06-06-2008 12:31 PM - edited 02-21-2020 03:45 PM
Here is the problem:
Users have 1 VPN profile, but need to be able to establish VPN connections on two different interfaces of an ASA (depending on whether they are internal or external at the time).
The profile points to vpn.corp.com.
Does anyone have a good solution to this problem?
The obvious one is to have a DNS server return two different IP's for vpn.corp.com depending on which interface the user is on.
Thanks in advance for replies.
06-06-2008 06:02 PM
The DNS approach you mentioned seems to be the most reasonable one. Others could be:
1) Use two different profiles
2) Perhaps use two different hostnames (and put the second as a Backup VPN gateway). Based on where the user currently is on the network, only one should be functional, but I'm not sure if this will even work... never tried it.
Regards
Farrukh
06-19-2008 01:37 PM
Here is the solution to the problem.
So if you want to be able to use 1 profile in the Cisco IPsec client, or to use one standard URL to establish SSL VPN connections, REGARDLESS of the ASA interface involved, here is what you do:
A service policy can be set up to rewrite DNS replies. So depending on what interface the client is using, the ASA will rewrite a DNS reply to point to the corresponding interface on the firewall.
I used the alias command to do it.
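An added illustration (not part of the original posts, and not ASA configuration) of what the per-interface DNS reply rewriting described above does to the A record for vpn.corp.com. The addresses, the mapping table and all function names are constructed for this example.

```python
import socket
import struct

# Constructed addresses for the two ASA interfaces (not values from the thread).
OUTSIDE_IP = "203.0.113.10"   # address the DNS server returns for vpn.corp.com
INSIDE_IP = "10.1.1.1"        # address internal clients should connect to
# Hypothetical rewrite table, keyed by the interface the reply is delivered on.
REWRITE_BY_INTERFACE = {"inside": {OUTSIDE_IP: INSIDE_IP}, "outside": {}}

def build_reply(name, ip, txid=0x1234):
    """Constructed DNS reply: one question, one A answer (compressed name)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answer

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def a_records(msg):
    """Yield (rdata_offset, ip) for every IPv4 A record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # skip QTYPE + QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen

def rewrite_reply(msg, interface):
    """Rewrite matching A-record addresses for a reply leaving via `interface`."""
    mapping = REWRITE_BY_INTERFACE.get(interface, {})
    out = bytearray(msg)
    for off, ip in a_records(msg):
        if ip in mapping:
            out[off:off + 4] = socket.inet_aton(mapping[ip])
    return bytes(out)
```

Only the four RDATA bytes change, so the message length and the rest of the reply are untouched; a client behind the inside interface resolves the same hostname to the inside address while external clients see the original answer.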
06-20-2008 03:51 AM
Thanks for the update. A DNS-related solution was not given because you wrote:
"The obvious one is to have a DNS server return two different IP's for vpn.corp.com depending on which interface the user is on."
Regards
Farrukh