Setting up an alternative VPN host IP for users to access

Unanswered Question
Aug 29th, 2011

I currently have all my VPN clients connect to the same IP address that I use for all my outgoing traffic to the internet.  I would like my VPN clients to NOT be able to connect to the outgoing traffic IP and instead be able to connect to my new IP dedicated for VPN tunnels and VPN clients.  How can I go about doing this?

Thanks!

John Blakley Mon, 08/29/2011 - 11:14

Without knowing more information, I'd just give them the new address. How is your topology laid out? Do you have different blocks of addresses? Have you dedicated one address to a certain appliance that was used for the other?

John

arvo.bowen Mon, 08/29/2011 - 12:04

First off, sorry I forgot to tell you I'm working with an ASA 5505 using the latest ASDM and ASA OS.

I'm confused as to why all that information would be needed to tell me where I might go in the ASDM to set some type of bind setting for the VPN server for my VPN clients or the CLI entry to use to bind the IP address to the VPN server...

But if it helps...

Let's make up some similar information...

My External IP Block is 24.15.1.192/27

The IP I use for all outgoing traffic currently is 24.15.1.204

The IP I have dedicated for VPN usage is 24.15.1.207

Currently IP 207 is not used anywhere on my device (it's not found anywhere in the config file).  That's why I'm asking...  Currently if I told the users to use 207 they would get no response from it.

Thanks

raga.fusionet Mon, 08/29/2011 - 21:15

Arvo,

You can only terminate VPN user connections on the ASA's public interface IP address; this would be the IP address of the interface facing the Internet. You cannot "forward" the VPN traffic to another IP within the ASA itself.

Just out of curiosity, what is the purpose (problem?) of using the different IP addresses for both?

Thanks.

Raga

PS: I haven't had a chance to respond to your other post. Is it resolved?

arvo.bowen Tue, 08/30/2011 - 08:03

First off, I think I got what I needed as far as the other post goes...  I'm still working on the last thing I asked on it, but I can now get traffic from 1 place to another, so thanks.

Now on to this issue...  I don't think I'm making myself clear enough hehe.  My ASA would have 2 external IPs.  I want to use 1 for all VPN traffic and 1 for all outgoing traffic...  it has nothing to do with an internal IP or forwarding anything.

raga.fusionet Tue, 08/30/2011 - 08:31

Ah OK I see.

Unfortunately this will not work for VPN Client connections, only for LAN-to-LAN tunnels. Here is why:

Let's say that you have an interface Outside (IP address 1.1.1.1 with default gateway 1.1.1.2) and an interface Outside_VPN (IP address 2.2.2.2 with DG 2.2.2.3).

Now your default route will send all the traffic to, let's say, 1.1.1.2. That's what you have right now.

For the VPN LAN-to-LAN traffic to be routed through Outside_VPN you would need to add a route for the remote peer public IP address via 2.2.2.3 and also for the remote site LANs via 2.2.2.3. Then enable isakmp on the interface Outside_VPN and disable it on the other one if you need to. And that should do it.

Now, the problem with the VPN clients is that they get different public IP addresses every time, depending on where they are connecting from, so you won't be able to add a route to the client's public IP address via the Outside_VPN's default gateway for the return traffic. You could point the VPN client to the Outside_VPN interface; however, the ASA will try to respond through the Outside interface (not the Outside_VPN) with asymmetric routing, because of which the ASA will end up dropping the traffic and the client won't get a response.

Unfortunately this is not as easy as it looks.

I hope that this answers your questions.

Have a good one.

Raga

arvo.bowen Tue, 08/30/2011 - 11:51

Let me be a little clearer just a little more...  hehe

OK so all I'm trying to do is make a dedicated IP to use for INCOMING VPN requests (24.15.1.207).

For example...

- A VPN client (named VPNPC, outside) that wants to connect to my VPN server will use IP 24.15.1.207.

- A client (named LLPC) on my LAN (inside) goes to google.com; the traffic goes out via IP 24.15.1.204.

- VPNPC wants to go to google.com; the traffic goes out via IP 24.15.1.204.

I just want the VPN server to LISTEN on a different IP than the main IP of the outside interface.

raga.fusionet Tue, 08/30/2011 - 13:01

Yeah, I got you. You can't do that because of two reasons:

1. You can't have two interfaces with different IPs on the same subnet (in this case .204 and .207 are on the same subnet if you said that you have a /27).

2. You can enable the VPN server to listen for VPN connections on your second VPN dedicated interface; however, since the ASA default gateway points to the next hop of your primary interface (using a route outside 0 0 x.x.x.x) the packets from the VPN negotiation will be dropped. This happens because the ASA would receive a packet on interface #2 and try to respond through interface #1 (because of the default route). Therefore your client won't get a response.

I hope this clarifies your questions.
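To make the return-path argument in Raga's two replies above concrete, here is an added example (not from the thread or from Cisco) that models an ASA-style longest-prefix-match route lookup with the addresses Raga used. The L2L peer address 203.0.113.10, the remote LAN 192.168.50.0/24 and the roaming client address 198.51.100.77 are constructed; the routing table mirrors a default route out Outside plus the static routes Raga describes for a LAN-to-LAN peer.

```python
"""Model of the ASA return-path problem discussed in the thread (constructed example)."""
import ipaddress

# Constructed routing table: (prefix, egress interface, next hop).
# The most specific matching prefix wins, as on the ASA; 0.0.0.0/0 is the default route
# that "route outside 0 0 x.x.x.x" installs.
RIB = [
    ("0.0.0.0/0", "Outside", "1.1.1.2"),            # default route via Outside's gateway
    ("203.0.113.10/32", "Outside_VPN", "2.2.2.3"),  # host route for a L2L peer (assumed address)
    ("192.168.50.0/24", "Outside_VPN", "2.2.2.3"),  # remote site LAN behind that peer (assumed)
]


def egress_interface(rib, dst):
    """Longest-prefix-match lookup: return (interface, next_hop) used to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_is_deliverable(rib, ingress_iface, peer_ip):
    """A reply to peer_ip only works if it leaves the interface the request arrived on.

    When the route lookup picks a different interface than the one the packet came in
    on, the path is asymmetric and the firewall drops the exchange, as described above.
    """
    egress, _ = egress_interface(rib, peer_ip)
    return egress == ingress_iface


def main():
    # L2L peer with a host route: the reply leaves Outside_VPN, so the tunnel can negotiate.
    print("L2L peer  :", reply_is_deliverable(RIB, "Outside_VPN", "203.0.113.10"))
    # Roaming VPN client: no specific route exists, so the reply follows the default
    # route out Outside even though the request arrived on Outside_VPN.
    print("VPN client:", reply_is_deliverable(RIB, "Outside_VPN", "198.51.100.77"))


if __name__ == "__main__":
    main()
```

Adding a host route per client address, as one can for a fixed L2L peer, is not possible for clients whose source address changes each time, which is exactly the limitation the replies describe.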

arvo.bowen Tue, 08/30/2011 - 13:09

I don't get it...  My DMZ'ed FTP server is on its own subnet, and I'm doing that right now...  When a user connects to a different IP (24.15.1.205 port 21) I have forwarded to my FTP server (10.71.5.2).  That's how the public gains access to the FTP server.  Yet my FTP server's default outgoing traffic is my primary IP address (24.15.1.204).  That works fine...

raga.fusionet Tue, 08/30/2011 - 13:23

Well, you just said it yourself: "When a user connects to a different IP (24.15.1.205 port 21) I have forwarded to my FTP server (10.71.5.2)". Remember that, as I explained earlier, you cannot forward the VPN traffic to another IP within the ASA itself.

What you have on the DMZ for your FTP server is a different scenario because you are forwarding traffic to another device on the DMZ subnet (10.71.5.0). The actual IP of the FTP server is something on the 10.71.5.0 subnet that you are forwarding or natting, depending on the case, to an IP on the public range.

In the setup that you are trying to accomplish with the VPN you don't have a host to forward the traffic to because you are terminating the tunnel on the ASA.

Cheers,

Raga

Posted August 29, 2011 at 8:27 AM