MULTIPLE PUBLIC IP ADDRESSES ON OUTSIDE INTERFACE

veltech
Level 1
Hi All,

We are configuring an ASA 5510 for remote VPN users using AnyConnect.

Our question is:

We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. One of the 6 usable hosts in the subnet is the gateway address of the ISP router.

Any suggestions on how to best achieve this requirement.

Regards,

5 Replies

Joe Doran
Level 1
You will not be able to assign 5 public IP addresses specifically to the outside interface of the ASA. Also, I do not understand your statement regarding DDNS logins. What is the business requirement you are trying to satisfy?

Hi All,

Just to clarify what we are looking to achieve.

We have users who access the ASA via VPN using AnyConnect. We have created 5 user groups; we will just call them A, B, C, D, E. When Group A connects they use, for example, vpnA.xyz.net and IP address 1.1.1.1. When Group B connects they use, for example, vpnb.xyz.net and IP address 2.2.2.2, and so on.

As for DDNS, we are aware that the ASA does not do DDNS updates, so we either use an internal server or manual entries. The purpose of this is purely to give the users an easy-to-remember login.

We can use the global command to map the external IP addresses to the internal subnets, but we are trying to find out if there is another way.

Thanks.

What are the different groups used for? Are those different companies or just different departments of one company?

There are so many ways to achieve different VPN settings for the users, and all of them only work with the one public IP address your ASA has on the outside interface.

One "typical" way to configure different VPN settings for different users is the following:

  1. You configure one tunnel-group with the needed authentication settings. The assigned group-policy only has the needed tunnel protocol configured, like ssl-client.
  2. For each department you configure one group-policy with all needed parameters like split tunnel, VPN filter, banner, DNS/WINS servers, domain and so on.
  3. Your users get one of these group-policies assigned. That can be done with local authentication in the user account, or, more scalably, through a central RADIUS server, which can be the Windows NPS to authenticate the domain users.

Karsten has it right. The way to do what you want is with connection profiles (tunnel-group in the legacy CLI command) associated with group policies that customize the user access as desired.

First, the ASA doesn't support the HTTP method of DDNS. So your ASA should have a fixed public IP. Of course you could run a DDNS client in the internal network, but I wouldn't recommend that.

Then, as already mentioned, the ASA doesn't support the concept of secondary IPs as the router does. You can only configure one IP on the interface.

If I understand you right, you want to have multiple VPN configs on one ASA. That can be done with only one address. You configure multiple tunnel-groups, each with a different URL, and each one can have a different config and look and feel.
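The design described in the two replies above (one group-policy per department, one tunnel-group per department selected by its own URL, and assignment of the policy either from the local user account or from RADIUS), put together as an added configuration example. This is not configuration posted in the thread or by Cisco; the outside address 203.0.113.2, the hostnames vpna.xyz.net and vpnb.xyz.net, the pool ranges, the ACL names, the RADIUS server 10.0.0.10, the image file name and the local user are all assumptions for illustration.

```text
! ---- Added example, not configuration from the thread ----
! ASA 8.x/9.x, AnyConnect SSL VPN. Departments A and B reach different
! connection profiles through different DNS names that all resolve to the
! ONE public IP on the outside interface. Addresses, hostnames, pools, ACL
! names, the RADIUS server and the image file are placeholders.

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248

! On the public nameserver (not on the ASA), every department name points
! at the same address:
!   vpna.xyz.net.  A  203.0.113.2
!   vpnb.xyz.net.  A  203.0.113.2

ip local pool POOL-A 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-B 10.10.2.1-10.10.2.254 mask 255.255.255.0

! Split-tunnel list and vpn-filter per department. The vpn-filter ACL is
! written with the client's assigned pool address as the source.
access-list SPLIT-A standard permit 10.20.0.0 255.255.0.0
access-list FILTER-A extended permit tcp 10.10.1.0 255.255.255.0 10.20.0.0 255.255.0.0 eq 443
access-list SPLIT-B standard permit 10.30.0.0 255.255.0.0
access-list FILTER-B extended permit tcp 10.10.2.0 255.255.255.0 10.30.0.0 255.255.0.0 eq 443

! Central authentication through Windows NPS (RADIUS). NPS can return the
! Class attribute "OU=GP-A;" to assign the group-policy centrally instead
! of the local username attributes shown at the end.
aaa-server RADIUS-NPS protocol radius
aaa-server RADIUS-NPS (inside) host 10.0.0.10
 key ChangeMe-RadiusSecret

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-webdeploy-k9.pkg 1
 anyconnect enable

! One group-policy per department holding everything that differs.
! group-lock ties the policy to its own tunnel-group, so a user who
! holds GP-A cannot log in through the department B URL.
group-policy GP-A internal
group-policy GP-A attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53
 default-domain value a.xyz.net
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-A
 vpn-filter value FILTER-A
 group-lock value TG-A
 banner value Department A VPN - authorised users only

group-policy GP-B internal
group-policy GP-B attributes
 vpn-tunnel-protocol ssl-client
 dns-server value 10.0.0.53
 default-domain value b.xyz.net
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-B
 vpn-filter value FILTER-B
 group-lock value TG-B
 banner value Department B VPN - authorised users only

! One tunnel-group (connection profile) per department, selected by the
! URL the user types; no tunnel-group-list dropdown is needed.
tunnel-group TG-A type remote-access
tunnel-group TG-A general-attributes
 address-pool POOL-A
 default-group-policy GP-A
 authentication-server-group RADIUS-NPS LOCAL
tunnel-group TG-A webvpn-attributes
 group-url https://vpna.xyz.net enable

tunnel-group TG-B type remote-access
tunnel-group TG-B general-attributes
 address-pool POOL-B
 default-group-policy GP-B
 authentication-server-group RADIUS-NPS LOCAL
tunnel-group TG-B webvpn-attributes
 group-url https://vpnb.xyz.net enable

! Local-account alternative: pin one user to a group-policy on the ASA.
username alice password S3cret!A privilege 0
username alice attributes
 vpn-group-policy GP-A
 service-type remote-access
```

The group-url only chooses which connection profile handles the session; it authenticates nothing, so each profile still needs its own AAA decision (separate RADIUS policies or the Class attribute) and the group-lock in each group-policy to stop a user from reaching another department's pool and vpn-filter simply by typing the other URL. Check the result with `show vpn-sessiondb anyconnect`, which lists the tunnel-group and group-policy actually applied to each session.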