Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2297
Views
4
Helpful
9
Replies

Both port Cisco Remote ACCESS VPN

Go to solution
sergei-bilan
Level 1
Level 1

‎05-23-2024 08:19 AM

Hi Team,

 I have a quastion) Can I use two ports to connect to a VPN gateway on a Cisco ASA? For example, the default connection looks like this: ravpn.testdomai.com and we understand that the connection is via port 443 by default, Is it possible to configure it so that both ravpn.testdomai.com and ravpn.testdomai.com:8443 are connected, for example, where in the second option do we specify the port?

Labels:
2 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to sergei-bilan

‎05-23-2024 09:20 AM

That better' you use memberOf to make AD assign different group for each user.

MHM

View solution in original post

Go to solution
Sheraz.Salim
VIP
VIP
In response to sergei-bilan

‎05-23-2024 09:48 AM

Sorry I have not clear the second option in detail earlier in my post. Two VPN endpoint can be acheived if ASA AnyConnect VPN with two public interfaces, commonly known as Dual ISP setup, for redundancy and load balancing purpose.

interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address Y.Y.Y.Y 255.255.255.0
!

 

please do not forget to rate.

View solution in original post

9 Replies 9

Go to solution
MHM Cisco World
VIP
VIP

‎05-23-2024 08:26 AM

As I know the port is config for all webvpn not per tunnel-group.

But let me make double check.

MHM

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎05-23-2024 08:45 AM

unfortunately NO you can not.

but why you want to make Anyconnect use two port to separate the them to group ?

MHM 

0 Helpful

Go to solution
sergei-bilan
Level 1
Level 1
In response to MHM Cisco World

‎05-23-2024 09:01 AM

Want to isolate traffic

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to sergei-bilan

‎05-23-2024 09:03 AM - edited ‎05-23-2024 09:05 AM

If you use local username then you can use group-lock for username and hence each group have it different policy

https://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/117634-configure-asa-00.html

MHM

0 Helpful

Go to solution
sergei-bilan
Level 1
Level 1
In response to MHM Cisco World

‎05-23-2024 09:05 AM

No local, i use AD nps

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to sergei-bilan

‎05-23-2024 09:20 AM

That better' you use memberOf to make AD assign different group for each user.

MHM

Go to solution
Sheraz.Salim
VIP
VIP

‎05-23-2024 08:42 AM

No, you cannot directly connect to a VPN gateway on a Cisco ASA using two ports simultaneously for AnyConnect SSL VPN access.

Here's why:

ASA Limitation: Cisco ASA listens for AnyConnect connections on a single port. By default, this is port 443, which is also commonly used for HTTPS traffic.

Client Configuration: AnyConnect client software is designed to connect to a specific hostname or IP address on a pre-defined port.

However, there are alternative approaches to achieve a similar outcome:

  1. Change Default ASA Port: You can configure the ASA to listen for AnyConnect connections on a different port, like 8443 in your example. This would involve modifying the ASA configuration.

  2. Separate VPN Endpoints: If you require redundancy or want to isolate traffic, it's possible to set up two separate VPN endpoints on the ASA. Each endpoint would have its own hostname or IP address and potentially a different port (443 for one and 8443 for the other). Clients would then connect to the specific endpoint they need.

Here are some resources that you might find helpful:

please do not forget to rate.

Go to solution
sergei-bilan
Level 1
Level 1
In response to Sheraz.Salim

‎05-23-2024 09:00 AM

The second option suits me on one ASA with two VPN endoints. Can you tell me how to implement this? You can add a second connection point without a special port

0 Helpful

Go to solution
Sheraz.Salim
VIP
VIP
In response to sergei-bilan

‎05-23-2024 09:48 AM

Sorry I have not clear the second option in detail earlier in my post. Two VPN endpoint can be acheived if ASA AnyConnect VPN with two public interfaces, commonly known as Dual ISP setup, for redundancy and load balancing purpose.

interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address Y.Y.Y.Y 255.255.255.0
!

 

please do not forget to rate.
Customers Also Viewed These Support Documents