Setting up an alternative VPN host IP for users to access

Unanswered Question
Aug 29th, 2011
User Badges:

I currently have all my VPN clients connect to the same IP address that I use for all my outgoing traffic to the internet.  I would like my VPN clients to NOT be able to connect to the outgoing traffic IP and instead be able to connect to my new IP dedicated for VPN tunnels and VPN clients.  How can I go about doing this?


John Blakley Mon, 08/29/2011 - 11:14
User Badges:
  • Purple, 4500 points or more

Without knowing more information, I'd just give them the new address. How is your topology laid out? Do you have different blocks of addresses? Have you dedicated one address to a certain appliance that was used for the other?


Arvo Bowen Mon, 08/29/2011 - 12:04
User Badges:

First off, sorry I forgot to tell you I'm working with an ASA 5505 using the latest ASDM and ASA OS.

I'm confused as to why all that information would be needed to tell me where I might go in the ASDM to set some type of bind setting for the VPN server for my VPN clients or the CLI entry to use to bind the IP address to the VPN server...

But if it helps...

Let's make up some similar information...

My External IP Block is

The IP I use for all outgoing traffic currently is

The IP I have dedicated for VPN usage is

Currently IP 207 is not used anywhere on my device (it's not found anywhere in the config file).  That's why I'm asking...  Currently if I told the users to use 207 they would get no response from it.


raga.fusionet Mon, 08/29/2011 - 21:15
User Badges:
  • Silver, 250 points or more


You can only terminate the VPN user connections on the ASA's public Interface IP address, this would be the IP address of the Interface facing the Internet. You cannot "forward" the VPN traffic to another IP within the ASA itself.

Just out of curiosity, what is the purpose (problem?) of using the different IP addresses for both?



PS: I haven't had a chance to respond to your other post. Is it resolved?

Arvo Bowen Tue, 08/30/2011 - 08:03
User Badges:

First off, I think I got what I needed as far as the other post goes...  I'm still working on the last thing I asked on it, but I can now get traffic from 1 place to another, so thanks.

Now on to this issue...  I don't think I'm making myself clear enough hehe.  My ASA would have 2 external IPs.  I want to use 1 for all VPN traffic and 1 for all outgoing traffic...  it has nothing to do with an internal IP or forwarding anything.

raga.fusionet Tue, 08/30/2011 - 08:31
User Badges:
  • Silver, 250 points or more

Ah OK I see.

Unfortunately this will not work for VPN Client connections, only for LAN-to-LAN tunnels. Here is why:

Let's say that you have an interface Outside (IP address with Default gateway and an interface Outside_VPN (IP address with DG

Now your default route will send all the traffic to let's say That's what you have right now.

For the VPN LAN-to-LAN traffic to be routed through Outside_VPN you would need to add a route for the remote peer public IP address via  and also for the remote site LANs via Then enable ISAKMP on the interface Outside_VPN and disable it on the other one if you need to. And that should do it.

Now, the problem with the VPN clients is that they get different public IP addresses every time, depending on where they are connecting from, so you won't be able to add a route to the client's public IP address via the Outside_VPN's default gateway for the return traffic. You could point the VPN client to the Outside_VPN interface; however, the ASA will try to respond through the Outside interface (not the Outside_VPN) with asymmetric routing, because of which the ASA will end up dropping the traffic and the client won't get a response.

Unfortunately this is not as easy as it looks.

I hope that this answers your questions.

Have a good one.


Arvo Bowen Tue, 08/30/2011 - 11:51
User Badges:

Let me be a little clearer, just a little more...  hehe

OK so all I'm trying to do is make a dedicated IP to use for INCOMING VPN requests (

For example...

- A client (named VPNPC), a VPN client (outside), wants to connect to my VPN server; they will use IP

- A client (named LLPC) on my LAN (inside) goes to the traffic goes out IP

- VPNPC wants to go to the traffic goes out IP

I just want the VPN server to LISTEN on a different IP than the main IP of the outside interface.

raga.fusionet Tue, 08/30/2011 - 13:01
User Badges:
  • Silver, 250 points or more

Yeah, I got you. You can't do that because of two reasons:

1. You can't have two interfaces with different IPs on the same subnet (in this case .204 and .207 are on the same subnet if you said that you have a /27).

2. You can enable the VPN server to listen for VPN connections on your second VPN-dedicated interface; however, since the ASA default gateway points to the next hop of your primary interface (using a route outside 0 0  x.x.x.x) the packets from the VPN negotiation will be dropped. This happens because the ASA would receive a packet on interface #2 and try to respond through interface #1 (because of the default route). Therefore your client won't get a response.

I hope this clarifies your questions.
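As an added illustration that is not part of the thread, the following Python model reproduces the route lookup raga.fusionet describes in the two replies above: the ASA picks the reply interface by a longest-prefix-match on the destination, so a LAN-to-LAN peer with a static route via Outside_VPN gets a symmetric return path, while a VPN client arriving on Outside_VPN from an arbitrary public address is answered via the default route on Outside and is dropped as asymmetric. All addresses, interface names and routes are constructed placeholders (RFC 5737 documentation ranges), not the poster's real configuration.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed topology: two outside interfaces on different subnets, as in the
# scenario described in the thread. Placeholder addresses, not the real ones.
INTERFACES = {
    "Outside":     {"addr": IPv4Address("203.0.113.10"), "gw": IPv4Address("203.0.113.1")},
    "Outside_VPN": {"addr": IPv4Address("198.51.100.10"), "gw": IPv4Address("198.51.100.1")},
}

# Static routing table as (destination prefix, egress interface).
# The default route leaves via Outside (like "route outside 0 0 <gw>"); the
# LAN-to-LAN peer and the LAN behind it are pinned to Outside_VPN explicitly.
ROUTES = [
    (IPv4Network("0.0.0.0/0"),     "Outside"),      # default route
    (IPv4Network("192.0.2.50/32"), "Outside_VPN"),  # L2L peer public IP (constructed)
    (IPv4Network("10.20.0.0/16"),  "Outside_VPN"),  # remote site LAN behind that peer
]


def egress_interface(dst):
    """Longest-prefix-match lookup: the interface the ASA would reply from."""
    dst = ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0])[1]


def check_return_path(ingress_iface, src_ip):
    """Compare the interface a packet arrived on with the interface the reply
    would leave on. A mismatch is the asymmetric case that gets dropped."""
    out = egress_interface(src_ip)
    return {"ingress": ingress_iface, "egress": out, "dropped": out != ingress_iface}


def demo():
    """Three cases from the thread: pinned L2L peer, roaming VPN client on
    Outside_VPN, and the same client hitting the primary interface instead."""
    return {
        "l2l_peer_on_vpn_iface":   check_return_path("Outside_VPN", "192.0.2.50"),
        "vpn_client_on_vpn_iface": check_return_path("Outside_VPN", "192.0.2.77"),
        "vpn_client_on_outside":   check_return_path("Outside", "192.0.2.77"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: in={result['ingress']} out={result['egress']} dropped={result['dropped']}")
```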

Arvo Bowen Tue, 08/30/2011 - 13:09
User Badges:

I don't get it...  My DMZ'ed FTP server is on its own subnet, and I'm doing that right now...  When a user connects to a different IP ( port 21) I have forwarded to my FTP server (.  That's how the public gains access to the FTP server.  Yet my FTP server's default outgoing traffic is my primary IP address (.  That works fine...

raga.fusionet Tue, 08/30/2011 - 13:23
User Badges:
  • Silver, 250 points or more

Well, you just said it yourself: "When a user connects to a different IP ( port 21) I have forwarded to my FTP server (". Remember that, as I explained earlier, you cannot forward the VPN traffic to another IP within the ASA itself.

What you have on the DMZ for your FTP server is a different scenario, because you are forwarding traffic to another device on the DMZ subnet (. The actual IP of the FTP server is something on the subnet that you are forwarding or NATing, depending on the case, to an IP on the public range.

In the setup that you are trying to accomplish with the VPN you don't have a host to forward the traffic to, because you are terminating the tunnel on the ASA.



