AnyConnect VPN using same public IP for multiple FQDNs

Elude
Level 1

The AnyConnect profile that is currently in use has multiple FQDNs using the same public IP address. Example below:

abcvpn.com > 1.1.1.1

abcvpn1.com > 1.1.1.1

I want to create a new profile while implementing Cisco Duo and a new FQDN, but Mgmt wants to continue to use the same FQDN and same IP for the new AnyConnect profile: abcvpn.com. My question is, will using the same FQDN and public IP for the new profile present any issues? The profiles will all be on the same ASA.

3 Replies

@Elude you can use a different FQDN as long as it resolves to the same IP. You should replace your certificate and include a SAN entry for the new FQDN or use a wildcard cert; this will avoid any certificate errors.

That's the thing though, they don't want to use a new FQDN. They want to continue to use the same FQDN abcvpn.com and same public IP address for the new profile that I want to create to utilize Cisco Duo. I don't see how that is going to work when I apply the same FQDN abcvpn.com using the same public IP, all while maintaining the working VPN profile that is using abcvpn.com and bringing up the new VPN profile using Cisco Duo. I'm sorry if it sounds confusing; I'm just trying to understand how it works and implement this new profile without disturbing Production. If both the current profile and the new profile use the same FQDN and same public IP, how will it know which profile to download when connecting?

@Elude OK, create a new connection profile/tunnel-group with a different alias or URL, i.e., fqdn/duo, which uses Duo for authentication.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
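An added configuration sketch of what the last reply describes, not taken from any poster in this thread: a second connection profile on the same ASA, reached through the same FQDN and public IP and selected by a group URL or a drop-down alias. The names DUO-VPN, DUO-AUTH, DUO-POOL and DUO-GP are hypothetical, and the Duo-backed AAA server group, address pool and group policy are assumed to be defined already.

```cisco
! Added example. DUO-VPN, DUO-AUTH, DUO-POOL and DUO-GP are hypothetical names.
! The existing production tunnel-group is not modified by any line below.
!
tunnel-group DUO-VPN type remote-access
tunnel-group DUO-VPN general-attributes
 ! Assumed: DUO-AUTH is an existing aaa-server group that points at Duo
 authentication-server-group DUO-AUTH
 address-pool DUO-POOL
 default-group-policy DUO-GP
tunnel-group DUO-VPN webvpn-attributes
 ! Option 1: the URL path selects this profile (same FQDN, same public IP)
 group-url https://abcvpn.com/duo enable
 ! Option 2: the user picks this profile from the login drop-down
 group-alias Duo enable
!
webvpn
 ! Required only for the alias drop-down (Option 2)
 tunnel-group-list enable
!
! Checks after a pilot user connects to abcvpn.com/duo:
!   show running-config tunnel-group DUO-VPN
!   show vpn-sessiondb anyconnect
! The session should list DUO-VPN as its tunnel group, while users who
! connect to the bare FQDN stay on the existing profile.
```

Because the hostname in the URL is unchanged, the certificate already issued for abcvpn.com still matches; the SAN or wildcard change mentioned in the first reply only applies if a new FQDN is introduced.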