Multiple Public IP addresses on Outside

inderpalsogi
Level 1

I have a number of public IP addresses, one which has been assigned to the outside interface of an ASA 5505.

What I am trying to achieve is use a 2nd public address as the LAN to LAN VPN termination address.

Now I know you can terminate VPNs on the outside which is working without any problems.

I have created another vlan and assigned to a different interface with an ip of 192.168.200.1/24

I have created a one to one NAT for the 2nd public IP address to this interface. The physical cable from this interface is going into the same router as the outside interface. Is this correct?

I have also enabled a proxy arp alias on the outside vlan.  However, the VPN connection does not come up.

Should I be doing something else or configuring additional commands?

I just do not think the 2nd public address is capable of being reached.


The ASA only terminates VPNs on the interface IP address. I'm pretty confident that your tweaks won't work on the ASA. But why do you want to use a different IP for VPNs? Perhaps there are better ways to solve your problem.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Well, basically there is a 3000 VPN concentrator with a number of VPN tunnels configured on there which use the 2nd public IP address, and I want to move the VPN tunnels onto the ASA.

Therefore I am trying to minimise the configuration changes required to be done at the remote ends because they are 3rd parties.

And the clients are configured with the VPN3000-IP instead of the FQDN?

Is there a possibility to instruct the clients to change the profile to FQDN instead of IP and later point the FQDN to the ASA? With the tunnel-count of the 5505 I wouldn't expect there to be that many clients.

Or different solution:

Use a second ASA 5505 for the VPNs to get some time in migration. Then change the clients to FQDN, move that to the primary IP and later combine the two ASAs to a Failover-system. Then you also have some redundancy when you're done.


Thanks Karsten.

This is not RAS clients, these are LAN to LAN IPsec VPN tunnels.

Ok! Sorry, but then I don't see an easy option without changing the peer-devices.
