ASA 5525-X Remote Access VPN via Dynamic DNS

mohdumer
Level 1

Dear Gurus,

I am using Cisco ASA 5525-X and the Software version is 9.4(2).
Device Manager version is 7.5(2).
Internet is terminated on ASUS Router and WAN interface is configured via PPPoE.
ASA is behind the ASUS router. (ONT -> Asus Router -> ASA 5525-X -> Core Switch -> Servers)
ASA is getting Local IP from the router.
I need to configure Remote Access VPN so that the users can access the servers placed inside the office.
As the firewall outside interface does not have a public IP, what I understand is that we need to configure DDNS on the ASA.

For DDNS I need to configure a domain on NO-IP and then the same should be configured in the DDNS settings on the ASA.
Here I need to confirm from the Gurus whether the Remote Access VPN will get established via DDNS or not.


If yes, please share a document or any video related to the query so that I can figure out how to achieve this task.
If not, can you people share a better solution to achieve this task?

Topology is attached for your further reference.

7 Replies

tvotna
Spotlight

Your ASA is not assigned a public IP, but your Asus router probably is, right? In this case you can configure static NAT on the Asus router for the ASA private outside interface IP address, and remote clients will be able to connect to this NAT IP address over TCP/443.

 

On the ASUS router, port forwarding is already being done for some other IPs, as 2 servers and 1 Fortigate are also configured on the other ports of the ASUS router.

This is the main reason I was asking for DDNS.

Is the "Asus Router -> ASA 5525-X" subnet assigned public or private IP addresses? If it is private, how would DDNS help?

 

The ASUS WAN interface is configured via PPPoE and getting Dynamic Public IP.
The ASUS LAN interface is configured via private IP, ASA is also getting private IP.

If DDNS is not helpful, what solution do you recommend, or how can I resolve this issue?
Do I need a separate ISP connection, or do I need to remove the ASUS router and directly terminate the ISP connection on the ASA?

I cannot directly terminate the ISP line on the ASA, as the Fortigate firewall is also getting the Internet from the ASUS router.

Basically, on port 0/1 of the ASUS is the ASA, and on port 0/2 of the ASUS is the Fortigate.

You can add another port forwarding rule on the router. AnyConnect and ASA are able to use any port for SSL VPN, not necessarily TCP/443. On the ASA the port is configured as follows:

webvpn
 enable outside
 port <X>
 dtls port <Y>

The same can be done via the GUI. The "port <X>" opens the TCP port for the initial connect. The "dtls port <Y>" opens the UDP port for DTLS. This means that for best performance you need two port forwarding rules. When using the AnyConnect client, the port is specified in the Connect To box in the traditional way as "https://<IP>:<X>". The DTLS UDP port should then be negotiated automatically.

Don't forget to upgrade the ASA to the latest supported version for this platform.

HTH

 

DDNS uses the router's public IP, and AnyConnect needs to know this IP.

And for the ASA, static NAT in the router is enough.

In the end, the ASA IP stays static and what changes is the router's public IP.

MHM

Do DDNS for the router public IP and use the DNS name as the GW in the AnyConnect profile.

I don't think there is any other workaround.

Good luck

MHM
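Putting tvotna's non-standard-port idea and MHM's router-side DDNS suggestion together, the following is an added example ASA configuration, not taken from this thread or from the poster's device. The ports (4443), the VPN pool 10.10.50.0/24, the inside network 192.168.10.0/24, the ASA outside address 192.168.1.10, the trustpoint name and the DDNS name office-vpn.example.net are all assumed values.

```cisco
! --- Router side (ASUS, not ASA CLI; assumed values) ---
! 1. Router registers its PPPoE public IP under office-vpn.example.net (DDNS).
! 2. Port forward TCP 4443 and UDP 4443 -> 192.168.1.10 (ASA outside).
! Clients then connect to https://office-vpn.example.net:4443

! --- ASA side: SSL VPN listener on non-standard ports (tvotna's point) ---
webvpn
 enable outside
 port 4443
 dtls port 4443
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Identity certificate presented to AnyConnect; its subject/SAN should carry
! the DDNS name so clients do not get a hostname-mismatch warning.
ssl trust-point VPN_TRUSTPOINT outside

! Address pool handed to remote users
ip local pool RA_POOL 10.10.50.10-10.10.50.100 mask 255.255.255.0

! Split tunnel: only the server LAN goes through the VPN
access-list SPLIT_ACL standard permit 192.168.10.0 255.255.255.0

group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL

tunnel-group RA_TG type remote-access
tunnel-group RA_TG general-attributes
 address-pool RA_POOL
 default-group-policy RA_GP
tunnel-group RA_TG webvpn-attributes
 group-alias OFFICE enable

! NAT exemption so traffic between the servers and VPN clients is not translated
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
object network RA_POOL_OBJ
 subnet 10.10.50.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RA_POOL_OBJ RA_POOL_OBJ no-proxy-arp route-lookup
```

The ASA itself never needs the public IP: the router's DDNS record tracks the PPPoE address, and the static forward delivers both the TCP and the DTLS UDP port to the ASA's private outside interface.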