
2 interfaces 1 vpn profile

aa
Level 1

Here is the problem:

Users have 1 VPN profile, but need to be able to establish VPN connections on two different interfaces of an ASA (depending on whether they are internal or external at the time).

The profile points to vpn.corp.com.

Does anyone have a good solution to this problem?

The obvious one is to have a DNS server return two different IPs for vpn.corp.com depending on which interface the user is on.

Thanks in advance for replies.

3 Replies

Farrukh Haroon
VIP Alumni

The DNS approach you mentioned seems to be the most reasonable one. Others could be:

1) Use two different profiles

2) Perhaps use two different hostnames (and put the second as a backup VPN gateway). Based on where the user currently is on the network, only one should be functional, but I'm not sure if this will even work... never tried it.

Regards

Farrukh

aa
Level 1

Here is the solution to the problem.

So if you want to be able to use 1 profile in the Cisco IPsec client, or to use one standard URL to establish SSL VPN connections, REGARDLESS of the ASA interface involved, here is what you do:

A service policy can be set up to rewrite DNS replies. So depending on what interface the client is using, the ASA will rewrite a DNS reply to point to the corresponding interface on the firewall.

I used the alias command to do it.

Thanks for the update. A DNS-related solution was not given because you wrote:

"The obvious one is to have a DNS server return two different IPs for vpn.corp.com depending on which interface the user is on."

Regards

Farrukh
