Anyconnect on other interface

peterzork
Level 1

Hello,

I have a strange issue when enabling SSL VPN on a second interface on an ASA 5510.

The ASA has a /30 connected on the outside interface to the Internet, but I can't use that IP on port 443 because another service is connected to it.

We have another subnet which is routed to the outside interface IP. This /28 subnet has its own interface on the ASA, like a DMZ.

Now I want to also use this extra subnet interface for SSL VPN, so I enabled it, but it seems some ACL is not allowing me.

I always get a deny to the DMZ interface IP, no matter what kind of permit rules I create on all ACLs.

Some drawing:

    -----Internet------ASA IP/30 ( Outside IF )------------LAN ( Inside IF )-----
                                       |
                                       |
                                  DMZ IF /28 ( SSL enabled on this IF )
                                       |
                                       |

Does anyone know if this is supposed to work?

Kind Regards,

Peter


That won't work the way you want:

1) The ASA can only be accessed on the nearest interface. So if the user is on the Internet, the outside IP has to be used.
2) Interface ACLs never control traffic that is for the ASA itself.

How to solve that:

Solution 1)
Remove the DMZ and use the new addresses for NAT. The service that uses port TCP/443 will be changed to one of the new IPs, and the ASA IP can be used for VPN.

Solution 2)
Keep the DMZ with the new IP subnet and move the server that uses port TCP/443 at the moment to that DMZ. That will also free the interface IP of the ASA so it can be used for VPN.

Sent from Cisco Technical Support iPad App
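Solution 1 from the reply, written out as an added ASA configuration example (not from the thread or from Cisco). It assumes 8.3+ NAT syntax and constructed addresses: outside 203.0.113.2/30, the routed block 198.51.100.16/28, an internal web server at 10.0.0.10, and an AnyConnect package name that is a placeholder.

```text
! Added example, not from the thread. Constructed addresses throughout.
!
! 1. No DMZ interface for the /28: the upstream router already routes that
!    block to the outside interface IP, so the ASA can hand its addresses
!    out as NAT mapped IPs without owning them on any interface.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! 2. Move the existing TCP/443 service off the interface IP onto a /28 address.
object network web-server
 host 10.0.0.10
 nat (inside,outside) static 198.51.100.18 service tcp 443 443
!
! Interface ACLs only govern through-the-box traffic, so this is what admits
! clients to the published server (8.3+ ACLs reference the real address).
access-list OUTSIDE_IN extended permit tcp any object web-server eq 443
access-group OUTSIDE_IN in interface outside
!
! 3. The interface IP 203.0.113.2 is now free on 443 for AnyConnect. Internet
!    users terminate on the nearest interface, i.e. outside. "enable outside"
!    opens the listener; no interface ACL entry is needed or honoured for it.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Pre-8.3 equivalent of the NAT statement above:
!   static (inside,outside) tcp 198.51.100.18 443 10.0.0.10 443 netmask 255.255.255.255
```

To confirm the listener is bound to the outside address and not to the DMZ address, `show asp table socket` lists the sockets the ASA itself is listening on per interface.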
