Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
727
Views
0
Helpful
5
Replies

assign external ip for anyconnect ssl question

pmlam3274
Level 1
Level 1

‎08-07-2013 08:41 PM - edited ‎02-21-2020 07:04 PM

Hi,

Does anyone know if i can assign a seperate external ip address to intercept anyconnect ssl request other then assign it to an interface, which normally is external/outside?   This is for the ASA 5520 model.

Labels:
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-07-2013 09:17 PM

You have to assign an interface (by name) to accept the incoming crypto IKE connections. While it technically doesn't have to be the "outside" interface it does have to have be an interface with a publicly routable address that would not have asymmetric routing.

In 99.99% of use cases that means using the outside interface. In fact, I've never seen anyone use anything but "outside".

0 Helpful

pmlam3274
Level 1
Level 1

‎08-07-2013 09:42 PM

Thanks for replay my question. I understand the part that it will be assign to an interface however I would like to use a different public ip address rather than the one assigned to an outside interface. I was thinking about doing a twice nat to nat the outside public to another publicc io address but couldn't get it to work. Any know the answer to that, please let me know.


Sent from Cisco Technical Support Android App

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to pmlam3274

‎08-07-2013 09:46 PM

What's your rationale for not wanting to use the outside interface address?

If it's already in use on port 443 for some other already-NATted server, it's usually easier to make that server NAT to a different IP and just update the DNS record for the FQDN that outside access comes in for that server.

0 Helpful

pmlam3274
Level 1
Level 1
In response to Marvin Rhoads

‎08-08-2013 12:15 PM

the reason i need to use a different public ip address is because my circuit service provider also has a firewall that only allow certain ip address for inbound ssl traffic.  i want the outside interface stay with the same ip address since my company would like stay with that ip for all global nat translation.  Thanks Marvin for answering my question.  now i have decide to change the global nat statement to use an ip address instead the interface and change the outside interface ip address. 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to pmlam3274

‎08-08-2013 12:25 PM

You're welcome. Please rate helpful replies and mark your question as answered if it has been.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents