Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2694
Views
0
Helpful
7
Replies

ASA 5520: SSL VPN using different IP than the ASA's Public IP

Go to solution
Dario Francesco Vanin
Level 1
Level 1

‎11-07-2012 06:34 PM

Hi guys,

I am trying to configure a SSL VPN on a Cisco ASA5520.

Unfortunately the port 443 of the OUTSIDE interface of ASA is already in use by Microsoft Outlook Web Access and I cannot change the configuration of Outlook. This configuration already in place prevents me to use the public IP of the ASA as Cisco VPN ip address for the webpage.

I don't either want to use a different port so to keep life easy for the users.

I have some public IPs available that I can use so I wanted to use one of them instead of the ASA's OUTSIDE interface. Any idea about how I could do it?

Thanks,

Dario

Labels:
Preview file
117 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎11-07-2012 07:01 PM

Unfortunately you can't use any other public ip address except the ASA outside interface IP to terminate the SSL VPN.

The only options you have is to either change the outlook to use a different port, or the SSL VPN to use a different port.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎11-07-2012 07:01 PM

Unfortunately you can't use any other public ip address except the ASA outside interface IP to terminate the SSL VPN.

The only options you have is to either change the outlook to use a different port, or the SSL VPN to use a different port.

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Jennifer Halim

‎11-07-2012 07:03 PM

Or maybe it's easier to change the outlook web mail to use a different public IP. Just have to configure the DNS to resolve to the new public IP.

0 Helpful

Go to solution
Dario Francesco Vanin
Level 1
Level 1
In response to Jennifer Halim

‎11-07-2012 07:08 PM

Hi Jennifer.

Unfortunately I can't change the Mail server's public IP. I will use a different port.

Thanks,

Dario

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Dario Francesco Vanin

‎11-07-2012 07:12 PM

Can you not just change the WebMail address? the Mail server itself (port 25) can continue to use the same Outside IP

0 Helpful

Go to solution
Dario Francesco Vanin
Level 1
Level 1
In response to Jennifer Halim

‎11-07-2012 07:19 PM

Hi Jennifer,

I don't think so as Exchange uses the same address for all its services (e.g. mail.mycompany.com).

Changing that address would force me to update the DNS (feasible), change the DMZ/Firewall rules (feasible) and ask the telco to change the reverse DNS to the new IP (unfortunately not feasible).

This situation makes me think that the optimal solution is to use a different port and explain the users to use it :-). Unless I can forward all the traffic coming to the ASA and destined to the public IP that I want to use for the VPN, to the external IP of the ASA firewall. Do you think it could be done?

Thanks,

Dario

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to Dario Francesco Vanin

‎11-08-2012 12:00 AM

Ahh, sometimes people use different name for exchange web mail (eg; webmail.mycompany.com), that's why my suggestion earlier.

But if it's not, then different port for SSL VPN would be the only option.

0 Helpful

Go to solution
pabloarturo
Level 1
Level 1

‎03-25-2013 10:05 PM

hi,

if you change the ip address in the outside interface, and NAT the ip than was before to the exchange server

0 Helpful
Customers Also Viewed These Support Documents