Anyconnect without direct Internet Address

Koba1
Level 1

Hello Guys,

I am facing an issue: the ISP has some problems providing me a dedicated internet circuit with a public IP; however, I need to configure AnyConnect VPN for remote users.

Is it possible to configure AnyConnect if my ASA's outside interface has a private IP which will be NATed to a public one on the ISP router side?

Never tried that and didn't find any documentation related to my case. What are the requirements? Where to dig? I think there could be many issues in the future...

Any ideas? o_0

5 Replies

Bogdan Nita
VIP Alumni

Yes, this is possible; you just have to do a static NAT on the ISP device for TCP 443 to the private IP on the ASA. The ASA config for AnyConnect is the same as if you had the public IP on the ASA.

HTH

Bogdan

Thanks for the encouragement -)
I thought about that, but that's in theory. Did you or someone configure that? Were there any issues later or during configuration?

I am trying to assess whether I need to wait for a direct IP, or try with NAT first, or just keep NAT and not even ask for a direct public IP anymore..... I am trying to avoid wasting my and other people's time with such a "non-standard" configuration.

Any other ideas are welcome!
Warm Regards,

I configured it a couple of times for small offices in order to be able to connect to other devices behind the ASA. Did not have any problems with AnyConnect.

If you have the possibility to have the public IP on the ASA, I would say go for it; it makes troubleshooting a little easier, but it is also a question of budget and how critical the VPN is for the business.

rasmus.elmholt
Level 7
Hi

This is definitely possible. AnyConnect is able to use SSL VPN on port 443.
Just forward port 443 on both TCP and UDP and everything should be working.
AnyConnect is able to use UDP for better performance (DTLS) if you activate it.
Done this a couple of times to the ASAv in a hosting center.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac09adminreqs.html#99554
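
The setup the replies above describe, as an added configuration example that is not part of the thread or of any poster's own config. It assumes the ISP device runs Cisco IOS (the thread does not say); all addresses and interface names are constructed, and the AnyConnect package filename is a placeholder.

```cisco
! ---- ISP edge router (assumed Cisco IOS) ----
! 203.0.113.10 = public address (constructed)
! 192.168.1.2  = ASA outside interface, private (constructed)
interface GigabitEthernet0/0
 description WAN
 ip nat outside
!
interface GigabitEthernet0/1
 description Link to ASA outside
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Forward only what AnyConnect needs: TLS on TCP 443 and DTLS on UDP 443
ip nat inside source static tcp 192.168.1.2 443 203.0.113.10 443
ip nat inside source static udp 192.168.1.2 443 203.0.113.10 443
!
! ---- ASA ----
! Same as with a public address on the outside interface; only the
! interface address and the default route point at the private segment.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-package>.pkg 1
 anyconnect enable
!
! ---- Checks after a test client connects ----
! On the router: show ip nat translations
! On the ASA:    show vpn-sessiondb detail anyconnect
```

If the ASA session shows an SSL tunnel but no DTLS tunnel, the UDP 443 forward on the upstream device is the first thing to check; the client falls back to TLS over TCP when DTLS cannot be established.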

Thanks everyone,

that answers my question.

Regards,