ASA 5520: SSL VPN using different IP than the ASA's Public IP

Hi guys,

I am trying to configure an SSL VPN on a Cisco ASA5520.

Unfortunately, port 443 of the OUTSIDE interface of the ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me from using the public IP of the ASA as the Cisco VPN IP address for the webpage.

I also don't want to use a different port, so as to keep life easy for the users.

I have some public IPs available that I can use so I wanted to use one of them instead of the ASA's OUTSIDE interface. Any idea about how I could do it?

Thanks,

Dario

Accepted Solutions

Jennifer Halim
Cisco Employee

Unfortunately, you can't use any other public IP address except the ASA outside interface IP to terminate the SSL VPN.

The only options you have are to either change Outlook to use a different port, or the SSL VPN to use a different port.

Or maybe it's easier to change the Outlook web mail to use a different public IP. You just have to configure the DNS to resolve to the new public IP.

Hi Jennifer.

Unfortunately I can't change the Mail server's public IP. I will use a different port.

Thanks,

Dario

Can you not just change the WebMail address? The mail server itself (port 25) can continue to use the same outside IP.

Hi Jennifer,

I don't think so as Exchange uses the same address for all its services (e.g. mail.mycompany.com).

Changing that address would force me to update the DNS (feasible), change the DMZ/Firewall rules (feasible) and ask the telco to change the reverse DNS to the new IP (unfortunately not feasible).

This situation makes me think that the optimal solution is to use a different port and explain to the users how to use it :-). Unless I can forward all the traffic coming to the ASA and destined to the public IP that I want to use for the VPN, to the external IP of the ASA firewall. Do you think it could be done?

Thanks,

Dario

Ahh, sometimes people use a different name for Exchange web mail (e.g. webmail.mycompany.com), that's why I made my suggestion earlier.

But if it's not, then a different port for SSL VPN would be the only option.

pabloarturo
Level 1

Hi,

If you change the IP address on the outside interface, and NAT the IP that was there before to the Exchange server