
Configuring multiple WebVPN portals

bhpci
Level 1

Here is the situation...I have an ASA 5520 in single context mode and I need to configure multiple inbound WebVPN portals for different clients. What is the best way to accomplish this? On my outside interface I have a public IP. If I try to add a subinterface with an IP in the same subnet it tells me it can't overlap the subnet on the outside. I have other public IPs issued from my ISP that I could create a subinterface with, but I'm not sure if that is the way to go. From my reading I have learned there are probably multiple ways to accomplish this.

1. By taking the IP address off the physical outside INT and creating multiple subinterfaces (will this allow me to use multiple public IPs on the same subnet - in an effort to conserve public IPs?)

2. Create a subinterface with a separate public IP address (Is this viable? I'm not sure how you would configure the ASA so it would know where to send outbound traffic because of the default route stating to use the original outside interface)

3. By going to multiple context mode (I'm licensed for 2)

Is there another way to accomplish this? Thanks for your help.

3 Replies

Jason Gervia
Cisco Employee

Hello,

Multi context mode doesn't support VPN, so that's out. What you are trying to accomplish can be done via group-url:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml

Is that the only way to accomplish this? For security reasons we do not want clients to be able to see each other, even if only in a drop down menu. Also, we already have multiple group policies and connection profiles set up that are assigned by their user name and location in Active Directory.

Just use the following link to make the portals:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a008094abcb.shtml

Then map them to each user group. By default web-vpn users (not SSL client) cannot see each other. They never really become part of your network like regular VPN (IPSEC or SSL thick client).

Regards

Farrukh
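The group-url approach suggested in this thread, sketched as an added ASA configuration example that is not from any of the posters or from the linked Cisco documents. The hostname `vpn.example.com`, the connection profile names `CLIENT-A` and `CLIENT-B`, and the group policy names are placeholders, and the group policies are assumed to exist already:

```cisco
! Constructed example: one public IP, one connection profile per client,
! each reached through its own URL instead of a login-page drop-down.
webvpn
 enable outside
 ! Hide the connection-profile drop-down so no client sees another
 ! client's profile name on the login page.
 no tunnel-group-list enable
!
tunnel-group CLIENT-A type remote-access
tunnel-group CLIENT-A general-attributes
 default-group-policy CLIENT-A-GP
tunnel-group CLIENT-A webvpn-attributes
 ! Users of client A browse to this URL and land directly in CLIENT-A.
 group-url https://vpn.example.com/clienta enable
!
tunnel-group CLIENT-B type remote-access
tunnel-group CLIENT-B general-attributes
 default-group-policy CLIENT-B-GP
tunnel-group CLIENT-B webvpn-attributes
 group-url https://vpn.example.com/clientb enable
```

With the drop-down disabled, a user who browses to the bare hostname lands in the default connection profile, so that profile should grant nothing a client-specific profile would.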
