How to bind VPN tunnel endpoints to dedicated IP addresses?

Question

Hi folks, I'm running a SG 115 W with latest sw release. On WAN NIC I've been assigned a /28 subnet from my ISP. Let's name the net AA.BB.CC.DD/28. From this /28 I'like to use 3 IP addresse for the UTM itself, i.e. 
 
 one as "default" gateway for general outbound traffic (this is simple/default) AA.BB.CC.D1 
 one for Site-2-Site VPNs (IPSec in general) AA.BB.CC.D2 
 one for Client-2-Site VPNs (SSL in general) AA.BB.CC.D3 
 
 Well, I know how to assign the second and third IP address to the WAN NIC - this is the simple part. But, how to force the VPN-Connections to use one of the additional (offical static) IP addresses AA.BB.CC.D2 or AA.BB.CC.D3 on establishing a VPN connection? Any ideas/hints/suggestions? May be source/destination NAT or something else? Greetinx Moose

BAlfson · Accepted Answer

The easiest for SSL VPN Remote Access is to use an FQDN that resolves to AA.BB.CC.D3 (like vpn.domain.com) in 'Override hostname' on the 'Settings' tab. For the IPsec site-to-sites, the easiest is to have AA.BB.CC.D2 be the primary address of the External interface. For the general traffic, instead of using a masquerading rule, the easiest is to use a NAT rule like: 'SNAT : Internal (Network) -> Any -> Internet : from External [General] (Address)' where "General" is the name of the Additional Address AA.BB.CC.D1. Cheers - Bob 
 Edit a bit later: I just remembered that it's no longer necessary to use an SNAT. It's now possible to create a masq rule like 'Internal (Network) -> External [General] (Address)'.

jflex · Answer

I believe this can be done under the Remote access section. Choose SSL and then select the 2nd tab for settings. You will find " "Interface Address" drop in any one of your additional addresses there. You may also want to change the Listen Address for the user portal under Management > User Portal > Advanced tab. At the bottom you will see listen address.

--
SCA/UTM/XG Sophos Platinum Partner