Remote access VPN options for two different domains to same box

TerenceLockette
Level 1

Hello all,

We have a pair of 2140 FTDs running 7.4.2.4 that are strictly used as VPN headends. Currently, the main business terminates to the appliance on its public domain with no problems. However, the challenge I'm facing is that we have a separate entity that currently terminates to a pair of ASAs which are going EoL/EoS, and we want to consolidate them onto our 2140 FTDs. The issue is that they have their own separate public domain. Unfortunately, we can't use multiple certificates on the same VPN access interface, nor can we add a 2nd outside interface in a non-global VRF, as FMC throws an error saying it has to be an interface in the global VRF. We think we may be in a situation where we have to force the entity to use our public domain, but there may be contractual requirements to use separate domains. One of the things I attempted was to add a CNAME in DNS that points to the main business's public DNS record, but Secure Client gives a cert error/warning since the domains are different. What options do I have at this point to consolidate these remote access VPNs onto the same box that I could be overlooking?

Thanks,

3 Replies

TerenceLockette
Level 1

To maybe answer my own question: would it work if I added a 2nd outside interface & zone and then added that as a second access interface, using different certs via the interface-specific identity cert option rather than the SSL global identity cert? So I would configure something like the following:

VPN-Outside = 1.1.1.1/24 --> Main Org Identity Cert

VPN-Outside2 = 2.2.2.2/24 --> Entity Identity Cert

Any thoughts on this?

I can't see why not; as you said, you can associate a different trustpoint with the secondary outside interface and use it for the ASAs' domain.

TerenceLockette
Level 1

The above solution worked as I thought. I was able to specify multiple access interfaces and assign an identity cert to each of those specific interfaces. I tested it out in a lab and confirmed it to work while keeping both sides of the business using the respective public-facing domains.
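As an added illustration (not code from the thread or from Cisco), the following Python script models the two configurations discussed above: the CNAME approach, where the entity's hostname resolves to the main org's access interface and its certificate, and the working layout, where each access interface carries its own identity cert. It checks, for the name a Secure Client user would actually type, whether the certificate presented on the interface that name resolves to has a SAN covering it. Hostnames, addresses, trustpoint names and SAN lists are all constructed placeholders, and the matching logic is a simplified version of the hostname rules clients apply (exact match, or a wildcard in the leftmost label only).

```python
# Model of FTD remote-access interfaces, each with its own identity cert.
# All names, addresses and SANs below are constructed examples.
ACCESS_INTERFACES = {
    "VPN-Outside": {
        "address": "1.1.1.1",
        "trustpoint": "MainOrg-Identity-Cert",      # hypothetical trustpoint name
        "san_dns": ["vpn.mainorg.example", "*.mainorg.example"],
    },
    "VPN-Outside2": {
        "address": "2.2.2.2",
        "trustpoint": "Entity-Identity-Cert",       # hypothetical trustpoint name
        "san_dns": ["vpn.entity.example"],
    },
}

# Working layout: each public name points at the interface holding its cert.
DNS_TWO_INTERFACES = {
    "vpn.mainorg.example": "1.1.1.1",
    "vpn.entity.example": "2.2.2.2",
}

# CNAME layout from the original post: the entity's name ends up resolving to
# the main org's address, so the main org's cert is presented for it.
DNS_CNAME = {
    "vpn.mainorg.example": "1.1.1.1",
    "vpn.entity.example": "1.1.1.1",
}


def hostname_matches_san(hostname, san_dns):
    """Return True if hostname is covered by one of the certificate's DNS SANs.

    Exact match, or a wildcard that replaces exactly one leftmost label.
    A wildcard never matches the bare parent domain or multiple labels.
    """
    host = hostname.lower().rstrip(".")
    for name in san_dns:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                 # e.g. ".mainorg.example"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def interface_for_address(address, interfaces):
    """Find which access interface answers on the given address, if any."""
    for name, cfg in interfaces.items():
        if cfg["address"] == address:
            return name
    return None


def check_client_name(hostname, dns, interfaces):
    """Simulate what a client sees: resolve the name, find the interface,
    and verify that interface's cert SAN covers the name typed.
    Returns (ok, human-readable detail)."""
    address = dns.get(hostname)
    if address is None:
        return False, f"{hostname}: no DNS record"
    iface = interface_for_address(address, interfaces)
    if iface is None:
        return False, f"{hostname} -> {address}: no access interface on that address"
    cfg = interfaces[iface]
    if hostname_matches_san(hostname, cfg["san_dns"]):
        return True, f"{hostname} -> {address} ({iface}, {cfg['trustpoint']}): SAN match"
    return False, (f"{hostname} -> {address} ({iface}, {cfg['trustpoint']}): "
                   f"SAN {cfg['san_dns']} does not cover {hostname}")


def check_all(dns, interfaces):
    """Check every client-facing name; returns {hostname: ok}."""
    return {host: check_client_name(host, dns, interfaces)[0] for host in dns}


if __name__ == "__main__":
    for label, dns in (("CNAME layout", DNS_CNAME), ("two interfaces", DNS_TWO_INTERFACES)):
        print(f"== {label} ==")
        for host in dns:
            ok, detail = check_client_name(host, dns, ACCESS_INTERFACES)
            print(("OK   " if ok else "FAIL ") + detail)
```

Run on the constructed data, the CNAME layout fails for `vpn.entity.example` (the cert on VPN-Outside has no SAN for that name, which is the warning Secure Client raised), while the two-interface layout passes for both names. To check a live deployment the same way, feed the `subjectAltName` entries from a verified TLS handshake against each access interface's address into `hostname_matches_san` instead of the constructed SAN lists.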