One ASA with two Outside Interfaces for SSL VPN

cisco_jr
Level 1

I have a requirement for implementing SSL VPN for two different profiles using two different outside interfaces on the same ASA.

Example:

AnyConnect Profile 1 = Windows

AnyConnect Profile 2 = Mac

I have two outside interfaces with internet access:

Outside  == 1.1.1.1 = attach Profile 1

Outside2 == 2.2.2.2 = attach Profile 2

For example, when a user initiates a connection to

winvpn.example.com = the user will connect to the Windows profile, which will be attached to the outside interface

macvpn.example.com = the user will connect to the Mac profile, which will be attached to the outside2 interface

I know there is an easy way to do this with "A" DNS records, but that option is not available with the frontend DNS load balancer we are using, which requires CNAME forwarding.

I will greatly appreciate any insights/inputs.

We are using Azure Traffic Manager.

16 Replies

@cisco_jr you can enable VPN on multiple interfaces, BUT routing will be a problem: the ASA is not intelligent enough to know which interface the connection arrived on and return via the same interface. So the connection may come in on "outside2" but would be routed via the default route, which could be "outside". The best you can do is have all connections on the "outside" interface; if that fails, use SLA to fail over the ASA default route via "outside2". The client computers would need to be configured with a profile pointing to the FQDN of the "outside" interface; if that fails, there would be a backup connection profile pointing to the FQDN of "outside2".
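The default-route failover described in the reply above, written out as an added example; this is not configuration posted in the thread. The interface names and the 1.1.1.1 / 2.2.2.2 addressing come from the original post; the next-hop addresses 1.1.1.254 and 2.2.2.254 and the SLA and track IDs are assumed values.

```text
! Added example, not from the thread. Next hops 1.1.1.254 / 2.2.2.254
! and the sla/track IDs are assumptions.
!
! ICMP probe of the "outside" next hop: three echoes per operation,
! 1000 ms timeout, repeated every 5 seconds.
sla monitor 10
 type echo protocol ipIcmpEcho 1.1.1.254 interface outside
 num-packets 3
 timeout 1000
 frequency 5
sla monitor schedule 10 life forever start-time now
!
! Track object goes down when the SLA operation reports the
! next hop as unreachable.
track 1 rtr 10 reachability
!
! Primary default route (AD 1) is withdrawn while track 1 is down;
! the floating default route (AD 254) via "outside2" then takes over.
! Only one default route is ever active, which is what keeps return
! traffic on the same interface the VPN session arrived on.
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1 track 1
route outside2 0.0.0.0 0.0.0.0 2.2.2.254 254
!
! Terminate AnyConnect on both interfaces so the client's backup
! server entry (the FQDN of outside2) can connect after the flip.
webvpn
 enable outside
 enable outside2
 anyconnect enable
```

Check the state with `show track 1`, `show sla monitor operational-state 10` and `show route`: while the probe succeeds only the "outside" default route appears in the routing table, and after a failed probe only the "outside2" one does. The client side of this design is the AnyConnect profile's backup server list, holding the "outside2" FQDN behind the primary "outside" FQDN; while "outside" is healthy a session that somehow lands on "outside2" still returns via "outside", which is the asymmetric-routing failure the reply warns about.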

balaji.bandi
Hall of Fame

You can do this with your Azure: it depends on how the outside is presented and whether the LB translates automatically to the inside IP?

What is the challenge you see here?

https://learn.microsoft.com/en-us/azure/app-service/configure-domain-traffic-manager

BB

This is my challenge:

With "A" type DNS records, I can connect to both AnyConnect profiles listed below on the same outside interface. An "A" type DNS record keeps the forward slash / path (or profile/tunnel name) for the SSL VPN request. This allows users to connect to their required/different profiles.

vpn.example.com/win

vpn.example.com/mac 

However, we are planning to leverage Azure Traffic Manager (ATM), which is a DNS-based routing service ('Performance' traffic-routing method), to leverage the ATM features, including health checks, HA, and performance-based redirection (with a pool of ASAvs). For this, ATM requires a CNAME DNS record pointing to the ATM DNS name.

Example: the CNAME DNS record looks like this:

CNAME = vpn.example.com ---> points to ---> atm.microsoft.com

So, if you initiate a VPN connection to vpn.example.com, ATM works just fine; it connects you to the correct ASA in the pool and the default Windows AnyConnect profile. However, if you try to connect to:

vpn.example.com/mac  

I get a "connection attempt has failed" error. And I am thinking maybe this is because the CNAME DNS record doesn't understand the forward slash / path (or profile/tunnel name), which I think is not an issue with type "A" DNS records.

Thoughts?

Since you can use a URL, you can use group-url for the same outside interface,
as shown below:
https://integratingit.wordpress.com/2022/03/23/asa-group-url-and-alias/

Yes, that will work with type "A" DNS records but not with CNAME records. That is my challenge.

There are two methods:
group-url <<- which you mention you cannot use because of the DNS CNAME record
group-alias <<- this you can use
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
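The two tunnel-group selection methods from the replies above, both terminating on the single "outside" interface, as an added example; this is not configuration posted in the thread. The vpn.example.com name and the /win and /mac paths come from the original poster; the tunnel-group, group-policy, profile and package names are assumptions.

```text
! Added example; TG-WINDOWS/TG-MAC, GP-WINDOWS/GP-MAC, the profile
! names and the file names on disk0: are assumed, not from the thread.
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect image disk0:/anyconnect-macos.pkg 2
 anyconnect profiles WINDOWS-PROFILE disk0:/windows.xml
 anyconnect profiles MAC-PROFILE disk0:/mac.xml
 anyconnect enable
 ! Required for group-alias only: exposes the group drop-down
 ! (and the /+CSCOE+/ login page list) to the client.
 tunnel-group-list enable
!
! One group policy per platform; each pushes its own client profile.
group-policy GP-WINDOWS internal
group-policy GP-WINDOWS attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value WINDOWS-PROFILE type user
group-policy GP-MAC internal
group-policy GP-MAC attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect profiles value MAC-PROFILE type user
!
tunnel-group TG-WINDOWS type remote-access
tunnel-group TG-WINDOWS general-attributes
 default-group-policy GP-WINDOWS
tunnel-group TG-WINDOWS webvpn-attributes
 ! Method 1: selected by the exact URL the client requests.
 group-url https://vpn.example.com/win enable
 ! Method 2: selected by name from the client's group drop-down.
 group-alias windows enable
!
tunnel-group TG-MAC type remote-access
tunnel-group TG-MAC general-attributes
 default-group-policy GP-MAC
tunnel-group TG-MAC webvpn-attributes
 group-url https://vpn.example.com/mac enable
 group-alias mac enable
```

With group-url the ASA matches the host name and path the client actually sent in its HTTPS request, so the string has to be the client-facing name (here vpn.example.com), not the ASA's own host name, and every ASA in a load-balanced pool needs the identical group-url lines. With group-alias the user connects to https://vpn.example.com and picks "windows" or "mac" in the client, so nothing in the DNS path is involved in the selection. Confirm which tunnel group a session landed in with `show vpn-sessiondb anyconnect`, which lists the tunnel group and group policy per session.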

@cisco_jr regardless of whether you use group-url or group-alias, routing will be a problem. You can only have a default route via one interface. So if the default route is via "outside" and a VPN connection comes in via "outside2", the return traffic will go via the "outside" interface.

ECMP (traffic zones) with VPN is not supported.

Same outside interface <<- I mentioned this in my previous post; he can use group-url or group-alias for the same outside interface,
which gives him two groups:

one group for Windows
the other group for Mac

@MHM Cisco World sure, I am aware of that. The original request was to use two outside interfaces; I am providing information on why that will not work.

"So if the default route is via "outside" and a VPN connection comes in via "outside2" the return traffic will go via the "outside"

Therefore the VPN connection attempt via outside2 will fail or throw an error?

@Rob Ingram if I can answer him:
if the entry point is different from the exit point, then there is a chance that the ASA drops the traffic.
Even if AnyConnect is VPN, the ASA still saves the conn/xlate and inspection of the traffic in its DB.

Will the group-alias work with SAML/SSO authentication?

@cisco_jr it will fail.

Yes, it will work with SAML/SSO; it will be configured under the tunnel-group.

Yes, as @Rob Ingram mentioned, it works with SAML/SSO.