03-27-2014 07:59 AM
Hi All,
We are configuring an ASA 5510 for remote VPN users using Any Connect.
Our question is:
We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
Any suggestions on how to best achieve this requirement.
Regards,
03-27-2014 03:50 PM
You will not be able to assign 5 public IP addresses specifically to the outside interface of the ASA. Also, I do not understand your statement regarding DDNS logins. What is the business requirement you are trying to satisfy?
03-29-2014 10:52 AM
Hi All,
Just to clarify what we are looking to achieve.
We have users who access the ASA via VPNs using Any Connect. We have created 5 user groups we will just call them A, B, C, D, E. When Group A connects they use for example vpnA.xyz.net and IP address 1.1.1.1. When Group B connect they use for example vpnb.xyz.net and IP Address 2.2.2.2 and so on.
As for DDNS we aware that the ASA does not do DDNS updates and so we either use an internal server or manual entries. The purpose of this is purely to give the users an easy to remember login.
We can use the Global command to map the external IP addresses to the internal subnets, but we are trying to find out if there is another way.
Thanks.
03-29-2014 11:08 AM
What are the different groups used for? Are that different companies or just different departments of one company?
There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.
One "typical" way to configure different VPN-settings for different users is the following:
03-29-2014 07:42 PM
Karsten has it right - the way to do what you want is with connection profiles (tunnel-group in the legacy cli command) associated with group policies that customize the user access as desired.
03-28-2014 12:16 AM
first, the ASA doesn't support the HTTP-method of DDNS. So your ASA should have a fixed public IP. Of course you could run a DDNS-client in the internal network, but I wouldn't recommend that.
Then, as already mentioned, the ASA doesn't support the concept of secondary IPs as the router does. You only can configure one IP on the interface.
If I understand you right, you wan't to have multiple VPN configs on one ASA. That can be done with only one address. You configure multiple tunnel-groups, each with a different URL and each one can have a different config and look and feel.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide