I currently have all my VPN clients connect to the same IP address that I use for all my outgoing traffic to the internet. I would like my VPN clients to NOT be able to connect to the outgoing traffic IP and instead be able to connect to my new IP dedicated for VPN tunnels and VPN clients. How can I go about doing this?
Without knowing more information, I'd just give them the new address. How is your topology laid out? Do you have different blocks of addresses? Have you dedicated one address to a certain appliance that was used for the other?
First off, sorry I forgot to tell you I'm working with an ASA 5505 using the latest ASDM and ASA OS.
I'm confused as to why all that information would be needed to tell me where I might go in the ASDM to set some type of bind setting for the VPN server for my VPN clients or the CLI entry to use to bind the IP address to the VPN server...
But if it helps...
Let's make up some similar information...
My External IP Block is 126.96.36.199/27
The IP I use for all outgoing traffic currently is 188.8.131.52
The IP I have dedicated for VPN usage is 184.108.40.206
Currently IP 207 is not used anywhere on my device (it's not found anywhere in the config file). That's why I'm asking... Currently if I told the users to use 207 they would get no response from it.
You can only terminate the VPN user connections on the ASA's public Interface IP address, this would be the IP address of the Interface facing the Internet. You cannot "forward" the VPN traffic to another IP within the ASA itself.
Just out of curiosity, what is the purpose (problem?) of using the different IP addresses for both?
PS: I haven't had a chance to respond to your other post. Is it resolved?
First off, I think I got what I needed as far as the other post goes... I'm still working about the last thing I asked on it but I can now get traffic from 1 place to another, so thanks.
Now on to this issue... I don't think I'm making myself clear enough hehe. My ASA would have 2 external IPs. I want to use 1 for all VPN traffic and 1 for all outgoing traffic... it has nothing to do with an internal IP or forwarding anything.
Ah OK I see.
Unfortunately this will not work for VPN Client connections only for Lan to Lan Tunnels. Here is why:
Let's say that you have an interface Outside (IP address 220.127.116.11 with Default gateway 18.104.22.168) and an interface Outside_VPN (IP address 22.214.171.124 with DG 126.96.36.199)
Now your default route will send all the traffic to let's say 188.8.131.52. That's what you have right now.
For the VPN LAN to LAN traffic to be routed through Outside_VPN you would need to add a route for the remote peer public IP address via 184.108.40.206 and also for the remote site LANs via 220.127.116.11. Then enable isakmp on the Interface Outside_VPN and disable it on the other one if you need to. And that should do it.
Now, the problem with the VPN clients is that they get different Public IP addresses every time, depending on where they are connecting from, so you won't be able to add a route to the Client's Public IP address via the Outside_VPN's Default Gateway for the return traffic. You could point the VPN client to the Outside_VPN interface, however the ASA will try to respond through the Outside Interface (not the Outside_VPN) with asymmetric routing, because of which the ASA will end up dropping the traffic and the client won't get a response.
Unfortunately this is not as easy as it looks.
I hope that this answers your questions.
Have a good one.
Let me be a little clearer just a little more... hehe
OK so all I'm trying to do is make a dedicated IP to use for INCOMING VPN requests (18.104.22.168).
- A VPN client (named VPNPC, outside) that wants to connect to my VPN server will use IP 22.214.171.124.
- A client (named LLPC) on my LAN (inside) goes to google.com; the traffic goes out IP 126.96.36.199.
- VPNPC wants to go to google.com; the traffic goes out IP 188.8.131.52.
I just want the VPN server to LISTEN on a different IP than the main IP of the outside interface.
Yeah, I got you. You can't do that because of two reasons:
1. You can't have two interfaces with different IPs on the same subnet (in this case .204 and .207 are on the same subnet if you said that you have a /27)
2. You can enable the VPN server to listen for VPN connections on your second VPN dedicated interface, however since the ASA default gateway points to the next hop of your primary interface (using a route outside 0 0 x.x.x.x) the packets from the VPN negotiation will be dropped. This happens because the ASA would receive a packet on interface #2 and try to respond through interface #1 (because of the default route). Therefore your client won't get a response.
I hope this clarifies your questions.
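The two explanations above (LAN-to-LAN peers can be handled with explicit routes, road-warrior clients cannot because their source address is unknown in advance) come down to a longest-prefix-match route lookup followed by a check that the reply leaves on the interface the request arrived on. The following is an added illustration, not code from the thread or from Cisco: it models an ASA-style routing table with the thread's interface names Outside and Outside_VPN and constructed placeholder addresses (documentation ranges, not the addresses in the thread), and shows why a peer with a host route gets a symmetric path while a client falling through to the default route does not.

```python
import ipaddress

# Constructed routing table modelled on the thread's setup: a default route
# out the primary interface plus host/network routes for one LAN-to-LAN peer
# via the dedicated VPN interface. Next-hop names are placeholders.
ROUTES = [
    # (destination network, egress interface, next hop)
    ("0.0.0.0/0", "Outside", "OUTSIDE_GW"),               # default route
    ("203.0.113.50/32", "Outside_VPN", "OUTSIDE_VPN_GW"),  # LAN-to-LAN peer's public IP
    ("192.168.50.0/24", "Outside_VPN", "OUTSIDE_VPN_GW"),  # remote site LAN behind that peer
]


def lookup(dst):
    """Longest-prefix match over ROUTES.

    Returns (egress interface, next hop) for dst, or None if no route matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gw)
    return (best[1], best[2]) if best else None


def return_path_is_symmetric(ingress_iface, peer_ip):
    """True if a reply to peer_ip would leave on the interface the request came in on.

    The ASA answers an inbound packet using the routing table, not the ingress
    interface, so a mismatch here is the asymmetric-routing case the thread
    describes: the reply goes out Outside while the request arrived on Outside_VPN.
    """
    route = lookup(peer_ip)
    if route is None:
        return False
    egress, _ = route
    return egress == ingress_iface


def classify_inbound(ingress_iface, peer_ip):
    """Human-readable verdict for one inbound VPN negotiation packet."""
    egress, gw = lookup(peer_ip)
    if return_path_is_symmetric(ingress_iface, peer_ip):
        return f"ok: in {ingress_iface}, reply out {egress} via {gw}"
    return f"dropped: in {ingress_iface}, reply would go out {egress} via {gw}"


if __name__ == "__main__":
    # LAN-to-LAN peer with an explicit host route: symmetric, works.
    print(classify_inbound("Outside_VPN", "203.0.113.50"))
    # Road-warrior client from an arbitrary address: falls to the default route, dropped.
    print(classify_inbound("Outside_VPN", "198.51.100.77"))
    # Same client terminating on the primary interface: symmetric, works.
    print(classify_inbound("Outside", "198.51.100.77"))
```

The model deliberately has no per-client routes, because the thread's point is exactly that a client's public address is not known ahead of time; adding one host route per remote office is what makes the LAN-to-LAN case work, and nothing equivalent exists for clients whose source address changes.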
I don't get it... My DMZ'ed FTP server is on its own subnet, and I'm doing that right now... When a user connects to a different IP (184.108.40.206 port 21) I have forwarded to my FTP server (10.71.5.2). That's how the public gains access to the FTP server. Yet my FTP server's default outgoing traffic is my primary IP address (220.127.116.11). That works fine...
Well, you just said it yourself "When a user connects to a different IP (18.104.22.168 port 21) I have forwarded to my FTP server (10.71.5.2)". Remember that as I explained earlier you cannot forward the VPN traffic to another IP within the ASA itself.
What you have on the DMZ for your FTP server is a different scenario because you are forwarding traffic to another device on the DMZ subnet (10.71.5.0). The actual IP of the FTP server is something on the 10.71.5.0 subnet that you are forwarding or natting depending on the case to an IP on the public range.
In the setup that you are trying to accomplish with the VPN you don't have a host to forward the traffic to because you are terminating the tunnel on the ASA.