05-12-2009 02:21 PM - edited 03-11-2019 08:31 AM
I need to have two external ip addresses configured on the ASA Outside interface. Both ip addresses will be on the same subnet and one will have VPNs terminated on it. I know it would be easier to just terminate everything on a single IP, but I have VPN peers that simply refuse to change the IP address on their side of the tunnel.
Is there a "secondary" ip address command or something similar that will enable me to do this?
05-12-2009 02:27 PM
Jim
As far as I know, the ASA does not support secondary addressing, but even if it did it probably still wouldn't work as you are trying to apply 2 addresses from the same subnet.
Is there a reason you can't just stick with the IP address that is used for VPN peers?
Jon
05-12-2009 02:44 PM
Thanks, Jon. That is what I needed to know (back to the drawing board).
Two IP addresses on the outside would have helped me with a political issue (one group insists on 1 IP and another group already has their VPNs terminated to a different IP). As you can probably guess, no one wants to budge and they definitely don't want to share an IP.
05-12-2009 02:46 PM
Jim
How about charging the most unreasonable group for a new ASA :-)
Jon
05-15-2009 08:09 AM
What about splitting up the subnet you have? If you have another interface/VLAN you can use, give it that IP.
05-15-2009 12:35 PM
Jim
Perhaps it is possible to satisfy both groups. The VPN peer needs to be the interface address and I do not know much way around that. But I am not convinced that the second address for the second group needs to also be an interface address. You can use the second address in the subnet for address translation without it being an interface address. You just use that address in an address pool and translate traffic from the second group using that pool address.
Looks to me like both groups can feel like they won: the VPN works using the address that they do not have to change, and the traffic from the second group uses "their" address when it goes to the Internet.
HTH
Rick
05-15-2009 05:28 PM
Rick I was going to suggest that very same thing.
05-16-2009 01:32 PM
Patrick
I am glad that we both believe that this may be a solution for Jim. I look forward to a response from him telling us whether this does resolve his issue.
HTH
Rick
06-03-2009 03:58 PM
I'm really sorry for hijacking this thread but I, too, am interested in Jim's feedback on whether this worked or not.
I will have very similar requirement so would like to understand how it works. Am I right in thinking that a destination NAT rule inside the ASA can redirect the VPN packets to any ASA interface address?
Or I could, in theory, configure the DMZ interface for VPN termination and have packets destined for the DMZ interface enter the ASA through the Outside interface?
Again, sorry for the interruption, but as this is related I thought it better to keep this topic going rather than create a new one
Thanks
LP
06-04-2009 11:42 AM
Two groups.
One group's purpose is vpn termination on the ASA.
What is other group intending to do? It is not clear.
If they want to translate everyone on the inside to look like another IP on the outside, then it is very simple: nat/global to a different IP, or a static 1-1 if it is a server that they would like to reach from the internet.
Pls. clarify on the second group's requirement.
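As an added illustration of what Rick and the previous post describe (this is example configuration written for this thread, not anything posted by Jim, Rick or Cisco): the VPN stays on the outside interface address, while the second group's traffic is translated to a different address in the same subnet that is not configured on any interface. The ASA 8.2-era nat/global syntax is used because that is what the thread discusses; the addresses (203.0.113.0/24 outside, 192.168.1.0/24 and 192.168.2.0/24 inside, 10.10.0.0/16 as the VPN peer's network) and interface names are constructed assumptions.

```cisco
! Outside interface: the only address configured on it is 203.0.113.10.
! The VPN peers keep terminating here; nothing on their side changes.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Traffic that belongs inside the VPN tunnel must not be translated at all,
! otherwise it would leave with a public source address and never match the
! crypto map. 10.10.0.0/16 is the assumed remote peer network.
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
!
! Second group (192.168.2.0/24): PAT to 203.0.113.11. This address is not an
! interface address; the ASA answers ARP for it on the outside segment because
! it appears in a global pool, so the upstream router can still reach it.
global (outside) 2 203.0.113.11
nat (inside) 2 192.168.2.0 255.255.255.0
!
! Everyone else: PAT to the outside interface address (the same one the VPN uses).
! ASA 8.2 picks the more specific nat statement for 192.168.2.0/24 over this
! catch-all (best-match ordering for regular dynamic NAT; verify on your version).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! If the second group's requirement is instead a server reachable from the
! Internet, use a one-to-one static on yet another unused address in the subnet:
static (inside,outside) 203.0.113.12 192.168.2.50 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.12 eq 443
access-group OUTSIDE-IN in interface outside
```

The check worth doing after applying this is `show xlate` from a host in 192.168.2.0/24 (expect 203.0.113.11 as the mapped address) and `show crypto isakmp sa` to confirm the tunnel still negotiates from 203.0.113.10; if the NO-NAT exemption is missing, VPN-bound packets show up in `show xlate` translated to the pool address and the tunnel carries nothing.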