Cisco Support Community

aa
New Member

2 interfaces 1 vpn profile

Here is the problem:

Users have 1 VPN profile, but need to be able to establish VPN connections on two different interfaces of an ASA (depending on whether they are internal or external at the time).

The profile points to vpn.corp.com.

Does anyone have a good solution to this problem?

The obvious one is to have a DNS server return two different IPs for vpn.corp.com depending on which interface the user is on.

Thanks in advance for replies.

3 REPLIES

Re: 2 interfaces 1 vpn profile

The DNS approach you mentioned seems to be the most reasonable one. Others could be:

1) Use two different profiles

2) Perhaps use two different hostnames (and put the second as a Backup VPN gateway). Based on where the user currently is on the network, only one should be functional, but I'm not sure if this will even work... never tried it.

Regards

Farrukh

aa
New Member

Re: 2 interfaces 1 vpn profile

Here is the solution to the problem.

So if you want to be able to use 1 profile in the Cisco IPsec client, or to use one standard URL to establish SSL VPN connections, REGARDLESS of the ASA interface involved, here is what you do:

A service policy can be set up to rewrite DNS replies. So depending on what interface the client is using, the ASA will rewrite a DNS reply to point to the corresponding interface on the firewall.

I used the alias command to do it.

Re: 2 interfaces 1 vpn profile

Thanks for the update. A DNS-related solution was not given because you wrote:

"The obvious one is to have a DNS server return two different IPs for vpn.corp.com depending on which interface the user is on."

Regards

Farrukh
