https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308608#M825411 <HTML><HEAD></HEAD><BODY><P>This will allow vpn clients (10.144.x.x) to access the dmz as required. </P><P></P><P>nat (dmz) 0 access-list no_nat0</P><P>access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0</P><P>access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0</P><P></P><P>This will allow vpn clients (10.144.x.x0 to access the internet via hairpin.</P><P></P><P>same-security-traffic permit intra-interface</P><P>nat (outside) 1 10.144.0.0 255.255.0.0</P><P>global (outside) 1 interface</P><P></P><P>And this may allow your vpn clients to communicate with each other...</P><P></P><P>nat (outside) 0 access-list nat0outside</P><P>access-list nat0outside extended permit ip 10.144.0.0 255.255.0.0 10.144.0.0 255.255.0.0</P></BODY></HTML> Fri, 09 Oct 2009 13:59:17 GMT acomiskey 2009-10-09T13:59:17Z https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308607#M825406 <P>We use ASA 5520's for firewalling and VPN. When users are connected to VPN they are unable to communicate with each other. If i remove the nat associated with the outside interface all works well and they are able to communicate. Only problem is that they can no longer hairpin and use the ASA for internet access. I tried to apply and ACL to the nat but denies aren't allowed. </P><P></P><P>ASA# sh run nat</P><P>nat (outside) 1 10.144.0.0 255.255.0.0</P><P>nat (dmz) 0 access-list no_nat0</P><P>nat (dmz) 1 172.16.0.0 255.240.0.0</P><P>nat (dmz) 1 10.0.0.0 255.0.0.0</P><P>ASA# sh run global</P><P>global (outside) 1 interface</P><P></P><P>access-list no_nat0 extended permit ip 10.144.191.0 255.255.255.0 any log </P><P>access-list no_nat0 extended permit ip 10.144.190.0 255.255.255.0 any log </P><P>access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0 log </P><P>access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0 l</P><P></P><P>Any help would be greatly appreciated. Thanks in advance.</P> Wed, 13 Mar 2019 00:59:33 GMT https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308607#M825406 Darren Sasso 2019-03-13T00:59:33Z https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308608#M825411 <HTML><HEAD></HEAD><BODY><P>This will allow vpn clients (10.144.x.x) to access the dmz as required. </P><P></P><P>nat (dmz) 0 access-list no_nat0</P><P>access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0</P><P>access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0</P><P></P><P>This will allow vpn clients (10.144.x.x0 to access the internet via hairpin.</P><P></P><P>same-security-traffic permit intra-interface</P><P>nat (outside) 1 10.144.0.0 255.255.0.0</P><P>global (outside) 1 interface</P><P></P><P>And this may allow your vpn clients to communicate with each other...</P><P></P><P>nat (outside) 0 access-list nat0outside</P><P>access-list nat0outside extended permit ip 10.144.0.0 255.255.0.0 10.144.0.0 255.255.0.0</P></BODY></HTML> Fri, 09 Oct 2009 13:59:17 GMT https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308608#M825411 acomiskey 2009-10-09T13:59:17Z https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308609#M825417 <HTML><HEAD></HEAD><BODY><P>Ok great i'll give that a try. Thanks.</P><P></P><P></P></BODY></HTML> Fri, 09 Oct 2009 14:10:49 GMT https://community.cisco.com/t5/network-security/asa-vpn-user-communication-problem/m-p/1308609#M825417 Darren Sasso 2009-10-09T14:10:49Z