ASA: Use alternative IP address for VPN connections

lmark
Level 1

Hi Magnus,

Our ASA is located behind an access router. The transfer network between the router
and the ASA uses private IP addresses. The access router routes a network of public
IP addresses to our ASA.
I want to assign a public IP address to the ASA and use this address to
set up some VPN tunnels to our branches.

I wonder if the ASA can establish VPN connections using an IP address
that is different from the IP address of the outside interface. Furthermore,
the ASA should answer VPN setup requests to the public IP address.

Regards,

Mark

5 Replies

Panos Kampanakis
Cisco Employee

I do not think this is doable. But I would suggest asking this question in the VPN forum to double-check.

I hope it helps.

PK

lmark
Level 1

Are there no ideas?

I wonder if one can configure a kind of "virtual IP address"
like in a redundant setup or in a cluster configuration.

hdashnau
Cisco Employee

Yes, this is possible; you will have NAT on your "outside" router translating the ASA private IP address to a public IP address, so hosts on the Internet have a public IP to reach the ASA at, and the ASA will accept the VPN on the "private" address. On the ASA, to accommodate the NAT that's happening on the router, you will need to add the command "isakmp nat-traversal" (verify with "sh run all | include isakmp nat-traversal"). The VPN connections will negotiate to UDP 4500 once NAT is detected.

Please remember to rate all of the posts and mark the question as resolved if this addressed the issue.
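A configuration sketch of the setup described in the reply above, added here as an example and not posted by anyone in the thread. The addresses are placeholders (192.168.255.2 for the ASA outside interface on the transfer network, 203.0.113.10 for the public address), and it assumes an IOS access router; it forwards only IKE and NAT-T instead of translating every port, so nothing else on the ASA outside interface becomes reachable through the public address.

```text
! --- Access router (IOS) -------------------------------------------
! Placeholder addresses: 192.168.255.2 = ASA outside interface,
! 203.0.113.10 = public address handed to the branch offices.
! Interface names are assumptions.
interface GigabitEthernet0/0
 description Uplink to ISP
 ip nat outside
!
interface GigabitEthernet0/1
 description Transfer network to ASA
 ip nat inside
!
! Forward only IKE (UDP 500) and NAT-T (UDP 4500) to the ASA.
! ESP (IP protocol 50) is not forwarded; with NAT-T the tunnel
! traffic is carried inside UDP 4500.
ip nat inside source static udp 192.168.255.2 500 203.0.113.10 500
ip nat inside source static udp 192.168.255.2 4500 203.0.113.10 4500

! --- ASA -----------------------------------------------------------
! Enable NAT traversal with a 20-second keepalive. The post quotes
! the command as "isakmp nat-traversal"; later ASA releases use the
! "crypto isakmp" prefix shown here.
crypto isakmp nat-traversal 20

! Check that it is active (command from the post):
!   sh run all | include isakmp nat-traversal

! --- Branch peers --------------------------------------------------
! Point the tunnel peer at 203.0.113.10, not at the ASA's
! private outside address.
```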

You can configure a VPN cluster with just one node and then use another private address for that; then you can do a NAT to that private address in your router. But the proper way would be to make your ISP change the transport network to the public range instead; still, you need the VPN cluster to use another address to terminate VPNs on the ASA. Also, this only works for IPSec-based VPN; I'm not 100% sure about SSL-based VPN.

Nice idea. But I'll follow your comment to better use a public IP address on the outside interface.

Regrettably, there seems to be no solution to use an alternative or virtual IP address
for the VPN tunnel endpoint.

Thanks for all answers.

Regards,

Mark
