
Multiple SSL on ASA-5506-X with 9.7

Kerry Kriegel
Level 1

Hi,

 

I have several ASAs with a /28 on a single "outside" interface.

We host individual customer servers, using private addressing, on each inside interface - ifname Company-X

 

We are trying to set up each company with their own AnyConnect client SSL that will be answered by one of the /28 IP addresses.

 

i.e.  vpn.mycompany.com  resolves to w.x.y.1

i.e.  vpn.company-A.com  resolves to w.x.y.3

i.e.  vpn.company-B.com  resolves to w.x.y.5

etc.

 

I have seen some posts (circa 2012-14) indicating that this can NOT be done because there is only one SSL per interface.  Others indicate that there are ways that "should work".

 

Has anyone actually done this?

Using what methodology?

 

Any assistance is greatly appreciated.

Accepted Solutions

You can achieve this using Group-URL: you can match the FQDN used to
connect to the VPN server (ASA) and allocate the corresponding group-policy
automatically.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html


2 Replies

Also today, VPNs are terminated on the outside IP of the ASA. But you can use different FQDNs that point to this same address and also different certificates for each FQDN.
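
The Group-URL approach from the accepted solution, sketched as ASA configuration for two of the FQDNs in the question. This is an added example, not part of the original thread or the linked Cisco document; the tunnel-group and group-policy names are hypothetical, and address pools, authentication servers and certificates are left out.

```text
! Constructed example: names COMPANY-A/B and GP-COMPANY-A/B are hypothetical.
! One group-policy per customer; group-lock ties its users to their own
! connection profile so the URL alone does not decide which policy applies.
group-policy GP-COMPANY-A internal
group-policy GP-COMPANY-A attributes
 vpn-tunnel-protocol ssl-client
 group-lock value COMPANY-A
!
group-policy GP-COMPANY-B internal
group-policy GP-COMPANY-B attributes
 vpn-tunnel-protocol ssl-client
 group-lock value COMPANY-B
!
! One connection profile (tunnel-group) per customer, selected by the URL
! the AnyConnect client was pointed at.
tunnel-group COMPANY-A type remote-access
tunnel-group COMPANY-A general-attributes
 default-group-policy GP-COMPANY-A
tunnel-group COMPANY-A webvpn-attributes
 group-url https://vpn.company-A.com enable
!
tunnel-group COMPANY-B type remote-access
tunnel-group COMPANY-B general-attributes
 default-group-policy GP-COMPANY-B
tunnel-group COMPANY-B webvpn-attributes
 group-url https://vpn.company-B.com enable
```

The group-url only selects the connection profile from the name the user typed, so customer separation still depends on each tunnel-group having its own authentication and on the per-policy restrictions (such as `group-lock` and the access rules attached to each group-policy).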
