09-14-2016 07:36 AM - edited 02-21-2020 08:58 PM
Hi all,
I need the latest information regarding this topic: https://supportforums.cisco.com/discussion/11591606/anyconnectwebvpn-different-ip
Until now, it was not possible to change the interface IP address.
Is it possible in some way to get the SSL VPN running on a different external IP address (the customer has a /29 subnet) than the interface IP address? Has somebody tried that via NAT?
Best Regards
Sebastian
09-14-2016 07:56 AM
Hi Sebastian,
For connecting AnyConnect, you can only use an IP address which is configured on one of the interfaces of the ASA; it doesn't have to be your main internet-facing interface. So you have 2 options:
1. Add a public IP on one of the interfaces of the ASA and configure it for the SSL VPN.
2. The second option is to use NAT, but that has to be done on a device connected to the ASA, and it will forward the connection to the ASA.
I hope this answers your query. Please let me know if you have any additional questions.
Thanks
Jeet Kumar
06-02-2018 02:48 PM
I'm confused. If I use another interface on the ASA and configure it with a public IP address won't that be a conflict? If I have two interfaces for the same network which one will the ASA use to reach the default route? I didn't think that a router or firewall would let you assign two different interfaces in the same subnet. Are you suggesting getting a second ISP for option 1?
Has anyone tried option 2? I was thinking about an inside VLAN interface for the AnyConnect configuration and configuring a static 1-to-1 NAT for the Public IP address.
08-10-2020 06:07 PM
Hi Sebastian and everyone,
Were you able to get a response to option #2? Does anyone know how to do this with option number?
TIA,
Paula
08-10-2020 08:26 PM - edited 08-10-2020 08:26 PM
SSL VPN traffic needs to terminate on the interface that receives it. You cannot come in on the outside interface of an ASA and access the VPN service bound to some other interface on the same ASA.
08-10-2020 09:08 PM
Thanks Marvin for the quick response. How about using another IP that is on the same subnet on the outside of the ASA and using a NAT configuration?
08-10-2020 09:25 PM
An ASA can ONLY terminate remote access SSL VPN (AnyConnect) client sessions on the actual interface address they arrive on at initial ingress.
You cannot use a NAT, you cannot use a secondary address, you cannot use another interface address etc.
08-10-2020 09:11 PM
Hey Marvin,
Do you know if there is a way to map a SAML account and restrict it to a certain VPN tunnel profile, like Active Directory\LDAP does?
Thank you!
08-10-2020 09:19 PM
Hi Marvin,
Below is what I am trying to figure out, but for Azure SAML SSO: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html#anc7.
Thank you!
08-10-2020 09:28 PM - edited 08-10-2020 09:29 PM
SAML authentication cannot use LDAP attribute-maps per se.
If you use an external authorization server (like ISE or Microsoft NPS) you can send change of authorization for a user session based on LDAP attributes (username, group membership etc.) to make sure the user is put into the correct connection profile / tunnel-group.
08-10-2020 09:39 PM
Thanks Marvin for the replies.
Wanted to confirm on SAML authentication and mappings. We'll have to look at other alternatives. Thanks!
09-26-2016 07:52 AM
The sheer number of router suppliers applying the IP 192.168.0.1 as a default IP address for their routers isn't small. The good thing is that this particular IP address can be altered and it's an important part of securing the wireless system. The router IP can easily be edited through the router page. Primarily, the IP is there to give a distinctive identity for units inside the computer network. This specific numeric Identification is composed of 4 sections of numbers, divided by dots. A particular IP range where this particular IP address sits is usually the one from 192.168.0.0 up to 192.168.255.255.
08-11-2020 03:24 AM
A complicated solution:
ASA: Multi-Context Mode Remote-Access (AnyConnect) VPN
One context for SSL VPN AnyConnect
One context for normal traffic
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200353-ASA-Multi-Context-Mode-Remote-Access-A.html
08-11-2020 05:25 AM
I would consider separate contexts to effectively be separate ASA instances.