ASA Multiple Interface IPs For VPN Peer Address Migration

David Dobbs
Level 1

I currently have an ASA5520 as my firewall and a 3005 VPN Concentrator in front of the firewall terminating VPN tunnels with a public peer address of say 1.2.3.4. The ASA 5520 also has a public IP address (say 1.2.3.6) in the same subnet as the public IP of the 3005 but on a separate physical interface on the ASA for direct access to the firewall for other Internet traffic.

We are wanting to consolidate the separate VPN and firewall functions into the ASA (getting rid of the 3005 and moving the VPN function to the ASA). The problem is we have a lot of customers using the 1.2.3.4 address (3005 public IP) to terminate their VPN tunnels. To have our customers all reconfigure their VPN tunnels would be a very large task.

So the question is can I have one physical ASA interface sharing multiple IP addresses--have 1.2.3.4 and 1.2.3.6 on the same physical interface (like a secondary IP but the peer VPN device would have to see the IP as 1.2.3.4)?

Thanks for the help.

2 Replies

JBDanford2002
Level 1

Are the IP addresses hard coded or are you using DNS? You could start by migrating your users with a pcf file. (http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_administration_guide_chapter09186a00800bd98d.html)

Are your users on Active Directory?

Depending on how you do it you could script for the file to be downloaded through AD by OU or whatever method you use. This would migrate your users as you choose. Secondary IP won't be possible.

Thanks for the reply. I guess I wasn't specific enough on the VPN type. The VPN is a lan-to-lan VPN with our business partners using PSK. The peer address of the VPN on our end is hard coded as an IP address.
