topic Re: Allow Traffice Between VPN Users in Network Security

Allow Traffice Between VPN Users

Ash160 — Tue, 31 Mar 2020 15:45:18 GMT

Hi Experts,

In order to be able to establish sofphone calls from one VPN user working from Home to another VPN user working from HOme too, I need to enable the traffic between VPN users. I have ASA 5515.

My understanding is that I need to add a NAT

nat (outside,outside) source static static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool

is this enough?

Re: Allow Traffice Between VPN Users

Rob Ingram — Tue, 31 Mar 2020 15:47:01 GMT

Hi,
You will also need this command "same-security-traffic permit intra-interface" configured, to allow traffic to be routed back out the same interface it came in on.

HTH

Re: Allow Traffice Between VPN Users

Ash160 — Tue, 31 Mar 2020 16:02:11 GMT

Do I need another Nat?

nat (inside,outside) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
nat (outside,outside) source static static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
nat (any,outside) after-auto source dynamic PAT-SOURCE interface

Re: Allow Traffice Between VPN Users

Ash160 — Tue, 31 Mar 2020 16:06:22 GMT

Can you explain more!

Re: Allow Traffice Between VPN Users

Rob Ingram — Tue, 31 Mar 2020 16:23:55 GMT

Your existing nat rule looks correct, assuming the object in use defines the correct network.

When an AnyConnect user connects to the VPN their traffic is sourced from the outside interface, so if you want those users to communicate with each other you need a NAT exemption rule "nat (outside,outside).....).

The command I provided earlier "same-security-traffic permit intra-interface" allows traffic be routed back out the same interface traffic originated on. This is disabled as default on the ASA.

Re: Allow Traffice Between VPN Users

Ash160 — Tue, 31 Mar 2020 19:12:55 GMT

I am still not able to get VPN clients remote each others or even ping each others.

I added the access-list

the Nat outside, outside

and the

same-security-traffic permit intra-interface

Re: Allow Traffice Between VPN Users

Rob Ingram — Tue, 31 Mar 2020 19:26:48 GMT

Do they have a local firewall turned on?...which is blocking traffic
Provide the output of "show nat detail"

Re: Allow Traffice Between VPN Users

Ash160 — Tue, 31 Mar 2020 20:06:49 GMT

Manual NAT Policies (Section 1)

(inside) to (Internet100) source static VPNAccess-ITGroup VPNAccess-ITGroup destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp route-lookup
translate_hits = 191998, untranslate_hits = 192516
Source - Origin: 172.16.12.0/30, 172.16.13.0/24, 172.16.14.0/24, 172.16.16.0/24
192.168.0.0/24, 192.168.9.0/24, 192.168.99.248/29, 192.168.1.0/24
192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24
172.16.11.0/29, 172.16.11.0/29, 192.168.0.6/32, 192.168.22.0/23
10.124.125.0/24, 10.124.126.0/24, 10.124.127.0/24, 10.124.127.13/32
192.168.111.0/24, 192.168.6.0/24, 192.168.6.0/24, Translated: 172.16.12.0/30, 172.16.13.0/24, 172.16.14.0/24, 172.16.16.0/24
192.168.0.0/24, 192.168.9.0/24, 192.168.99.248/29, 192.168.1.0/24
192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24
172.16.11.0/29, 172.16.11.0/29, 192.168.0.6/32, 192.168.22.0/23
10.124.125.0/24, 10.124.126.0/24, 10.124.127.0/24, 10.124.127.13/32
192.168.111.0/24, 192.168.6.0/24, 192.168.6.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

(inside) to (Internet100) source static any XXXXXXXXXXXXXXX.105.77 destination static OneMail-External-Group OneMail-External-Group
translate_hits = 44632, untranslate_hits = 59757
Source - Origin: 0.0.0.0/0, Translated: XXXXXXXXXXXXXXX.105.77/32
Destination - Origin: 142.46.226.16/30, 142.46.226.20/31, 142.46.226.22/32, 76.75.164.89/32
76.75.164.90/31, 76.75.149.36/31, 76.75.149.38/32, 76.75.177.168/31
76.75.177.170/32, 76.75.133.89/32, 76.75.133.90/31, 76.75.177.138/32
76.75.164.96/32, 76.75.133.96/32, 76.75.149.54/32, Translated: 142.46.226.16/30, 142.46.226.20/31, 142.46.226.22/32, 76.75.164.89/32
76.75.164.90/31, 76.75.149.36/31, 76.75.149.38/32, 76.75.177.168/31
76.75.177.170/32, 76.75.133.89/32, 76.75.133.90/31, 76.75.177.138/32
76.75.164.96/32, 76.75.133.96/32, 76.75.149.54/32
(any) to (DMZ) source static obj-VPNPool obj-VPNPool
translate_hits = 48243, untranslate_hits = 1113
Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

(Internet100) to (Internet100) source static obj-VPNPool obj-VPNPool destination static obj-VPNPool obj-VPNPool
translate_hits = 20, untranslate_hits = 0
Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

Re: Allow Traffice Between VPN Users

Rob Ingram — Tue, 31 Mar 2020 20:23:25 GMT

I assume it's the 3rd NAT rule?...which appears to have been hit.

Do they have a local firewall turned on?...which is blocking traffic??

Do you have split tunnel configured?....if yes you will need to tunnel the VPN Pool network.

Re: Allow Traffice Between VPN Users

Ash160 — Tue, 31 Mar 2020 20:24:59 GMT

Yes I did tunnel

access-list Internet100_access_in extended permit icmp object obj-VPNPool object obj-VPNPool

I think it is the local firewall