10-05-2010 04:43 AM
Hi Magnus,
Our ASA is located behind an access router. The transfer network between the router
and the ASA uses private IP addresses. The access router routes a network of public
IP addresses to our ASA.
I want to assign a public IP address to the ASA and use this address to
set up some VPN tunnels to our branches.
I wonder if the ASA can establish VPN connections using an IP address
that is different from the IP address of the outside interface. Furthermore
the ASA should answer VPN setup requests to the public IP address.
Regards,
Mark
10-05-2010 08:21 AM
I do not think this is doable. But I would suggest asking this question in the VPN forum to double check.
I hope it helps.
PK
10-11-2010 08:49 AM
Are there no ideas?
I wonder if one can configure a kind of "virtual ip address"
like in a redundant setup or in a cluster configuration.
10-11-2010 09:15 AM
Yes, this is possible; you will have NAT on your "outside" router translating the ASA private IP address to a public IP address so hosts on the Internet have a public IP to reach the ASA at, and the ASA will accept the VPN on the "private" address. On the ASA, to accommodate the NAT that's happening on the router, you will need to add the command "isakmp nat-traversal" (verify with sh run all | include isakmp nat-traversal). The VPN connections will negotiate to UDP 4500 once NAT is detected.
Please remember to rate all of the posts and mark the question as resolved if this addressed the issue.
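How NAT is detected in the setup described in the reply above, as an added example that is not part of the original thread: per RFC 3947, each IKE peer sends NAT-D hashes of the addresses it put on the wire, and the receiver compares them with the addresses it actually sees. The IP addresses and cookies below are constructed documentation values, and `scenario` is a hypothetical helper.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NAT_T_PORT = 500, 4500

def nat_d_hash(cky_i, cky_r, ip, port, alg="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    blob = (cky_i + cky_r + ipaddress.ip_address(ip).packed
            + struct.pack("!H", port))
    return hashlib.new(alg, blob).digest()

def receiver_check(cky_i, cky_r, nat_d_dst, nat_d_src, seen_src, seen_dst):
    """Compare the sender's NAT-D hashes with what the receiver observes."""
    # Destination hash mismatch: the receiver's own address was translated.
    receiver_nat = nat_d_dst != nat_d_hash(cky_i, cky_r, *seen_dst)
    # Source hash mismatch: the sender's address was translated.
    sender_nat = nat_d_src != nat_d_hash(cky_i, cky_r, *seen_src)
    nat = receiver_nat or sender_nat
    return {
        "receiver_behind_nat": receiver_nat,
        "sender_behind_nat": sender_nat,
        # Once NAT is detected, IKE floats from UDP 500 to UDP 4500.
        "ike_port": NAT_T_PORT if nat else IKE_PORT,
    }

def scenario(asa_outside_ip, public_vpn_ip):
    """Branch peer initiates to public_vpn_ip; the ASA owns asa_outside_ip."""
    cky_i = bytes.fromhex("1122334455667788")   # constructed initiator cookie
    cky_r = bytes.fromhex("99aabbccddeeff00")   # constructed responder cookie
    branch = ("198.51.100.20", IKE_PORT)        # constructed branch peer
    # The branch hashes the addresses it wrote into the packet.
    d_hash = nat_d_hash(cky_i, cky_r, public_vpn_ip, IKE_PORT)
    s_hash = nat_d_hash(cky_i, cky_r, *branch)
    # After the router's translation the ASA sees its own interface address.
    return receiver_check(cky_i, cky_r, d_hash, s_hash,
                          seen_src=branch,
                          seen_dst=(asa_outside_ip, IKE_PORT))

if __name__ == "__main__":
    # Private outside interface, router NATs the public address to it.
    print(scenario("10.0.0.2", "203.0.113.10"))
    # Public address directly on the outside interface: no NAT seen.
    print(scenario("203.0.113.10", "203.0.113.10"))
```

With NAT traversal disabled on the ASA, the mismatch in the first case has no fallback and ESP traffic will not survive the router's translation, which is why the reply asks to verify the setting.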
10-11-2010 10:39 AM
You can configure a VPN cluster, with just one node, and then use another private address for that; then you can do a NAT to that private address in your router. But the proper way would be to make your ISP change the transport network to the public range instead; still, you need the VPN cluster to use another address to terminate VPNs on the ASA. Also, this only works for IPsec-based VPN; I'm not 100% sure about SSL-based VPN.
10-26-2010 07:07 AM
Nice idea. But I'll follow your comment to better use a public IP address on the outside interface.
Regrettably there seems to be no solution to use an alternative or virtual IP address
for the VPN tunnel endpoint.
Thanks for all answers.
Regards,
Mark