain.com. The goal is to reach servers connected on the inside interface via the VPN connection.

I could do this by enabling SSL on the guest VLAN and installing a separate DNS server on the guest VLAN that returns the ASA's guest VLAN IP address when resolving vpn.domain.com. I don't prefer this solution because I would need an additional server and would have to maintain a separate DNS zone.

I was thinking of using DNS doctoring on the ASA, but when I run the command "nat (inside,outside) source static asaPrivateIP interface dns" the ASA disables all services running on the public interface. So this is also a no-go solution.

Any other idea?

3 Replies

nspasov
Cisco Employee

Yes, I have done this in the past for authorized guest users. And you are on the correct path:

- You will need to enable VPN on the Guest interface

- Ensure that DNS resolves properly. I don't know enough about your setup, but you should be able to do this from the DNS server that you already have for your Guest VLAN (unless you are using some public server like 8.8.8.8).

Thank you for rating helpful posts!
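The two steps above, sketched as an ASA configuration fragment. This is an added example written for this thread, not configuration posted by the original poster or by Cisco; interface names, object names, subnets and the guest interface address are assumptions chosen for illustration.

```cisco
! Added example (not from the thread). Assumed interfaces:
!   inside (security-level 100), guest (security-level 50), outside (security-level 0)
!
! Step 1: listen for AnyConnect/SSL on the guest interface in addition to outside.
webvpn
 enable outside
 enable guest
 anyconnect enable
!
! Assumed objects: corporate subnet behind inside and the AnyConnect address pool.
object network INSIDE_NET
 subnet 10.10.0.0 255.255.0.0
object network VPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
!
! NAT exemption so inside<->VPN-pool traffic is not translated when the tunnel
! terminates on guest (twin of the identity rule normally present for outside).
nat (inside,guest) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
!
! The guest->inside interface ACL stays closed. Decrypted tunnel traffic still
! reaches inside because "sysopt connection permit-vpn" (the ASA default)
! bypasses interface ACLs for traffic arriving through a VPN tunnel; untunnelled
! guest hosts are unaffected and remain blocked.
!
! Step 2 (outside the ASA): the resolver used by guest clients must answer
! vpn.domain.com with the guest interface address (assumed 192.0.2.1 here),
! not with the public address that internet clients receive.
```

To verify, resolve vpn.domain.com from a guest host and confirm it returns the guest interface address, then check `show vpn-sessiondb anyconnect` on the ASA after connecting: the session's public IP should be a guest VLAN address rather than an internet address. Note the assumption that the existing tunnel-group, group-policy and address pool are reused unchanged; only the listening interface and the NAT exemption for the new path are added.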

Hi Neno,

users located in the guest VLAN are using Google's DNS servers. The company is using Amazon's DNS server for "domain.com".

I could modify the settings so guest users would start using the company's DNS servers as DNS forwarders. These DNS servers are currently configured with the domain.local zone. And I'd also have to modify the access list to permit this traffic from the guest network to the inside network.

But I don't like this solution because:

- I don't want to permit any traffic from the guest network to the inside network

- I'd have to maintain a separate DNS zone for this (there is already one hosted on Amazon for internet clients)

Any idea?

In that case a dedicated server for the guest DMZ would be the easiest solution.

Thank you for rating helpful posts!