SSL – Set up Cisco ASA WebVPN on a different IP address than the outside IP

cisco-asa, cisco-vpn, sslvpn

Our customer has an SSL VPN solution called "SSL Explorer"; it is a server-based application which runs on a DMZ host.
Because the software has been announced as end-of-life, we want to migrate to ASA WebVPN.

At the moment there is a DNS record "ssl.customer.ch" pointing to xx.xx.xx.68/29. We do not want to change the DNS record, to keep the downtime of the migration as low as possible.

The ASA itself has the IP address xx.xx.xx.66/29 on the outside interface.

If I set up WebVPN via ASDM with the wizard, it seems that the IP address used to access WebVPN can't be changed; it's always the IP address of the interface you choose, in this case the outside IP address xx.xx.xx.66.

My question is: how can I access WebVPN over the IP address xx.xx.xx.68/29, a different IP address than the outside IP address?

Here is what I've already tried:

1) Create a second (sub)interface on the outside interface and configure xx.xx.xx.68/29 as its IP address.
–> Doesn't work because the subnet overlaps. (Maybe it would work if I subnetted the subnet again, but then I would lose IP addresses that are needed, so it isn't an option.)

I also tried a kind of NAT statement which should redirect x.x.x.68:443 to x.x.x.66:443:

  static (outside,outside)  tcp interface 443 xx.xx.xx.68 443 netmask 255.255.255.255 tcp 0 0 udp 0


  access-list outside_access_in line 9 remark Allows WebVPN on xx.xx.xx.68 for redirect to xx.xx.xx.66 (outside IP of the ASA)
  access-list outside_access_in line 10 extended permit tcp host xx.xx.xx.68 host xx.xx.xx.66 eq https 

but if I do a packet trace:

  packet-tracer input outside tcp 80.41.25.6 12345 217.192.168.68 443 xml

it says that the implicit deny any any at the end of the outside ACL blocks the traffic.

any ideas?
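The subnet-overlap failure in attempt 1, and the cost of re-subnetting the /29 that the question rejects, can be worked out with Python's standard ipaddress module. This is an added example and not part of the original question or answer; it uses the documentation range 192.0.2.64/29 to stand in for the xx.xx.xx.64/29 block, keeping the .66 (ASA outside interface) and .68 (ssl.customer.ch) host octets from the question.

```python
import ipaddress


def overlap_check(existing: str, proposed: str) -> bool:
    """Return True if the proposed interface's subnet overlaps the existing one.

    The ASA rejects a second interface whose subnet overlaps another interface's
    subnet, which is why a subinterface with .68/29 next to .66/29 fails.
    """
    a = ipaddress.ip_interface(existing).network
    b = ipaddress.ip_interface(proposed).network
    return a.overlaps(b)


def split_plan(block: str, new_prefix: int, wanted_hosts) -> dict:
    """Split the block into subnets of new_prefix and report what is lost.

    Returns the usable host count before and after the split and, for each
    wanted host address, the subnet it lands in and whether it is still a
    usable host address (i.e. not a network or broadcast address).
    """
    net = ipaddress.ip_interface(block).network
    subs = list(net.subnets(new_prefix=new_prefix))
    usable_before = net.num_addresses - 2
    usable_after = sum(s.num_addresses - 2 for s in subs)
    hosts = {}
    for h in wanted_hosts:
        addr = ipaddress.ip_address(h)
        sub = next(s for s in subs if addr in s)
        hosts[h] = {
            "subnet": str(sub),
            "usable": addr != sub.network_address and addr != sub.broadcast_address,
        }
    return {"usable_before": usable_before, "usable_after": usable_after, "hosts": hosts}


if __name__ == "__main__":
    # Constructed addresses: documentation range standing in for xx.xx.xx.64/29.
    asa_outside = "192.0.2.66/29"
    proposed_subif = "192.0.2.68/29"
    print("overlap:", overlap_check(asa_outside, proposed_subif))  # True
    # What happens if the /29 is split into two /30s so the two addresses
    # can live on separate interfaces?
    plan = split_plan(asa_outside, 30, ["192.0.2.66", "192.0.2.68"])
    print("usable hosts before/after split:", plan["usable_before"], plan["usable_after"])
    for host, info in plan["hosts"].items():
        print(f"{host}: subnet {info['subnet']}, usable host address: {info['usable']}")
```

Running it shows the two reasons the workaround is unattractive: splitting the /29 into two /30s drops the usable host count from 6 to 4, and .68 becomes the network address of the second /30, so it could not even be assigned to the new subinterface; the DNS name would have to move to a different address anyway.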

Best Answer

I don't see a way to get this working with 2 IPs on the same network with an ASA :/
The best solution I see is to put a router behind the ASA to do the NAT, or to reduce the TTL of ssl.customer.ch a lot (to reduce downtime) and then change its IP.