Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member


Hi All,

We are configuring an ASA 5510 for remote VPN users using Any Connect.

Our question is:

We have a /29 block of public IP addresses and we want to configure 5 public IP addresses on the Outside interface so that VPN users can use different DDNS logins that terminate on one of the 5 addresses. 1 of the 6 hosts in the subnet is the gateway address to the ISP router.

Any suggestions on how to best achieve this requirement.



New Member

You will not be able to

You will not be able to assign 5 public IP addresses specifically to the outside interface of the ASA. Also, I do not understand your statement regarding DDNS logins. What is the business requirement you are trying to satisfy?

New Member

Hi All,Just to clarify what

Hi All,

Just to clarify what we are looking to achieve.

We have users who access the ASA via VPNs using Any Connect. We have created 5 user groups we will just call them A, B, C, D, E. When Group A connects they use for example and IP address When Group B connect they use for example and IP Address and so on.

As for DDNS we aware that the ASA does not do DDNS updates and so we either use an internal server or manual entries. The purpose of this is purely to give the users an easy to remember login.

We can use the Global command to map the external IP addresses to the internal subnets, but we are trying to find out if there is another way.





VIP Purple

What are the different groups

What are the different groups used for? Are that different companies or just different departments of one company?

There are so many ways to achieve different VPN-Settings for the users and all of them only work with the one public IP-address your ASA has on the outside interface.

One "typical" way to configure different VPN-settings for different users is the following:

  1. You configure one tunnel-group with the needed authentication-settings. The assigned group-policy only has the needed tunnel-protocol configured like sssl-client.
  2. For each department you configure one group-policy with all needed parameters like split tunnel, VPN-filter, banner, DNS/WINS-servers domain and so on.
  3. Your users get one of these group-policies assigned. That can be done with local authentication in the user-acount, or more scalable through a central RADIUS-server which can be the Windows NPS to authenticate the domain-users.


Hall of Fame Super Silver

Karsten has it right - the

Karsten has it right - the way to do what you want is with connection profiles (tunnel-group in the legacy cli command) associated with group policies that customize the user access as desired.

VIP Purple

first, the ASA doesn't

first, the ASA doesn't support the HTTP-method of DDNS. So your ASA should have a fixed public IP. Of course you could run a DDNS-client in the internal network, but I wouldn't recommend that.

Then, as already mentioned, the ASA doesn't support the concept of secondary IPs as the router does. You only can configure one IP on the interface.

If I understand you right, you wan't to have multiple VPN configs on one ASA. That can be done with only one address. You configure multiple tunnel-groups, each with a different URL and each one can have a different config and look and feel.

CreatePlease to create content