We are setting up a number of ASAs for use with corporate VPNs. When remote users connect using AnyConnect they can hairpin out to the internet from Head Office and we need to allocate them a public IP address for this purpose. To avoid people getting the same public address each time they go to the internet we want to set up a pool of public addresses that will be randomly allocated to users of the VPN. Also, for their inbound connection we have a DDNS that resolves to a single IP address for inbound connections. So, in summary, clients connect to a single IP address on our ASAs, then hairpin out to the internet and are allocated a public IP address from a pool. We are looking at a few options to achieve this but would welcome any suggestions as to the best way to achieve this objective.
Well, I guess you would simply configure a Dynamic NAT for the VPN users. You would have a pool/range of public IP addresses from which addresses would be allocated for VPN clients as they connect to the Internet.
I am not sure what you mean by the inbound connections (unless you mean return traffic for connections initiated by the clients).
Naturally the NAT configuration format depends on your ASA software level, as there's a major difference between 8.2 (and older) and 8.3 (and newer).
The inbound connections are for the VPN clients to ingress the ASAs; they then hairpin out to the internet where they are allocated a public IP address for their internet session. We will NAT them from the LAN VPN pool outbound, but it's the allocation of a public IP address we are looking into. There won't be any local access so we don't need to set up a NAT exemption for the VPN users. Also, can't remember if the dynamic NAT allocates public addresses on a round robin or random basis, any ideas?
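A sketch of the Dynamic NAT approach suggested in the reply above, in both the 8.3-and-newer and the 8.2-and-older formats. This is an added example, not configuration posted by anyone in the thread; the interface name `outside`, the object names, the VPN pool 10.10.10.0/24 and the public range 203.0.113.10-203.0.113.20 are all constructed placeholders.

```cisco
! Required on every software level: allow traffic to enter and leave
! the same interface, otherwise the hairpinned VPN traffic is dropped.
same-security-traffic permit intra-interface

! ---------------------------------------------------------------
! ASA 8.3 and newer (object NAT)
! ---------------------------------------------------------------
! Addresses handed to AnyConnect clients (placeholder subnet).
object network VPN-CLIENTS
 subnet 10.10.10.0 255.255.255.0

! Public addresses used for the clients' internet sessions
! (placeholder range from the documentation prefix 203.0.113.0/24).
object network VPN-PUBLIC-POOL
 range 203.0.113.10 203.0.113.20

! VPN clients arrive on "outside" and leave on "outside", so both the
! real and the mapped interface are "outside".
object network VPN-CLIENTS
 nat (outside,outside) dynamic VPN-PUBLIC-POOL

! ---------------------------------------------------------------
! ASA 8.2 and older (nat/global pair with a shared NAT ID)
! ---------------------------------------------------------------
! nat (outside) 1 10.10.10.0 255.255.255.0
! global (outside) 1 203.0.113.10-203.0.113.20

! Verification after a client has connected and browsed:
!   show xlate
!   show nat detail
```

The 8.2 lines are commented out because the two formats cannot be mixed on one device; use the pair that matches the running software level. The pool must contain at least as many addresses as there are concurrent VPN clients, since plain dynamic NAT maps one real address to one public address.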