ASA - Multiple IPs for VPN

I'm setting up Anyconnect to replace our Cisco IPsec VPN clients since they are end of life. A part of the process is to get an SSL cert and a FQDN to use for it. I've got that and it's applied to the ASA just fine. Now we don't get those warnings about it not being safe and such. 

The issue is that we have to use a non-standard port for the SSL VPN since 443 is already being forwarded to an internal device. I have unused public addresses at the outside interface of the ASA but I don't know how I could use them. I would like to have a different IP address for the SSL VPN so I don't have to mess with the port forward that is currently in place. I've read up on proxy arp but that seems like it could be problematic. I could have someone connect another cable to a different interface on the ASA (5512-X) and assign that interface the static I want for the VPN but I am not sure that will work well. We have site to site VPNs in place as well. Can I have the ASA listen on two different interfaces at the same time?

Recap:

IP 1 - Primary NAT address, Site to Site tunnels terminate here, Some Cisco IPsec client VPNs terminate

IP 2 - Want to have all Anyconnect clients connect here, migrate all Cisco IPsec legacy clients until they are all on Anyconnect.

Key is that I can't stop listening on IP 1 for the site to site connections.

Thoughts?

Thanks!

Accepted solution (VIP Mentor):

On the ASA, you can't use the extra IPs for VPN.

If tcp/443 is already in use for an external server, then I would reconfigure the DNS entry for this to use the second IP, which has to be forwarded to the internal server. Then you can use the interface IP of the ASA for AnyConnect.

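What the accepted answer describes, written out as an ASA configuration. This is an added example, not configuration from the thread or from Cisco; all addresses and names are placeholders (203.0.113.2 as the outside interface IP, 203.0.113.3 as the spare public IP, 10.0.0.10 as the internal HTTPS server, VPN-CERT as the trustpoint holding the SSL certificate), and the syntax assumes ASA 8.3 or later object NAT.

```text
! Constructed example: keep the internal server's tcp/443 port forward, but on
! the spare public address instead of the outside interface address, so the
! interface address (IP 1) is free for AnyConnect on the default port.

! 1. Move the port forward to the spare public IP (IP 2). The ASA answers ARP
!    for a static-NAT mapped address on the outside interface by default
!    (proxy ARP for NAT), so no extra cable or interface is needed.
object network INTERNAL-HTTPS-SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.3 service tcp https https

! Post-8.3 ACLs reference the real (inside) address, not the mapped one.
access-list OUTSIDE-IN extended permit tcp any object INTERNAL-HTTPS-SERVER eq https
access-group OUTSIDE-IN in interface outside

! 2. Point the server's public DNS record at 203.0.113.3, wait for the old
!    record to expire, then remove the old tcp/443 NAT entry that mapped
!    the server to the interface address (203.0.113.2). Site-to-site and
!    legacy IPsec clients (udp/500, udp/4500, ESP) on 203.0.113.2 are not
!    touched by this change.

! 3. With tcp/443 on the interface address free, bind the certificate and
!    enable AnyConnect on the outside interface using the certificate's FQDN.
ssl trust-point VPN-CERT outside
webvpn
 enable outside
 anyconnect enable
```

After changing the NAT entry, check with `show nat detail` and `show xlate` that the server is only reachable through 203.0.113.3 before enabling webvpn on the interface address.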
