ASA 5520 use secondary public IP as termination point

ij@techotel.no
Level 1

Hi

Got an ASA 5520 and a block of public IP addresses. I use a.b.c.d as the public IP and that is used for the WAN interface. I would then like to use a.b.c.e as the IP that the IPSec Site-2-Site VPN connects to from the remote networks. Not sure how to do it or if it is possible. Somehow I need to forward the public IP a.b.c.e to the VPN service.

9 Replies

So your ASA outside interface has an IP address a.b.c.d configured, but you want your site-to-site VPN to use another public IP address.

I think that's not possible, as your other address is not in service and is not bound to any outside interface.

please do not forget to rate.

Is it then possible to bind two (or more) public IPs to the same (WAN) interface?

No. What exactly are you after?

You want your site-to-site VPN to connect to a different public IP address. Any reason why that is?

please do not forget to rate.

The guys in charge had an idea of less activity if it wasn't the IP found by trace back from accessing the internet from inside the network. But thanks for letting me know that it is not possible.

You can achieve what the guys in charge want by natting the outbound internet traffic using a different IP address. It's probably natted behind the outside interface IP address currently, it would just need modifying to another IP address in your public address range.

HTH

@Rob Ingram I see what you're saying. Even in that case, though, the remote side needs to connect to the public IP address of the ASA outside interface. Then NAT can be put in place for the other public IP address. At the end of the day the remote peer needs an IP address that is configured on the outside interface.

please do not forget to rate.

The VPN would still terminate on the outside interface IP address. The nat suggestion is for outbound internet traffic only, nothing to do with VPN, but they achieve the result of the "guys in charge".

Do you have any example config? Interested to see them.

please do not forget to rate.

We skipped the idea and just configured as "normal".
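
The outbound-NAT approach suggested in the thread, sketched as an added example (not posted by any participant and not taken from a real device). It assumes ASA 8.3 or later NAT syntax; the object names, the crypto map name and the inside/remote subnets are constructed, and a.b.c.d / a.b.c.e are the thread's placeholders for the two public addresses.

```cisco
! Added example. Object names and subnets are constructed placeholders.
! a.b.c.d = outside interface IP, a.b.c.e = second address from the same public block.

object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-SITE-NET
 subnet 10.20.0.0 255.255.255.0

! Before: outbound traffic is PATed behind the outside interface IP (a.b.c.d),
! so the address seen on the internet is also the VPN peer address.
!   object network INSIDE-NET
!    nat (inside,outside) dynamic interface

! After: outbound internet traffic is PATed behind a.b.c.e instead.
object network INSIDE-NET
 nat (inside,outside) dynamic a.b.c.e

! Site-to-site traffic is exempted from NAT. Manual (twice) NAT rules are
! evaluated before object NAT, so tunnel traffic is not translated to a.b.c.e.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-SITE-NET REMOTE-SITE-NET no-proxy-arp route-lookup

! The tunnel still terminates on the outside interface, so remote peers
! continue to configure a.b.c.d as the peer address.
crypto map OUTSIDE_MAP interface outside
```

With this in place, `show xlate` should list inside hosts translated to a.b.c.e, while `show crypto isakmp sa` still shows peers connected to the outside interface address.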
