Does anyone know if I can assign a separate external IP address to intercept AnyConnect SSL requests other than assigning it to an interface, which normally is external/outside? This is for the ASA 5520 model.
You have to assign an interface (by name) to accept the incoming crypto IKE connections. While it technically doesn't have to be the "outside" interface, it does have to be an interface with a publicly routable address that would not have asymmetric routing.
In 99.99% of use cases that means using the outside interface. In fact, I've never seen anyone use anything but "outside".
Thanks for replying to my question. I understand the part that it will be assigned to an interface; however, I would like to use a different public IP address rather than the one assigned to an outside interface. I was thinking about doing a twice NAT to NAT the outside public to another public IP address but couldn't get it to work. If anyone knows the answer to that, please let me know.
What's your rationale for not wanting to use the outside interface address?
If it's already in use on port 443 for some other already-NATted server, it's usually easier to make that server NAT to a different IP and just update the DNS record for the FQDN that outside access comes in for that server.
The reason I need to use a different public IP address is because my circuit service provider also has a firewall that only allows certain IP addresses for inbound SSL traffic. I want the outside interface to stay with the same IP address since my company would like to stay with that IP for all global NAT translation. Thanks, Marvin, for answering my question. Now I have decided to change the global NAT statement to use an IP address instead of the interface and change the outside interface IP address.