Cisco Support Community
Community Member

Question about AnyConnect

Hello Everyone,

I currently have an ASA 5550 with a set of public IP addresses. My ASA's outside interface address is 66.45.12.12, and I also have a few site-to-site VPN setups with a few other offices using the outside interface address. I'd like to set up AnyConnect VPN. Is it OK to set up AnyConnect to use the same outside IP address 66.45.12.12 on the same ASA? Are there any cons/pros which may occur from doing that?

Thanks.

3 REPLIES
Hall of Fame Super Silver

That's not a problem at all. It's a very common way to set it up.

AnyConnect clients will use TCP port 443 (assuming SSL VPN) while the site-site VPNs will continue to use IP protocols 51 and 50 (AH, ESP) plus IKE ISAKMP etc.

Community Member

Thanks for the verification. Last question: since I have a set of public IP addresses and this IP, 66.45.12.13, is the next IP address after 66.45.12.12 (the ASA's outside interface), is it possible to configure AnyConnect with this IP 66.45.12.13 on the ASA? Technically the AnyConnect VPN clients would connect to this IP address 66.45.12.13 instead of the outside interface IP address.

Thanks.

Hall of Fame Super Silver

You're welcome.

No - remote access (and site-site) VPNs need to use the interface IP address.

If you have other existing services bound to port 443 (e.g. with a NAT rule and access-list), those would need to be moved to a different IP address or TCP port.

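The port 443 caveat in the last reply can be checked before AnyConnect is enabled. The following is an added example, not part of the thread: a small Python audit of a saved running-config that flags static PAT rules publishing TCP/443 on the interface IP of an interface where `webvpn` is enabled. The function names and the sample config are constructed for illustration, and the script assumes only the two common static PAT forms (pre-8.3 `static ... tcp interface` and 8.3+ object `nat ... static interface service tcp`); other NAT forms are not parsed.

```python
import re

# Tokens the ASA prints for TCP/443 in a running-config.
HTTPS = {"443", "https"}
# Pre-8.3 static PAT: static (real_if,mapped_if) tcp interface <mapped_port> ...
OLD_PAT = re.compile(r"^static \(\S+,(\S+)\) tcp interface (\S+) ")
# 8.3+ object NAT: nat (real_if,mapped_if) static interface service tcp <real> <mapped>
NEW_PAT = re.compile(r"^\s*nat \(\S+,(\S+)\) static interface service tcp \S+ (\S+)")

def webvpn_interfaces(config):
    """Interfaces with 'enable <if>' in the top-level webvpn block.
    Returns an empty set if the listener was moved off 443 with 'port <n>'."""
    ifaces, in_webvpn, port = set(), False, "443"
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command starts a new block
            in_webvpn = line.strip() == "webvpn"
            continue
        if in_webvpn:
            words = line.split()
            if words[:1] == ["enable"] and len(words) >= 2:
                ifaces.add(words[1])
            elif words[:1] == ["port"] and len(words) == 2:
                port = words[1]
    return ifaces if port in HTTPS else set()

def port_443_conflicts(config):
    """Static PAT lines that publish TCP/443 on a webvpn-enabled interface IP."""
    vpn_ifaces = webvpn_interfaces(config)
    hits = []
    for line in config.splitlines():
        m = OLD_PAT.match(line) or NEW_PAT.match(line)
        if m and m.group(1) in vpn_ifaces and m.group(2) in HTTPS:
            hits.append(line.strip())
    return hits

# Constructed sample config (not taken from the thread).
SAMPLE = """\
object network WEB_SERVER
 nat (inside,outside) static interface service tcp https https
object network MAIL_SERVER
 nat (inside,outside) static interface service tcp smtp smtp
crypto ikev1 enable outside
webvpn
 enable outside
 anyconnect enable
"""

if __name__ == "__main__":
    for rule in port_443_conflicts(SAMPLE):
        print("conflicts with webvpn on 443:", rule)
```

Any rule it reports has to move to another public IP address or TCP port, as the reply says, before the SSL VPN listener shares that interface.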