cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1249
Views
3
Helpful
5
Replies
Highlighted
Beginner

ASA: Use alternative IP address for VPN connections

Hi Magnus,

our ASA is located behind an access router. The transfer network between the router
and the ASA uses private IP addresses. The access router routes a network of public
ip addresses to our ASA.
I want to assign a public IP address to the ASA and use this address to
set up some VPN tunnels to our branches.

I wonder if the ASA can establish VPN connections using an IP address
that is different from the IP address of the outside interface. Furthermore

the ASA should answer VPN setup requests to the public IP address.

Regards,

Mark

5 REPLIES 5
Highlighted
Cisco Employee

I do not think this is do-able. But I would suggest to ask this question in the VPN forum to double check.

I hope it helps.

PK

Highlighted
Beginner

Are there no ideas?

I wonder if one can configure a kind of "virtual ip address"

like in a redundant setup or in a cluster configuration.

Highlighted
Cisco Employee

Yes, this is possible; you will have NAT on your "outside" router translating the ASA private IP address to a public IP address so hosts on the Internet have a public IP to reach the ASA at and the ASA will accept the VPN on the "private" address. On the ASA to accomodate the NAT thats happening on the router, you will need to add the command "isakmp nat-traversal" (Verify with sh run all | include isakmp nat-traversal). The VPN connections will negotiate to UDP 4500 once NAT is detected.

Please remember to rate all of the posts and mark the question as resolved if this addressed the issue.

Highlighted

You can configure a vpn cluster, with just one node, and the use another private address for that, then you can do a NAT to that private address in your router, but the proper way would be to make your isp change the transport network to the public range instead, still you need the vpn cluster to use another address to terminate vpns on the asa. Also this only works for IPSec based vpn, i'm not 100% sure about ssl based vpn.

Highlighted

Nice idea. But I'll follow your comment to better use a public IP address on the outside interface.

Regrettably there seems to be no solution, to use an alternative or virtual ip address

for the vpn tunnel endpoint.

Thanks for all answers.

Regards,

Mark

Content for Community-Ad