Our ASA is located behind an access router. The transfer network between the router and the ASA uses private IP addresses. The access router routes a network of public IP addresses to our ASA.

I want to assign a public IP address to the ASA and use this address to set up some VPN tunnels to our branches.

I wonder if the ASA can establish VPN connections using an IP address that is different from the IP address of the outside interface. Furthermore, the ASA should answer VPN setup requests to the public IP address.
Yes, this is possible; you will have NAT on your "outside" router translating the ASA private IP address to a public IP address, so hosts on the Internet have a public IP to reach the ASA at, and the ASA will accept the VPN on the "private" address. On the ASA, to accommodate the NAT that's happening on the router, you will need to add the command "isakmp nat-traversal" (verify with sh run all | include isakmp nat-traversal). The VPN connections will negotiate to UDP 4500 once NAT is detected.
Please remember to rate all of the posts and mark the question as resolved if this addressed the issue.
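The setup described in the answer above, written out as an added configuration example (not taken from the thread): the interface names, the documentation-range addresses and the ASA 7.2-8.3 command syntax are assumptions; on 8.4 and later `crypto isakmp enable outside` becomes `crypto ikev1 enable outside`.

```text
! --- Access router (IOS), assumed addresses: 203.0.113.0/30 uplink, 192.168.100.0/30 transfer net ---
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Transfer network towards the ASA
 ip address 192.168.100.1 255.255.255.252
 ip nat inside
!
! 1:1 static NAT: the branches reach the ASA at 203.0.113.10,
! the router rewrites that to the ASA's private outside address
ip nat inside source static 192.168.100.2 203.0.113.10
!
! --- ASA (7.2 - 8.3 syntax) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.252
!
! IKE terminates on the private outside address; the router's NAT puts the public one in front of it
crypto isakmp enable outside
! NAT-T: detect the NAT during phase 1 and move IKE and ESP into UDP 4500 (20 s NAT keepalives)
crypto isakmp nat-traversal 20
!
! Branch side (assumed crypto map name): the peer is the NATed public address, not 192.168.100.2
! crypto map BRANCH 10 set peer 203.0.113.10
!
! Verification on the ASA; default settings only appear in the full running config:
! show running-config all | include nat-traversal
```

Only UDP 500, UDP 4500 and ESP need to pass through the router for IPsec; after NAT-T has detected the translation, both IKE and the ESP traffic travel inside UDP 4500, so no special handling of ESP on the router is required.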
You can configure a VPN cluster with just one node and then use another private address for that; then you can do a NAT to that private address in your router. But the proper way would be to make your ISP change the transport network to the public range instead; still, you need the VPN cluster to use another address to terminate VPNs on the ASA. Also, this only works for IPsec-based VPN; I'm not 100% sure about SSL-based VPN.
Nice idea. But I'll follow your comment to better use a public IP address on the outside interface.
Regrettably, there seems to be no solution to use an alternative or virtual IP address for the VPN tunnel endpoint.
Thanks for all answers.