
Anyconnect to ASA with outside interface NATed

superduperlopez
Level 1

Hi all,

I've been trying to get the following working for a couple of days now to no avail. The topology I have is as follows:

Internet --> Router (with Public IP) --> ASA (with Private IPs) --> LAN

What I'm trying to achieve is for remote workers to be able to use the Anyconnect client to connect back to the office.

I can get the solution working by using the Router as the SSL VPN encryption point, set up EIGRP between the Router and the ASA and redistribute the injected IPs (Anyconnect RRI) onto the routing protocol.

However, ideally, we would like for the ASA to be the encryption point... the reason being that we have SSL VPN licences for the ASA but not for the router. To achieve this, I have tried various flavours of NATing in order to try to give the ASA a public IP, but everything I have tried so far doesn't seem to work, i.e. I can get it to a state where I can ping the "public" (NATed) IP address of the ASA but the SSL VPN config won't work, i.e. when I try to browse to the very same IP address that I can ping, nothing happens...

Any advice would be greatly appreciated.

Thanks.

6 Replies

fb_webuser
Level 6

Hi, we featured your question on our Facebook page and we have received a lot of responses. Check out this post for all the responses: http://www.facebook.com/CiscoSupportCommunity/posts/274084426007050

---

Posted by WebUser Cisco NetPro from Cisco Support Community App

Jeff Van Houten
Level 5

Depending on the size of the address space given you by the ISP, you could subnet and give your inside router interface a public address on the same subnet as the ASA external interface. Then the clients could address the ASA directly.

Sent from Cisco Technical Support iPad App

joshking1
Level 1

Hi,

Please did you get to resolve this issue?

I currently have a similar setup as shown below and am about to implement AnyConnect VPN on version 8.4(2).

Internet --> edge device (with Public IP) --> ASA (with Private IP) --> LAN

Thanks

Take one of the available public IPs you have from your ISP (hopefully you already have some) and NAT it to the ASA's internal IP. Then configure AnyConnect on the ASA.

Hi Mohammed,

Thanks for your response.

I already have the outside firewall interface being NATed as you suggested but it still didn't work.

But I found out the problem was with my tunnel-group and ssl-client config and it has been working for 2 days now!

I am now testing my split-tunnel and certificate authentication....

Regards,

Eric

That is great that you got it working.
