We are configuring an ASA 5510 for remote VPN users using AnyConnect.
Our question is:
We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.
Any suggestions on how to best achieve this requirement?
You will not be able to assign 5 public IP addresses specifically to the outside interface of the ASA. Also, I do not understand your statement regarding DDNS logins. What is the business requirement you are trying to satisfy?
We have users who access the ASA via VPNs using AnyConnect. We have created 5 user groups; we will just call them A, B, C, D, E. When Group A connects they use for example vpnA.xyz.net and IP address 184.108.40.206. When Group B connects they use for example vpnb.xyz.net and IP address 220.127.116.11 and so on.
As for DDNS, we are aware that the ASA does not do DDNS updates and so we either use an internal server or manual entries. The purpose of this is purely to give the users an easy to remember login.
We can use the Global command to map the external IP addresses to the internal subnets, but we are trying to find out if there is another way.
What are the different groups used for? Are they different companies or just different departments of one company?
There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.
One "typical" way to configure different VPN-settings for different users is the following:
You configure one tunnel-group with the needed authentication-settings. The assigned group-policy only has the needed tunnel-protocol configured like ssl-client.
For each department you configure one group-policy with all needed parameters like split tunnel, VPN-filter, banner, DNS/WINS-servers domain and so on.
Your users get one of these group-policies assigned. That can be done with local authentication in the user-account, or more scalable through a central RADIUS-server which can be the Windows NPS to authenticate the domain-users.
First, the ASA doesn't support the HTTP-method of DDNS. So your ASA should have a fixed public IP. Of course you could run a DDNS-client in the internal network, but I wouldn't recommend that.
Then, as already mentioned, the ASA doesn't support the concept of secondary IPs as the router does. You can only configure one IP on the interface.
If I understand you right, you want to have multiple VPN configs on one ASA. That can be done with only one address. You configure multiple tunnel-groups, each with a different URL and each one can have a different config and look and feel.
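The multiple tunnel-group approach from the last reply, sketched as an added example that is not part of the original thread. The hostnames are the ones from the question; the pool names, ACL names, policy names and internal subnets are assumptions, and the syntax assumes a software release that uses the `anyconnect`/`ssl-client` keywords (older releases use `svc`) with an AnyConnect image already configured.

```cisco
! Constructed example: all names, pools and subnets below are assumptions.
! vpna.xyz.net and vpnb.xyz.net both resolve to the ONE outside interface IP.
ip local pool POOL-A 10.10.1.10-10.10.1.100 mask 255.255.255.0
ip local pool POOL-B 10.10.2.10-10.10.2.100 mask 255.255.255.0
!
! vpn-filter ACLs: client pool as source, internal subnet as destination.
! Each group reaches only its own internal subnet.
access-list FILTER-A extended permit ip 10.10.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list FILTER-B extended permit ip 10.10.2.0 255.255.255.0 192.168.20.0 255.255.255.0
!
webvpn
 enable outside
 anyconnect enable
!
! One group-policy per user group carries the per-group settings.
group-policy GP-A internal
group-policy GP-A attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value FILTER-A
 banner value Group A VPN
group-policy GP-B internal
group-policy GP-B attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value FILTER-B
 banner value Group B VPN
!
! One tunnel-group per login URL; the URL the client connects to selects it.
tunnel-group TG-A type remote-access
tunnel-group TG-A general-attributes
 address-pool POOL-A
 default-group-policy GP-A
tunnel-group TG-A webvpn-attributes
 group-url https://vpna.xyz.net enable
!
tunnel-group TG-B type remote-access
tunnel-group TG-B general-attributes
 address-pool POOL-B
 default-group-policy GP-B
tunnel-group TG-B webvpn-attributes
 group-url https://vpnb.xyz.net enable
```

The URL only selects the connection profile. What a user can reach is still decided by authentication and the group-policy, so the per-group `vpn-filter` is what keeps Group A and Group B apart.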