How to configure 2 external IPs on ASA Outside Interface

jim_berlow
Level 3

I need to have two external ip addresses configured on the ASA Outside interface. Both ip addresses will be on the same subnet and one will have VPNs terminated on it. I know it would be easier to just terminate everything on a single IP, but I have VPN peers that simply refuse to change the IP address on their side of the tunnel.

Is there a "secondary" ip address command or something similar that will enable me to do this?

9 Replies

Jon Marshall
Hall of Fame

Jim

As far as I know, ASA does not support secondary addressing, but even if it did it probably still wouldn't work, as you are trying to apply 2 addresses from the same subnet.

Is there a reason you can't just stick with the IP address that is used for VPN peers?

Jon

Thanks, Jon. That is what I needed to know (back to the drawing board).

Two IP addresses on the outside would have helped me with a political issue (one group insists on 1 IP and another group already has their VPNs terminated to a different IP). As you can probably guess, no one wants to budge and they definitely don't want to share an IP.

Jim

How about charging the most unreasonable group for a new ASA :-)

Jon

What about splitting up the subnet you have? If you have another interface/VLAN you can use, give it that IP.

Jim

Perhaps it is possible to satisfy both groups. The VPN peer needs to be the interface address, and I do not know of any way around that. But I am not convinced that the second address for the second group needs to also be an interface address. You can use the second address in the subnet for address translation without it being an interface address. You just use that address in an address pool and translate traffic from the second group using that pool address.

Looks to me like both groups can feel like they won: the VPN works using the address that they do not have to change, and the traffic from the second group uses "their" address when it goes to the Internet.

HTH

Rick

Rick I was going to suggest that very same thing.

Patrick

I am glad that we both believe that this may be a solution for Jim. I look forward to a response from him telling us whether this does resolve his issue.

HTH

Rick

I'm really sorry for hijacking this thread but I, too, am interested in Jim's feedback on whether this worked or not.

I will have a very similar requirement, so I would like to understand how it works. Am I right in thinking that a destination NAT rule inside the ASA can redirect the VPN packets to any ASA interface address?

Or I could, in theory, configure the DMZ interface for VPN termination and have packets destined for the DMZ interface enter the ASA through the Outside interface?

Again, sorry for the interruption, but as this is related I thought it better to keep this topic going rather than create a new one.

Thanks

LP

Two groups.

One group's purpose is vpn termination on the ASA.

What is the other group intending to do? It is not clear.

If they want to translate everyone on the inside to look like another IP on the outside, then it is a very simple nat/global to a different IP, or a static 1-1 if it is a server that they would like to reach from the internet.

Please clarify the second group's requirement.
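As an added example (not configuration posted by anyone in this thread), this is how Rick's suggestion and the static 1-1 option from the reply above look in ASA 8.3+ object NAT syntax: one outside address stays on the interface for VPN termination, the second address in the same subnet is used only as a NAT mapped address. Interface names, object names and all addresses are constructed placeholders.

```cisco
! Added example, not from the thread. ASA 8.3+ object NAT.
! The outside interface keeps the single address the VPN peers use.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.0.0
!
! The second public address. It is never assigned to an interface.
! Because it appears as a mapped address in a NAT rule, the ASA answers
! ARP for it on the outside (proxy ARP is on by default for mapped
! addresses), so the upstream router can deliver return traffic to it.
object network GROUP2_PUBLIC
 host 203.0.113.11
!
! Second group's inside hosts (constructed range) leave the ASA
! sourced from 203.0.113.11 via dynamic PAT.
object network GROUP2_INSIDE
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic GROUP2_PUBLIC
!
! Everyone else keeps using the interface address, 203.0.113.10.
! Object NAT orders dynamic rules by specificity, so the /24 above
! is matched before this /16.
object network ALL_INSIDE
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Alternative for the second group (instead of the dynamic rule above,
! not in addition to it): a static 1-1 for a server that must be
! reachable from the internet on 203.0.113.11. Inbound access to it
! still needs an access-list permit on the outside interface.
! object network GROUP2_SERVER
!  host 10.1.2.5
!  nat (inside,outside) static 203.0.113.11
```

The VPN peers see no change, since the crypto map stays bound to the outside interface address; only the translated source of the second group's traffic is different.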
