Cisco Support Community
New Member

assign external ip for anyconnect ssl question

Hi,

Does anyone know if I can assign a separate external IP address to intercept AnyConnect SSL requests other than assigning it to an interface, which normally is external/outside? This is for the ASA 5520 model.

5 REPLIES
Hall of Fame Super Silver

assign external ip for anyconnect ssl question

You have to assign an interface (by name) to accept the incoming crypto IKE connections. While it technically doesn't have to be the "outside" interface, it does have to be an interface with a publicly routable address that would not have asymmetric routing.

In 99.99% of use cases that means using the outside interface. In fact, I've never seen anyone use anything but "outside".

New Member

Re:assign external ip for anyconnect ssl question

Thanks for replying to my question. I understand the part that it will be assigned to an interface; however, I would like to use a different public IP address rather than the one assigned to an outside interface. I was thinking about doing a twice NAT to NAT the outside public to another public IP address but couldn't get it to work. If anyone knows the answer to that, please let me know.



Hall of Fame Super Silver

Re:assign external ip for anyconnect ssl question

What's your rationale for not wanting to use the outside interface address?

If it's already in use on port 443 for some other already-NATted server, it's usually easier to make that server NAT to a different IP and just update the DNS record for the FQDN that outside access comes in for that server.

New Member

assign external ip for anyconnect ssl question

The reason I need to use a different public IP address is because my circuit service provider also has a firewall that only allows certain IP addresses for inbound SSL traffic. I want the outside interface to stay with the same IP address since my company would like to stay with that IP for all global NAT translation. Thanks, Marvin, for answering my question. Now I have decided to change the global NAT statement to use an IP address instead of the interface and change the outside interface IP address.

Hall of Fame Super Silver

assign external ip for anyconnect ssl question

You're welcome. Please rate helpful replies and mark your question as answered if it has been.
