Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1592
Views
5
Helpful
9
Replies

Allow Traffice Between VPN Users

Go to solution
Ash160
Level 1
Level 1

‎03-31-2020 08:44 AM - edited ‎03-31-2020 08:45 AM

Hi Experts,

 

In order to be able to establish sofphone calls from one VPN user working from Home to another VPN user working from HOme too, I need to enable the traffic between VPN users. I have ASA 5515. 

My understanding is that I need to add a NAT

nat (outside,outside) source static static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool

is this enough?

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Ash160

‎03-31-2020 01:23 PM

I assume it's the 3rd NAT rule?...which appears to have been hit.

Do they have a local firewall turned on?...which is blocking traffic??

Do you have split tunnel configured?....if yes you will need to tunnel the VPN Pool network.

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Rob Ingram
VIP
VIP

‎03-31-2020 08:47 AM

Hi,
You will also need this command "same-security-traffic permit intra-interface" configured, to allow traffic to be routed back out the same interface it came in on.

HTH
0 Helpful

Go to solution
Ash160
Level 1
Level 1
In response to Rob Ingram

‎03-31-2020 09:01 AM - edited ‎03-31-2020 09:02 AM

Do I need another Nat?

 

nat (inside,outside) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
nat (outside,outside) source static static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
nat (any,outside) after-auto source dynamic PAT-SOURCE interface

0 Helpful

Go to solution
Ash160
Level 1
Level 1
In response to Rob Ingram

‎03-31-2020 09:06 AM

Can you explain more!
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Ash160

‎03-31-2020 09:23 AM

Your existing nat rule looks correct, assuming the object in use defines the correct network.

When an AnyConnect user connects to the VPN their traffic is sourced from the outside interface, so if you want those users to communicate with each other you need a NAT exemption rule "nat (outside,outside).....).

The command I provided earlier "same-security-traffic permit intra-interface" allows traffic be routed back out the same interface traffic originated on. This is disabled as default on the ASA.

Go to solution
Ash160
Level 1
Level 1
In response to Rob Ingram

‎03-31-2020 12:12 PM

I am still not able to get VPN clients remote each others or even ping each others.

 

I added the access-list 

the Nat outside, outside

and the 

same-security-traffic permit intra-interface

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Ash160

‎03-31-2020 12:26 PM

Do they have a local firewall turned on?...which is blocking traffic
Provide the output of "show nat detail"
0 Helpful

Go to solution
Ash160
Level 1
Level 1
In response to Rob Ingram

‎03-31-2020 01:06 PM

Manual NAT Policies (Section 1)

 

(inside) to (Internet100) source static VPNAccess-ITGroup VPNAccess-ITGroup destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp route-lookup
translate_hits = 191998, untranslate_hits = 192516
Source - Origin: 172.16.12.0/30, 172.16.13.0/24, 172.16.14.0/24, 172.16.16.0/24
192.168.0.0/24, 192.168.9.0/24, 192.168.99.248/29, 192.168.1.0/24
192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24
172.16.11.0/29, 172.16.11.0/29, 192.168.0.6/32, 192.168.22.0/23
10.124.125.0/24, 10.124.126.0/24, 10.124.127.0/24, 10.124.127.13/32
192.168.111.0/24, 192.168.6.0/24, 192.168.6.0/24, Translated: 172.16.12.0/30, 172.16.13.0/24, 172.16.14.0/24, 172.16.16.0/24
192.168.0.0/24, 192.168.9.0/24, 192.168.99.248/29, 192.168.1.0/24
192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24
172.16.11.0/29, 172.16.11.0/29, 192.168.0.6/32, 192.168.22.0/23
10.124.125.0/24, 10.124.126.0/24, 10.124.127.0/24, 10.124.127.13/32
192.168.111.0/24, 192.168.6.0/24, 192.168.6.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

 

(inside) to (Internet100) source static any XXXXXXXXXXXXXXX.105.77 destination static OneMail-External-Group OneMail-External-Group
translate_hits = 44632, untranslate_hits = 59757
Source - Origin: 0.0.0.0/0, Translated: XXXXXXXXXXXXXXX.105.77/32
Destination - Origin: 142.46.226.16/30, 142.46.226.20/31, 142.46.226.22/32, 76.75.164.89/32
76.75.164.90/31, 76.75.149.36/31, 76.75.149.38/32, 76.75.177.168/31
76.75.177.170/32, 76.75.133.89/32, 76.75.133.90/31, 76.75.177.138/32
76.75.164.96/32, 76.75.133.96/32, 76.75.149.54/32, Translated: 142.46.226.16/30, 142.46.226.20/31, 142.46.226.22/32, 76.75.164.89/32
76.75.164.90/31, 76.75.149.36/31, 76.75.149.38/32, 76.75.177.168/31
76.75.177.170/32, 76.75.133.89/32, 76.75.133.90/31, 76.75.177.138/32
76.75.164.96/32, 76.75.133.96/32, 76.75.149.54/32
(any) to (DMZ) source static obj-VPNPool obj-VPNPool
translate_hits = 48243, untranslate_hits = 1113
Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

 

(Internet100) to (Internet100) source static obj-VPNPool obj-VPNPool destination static obj-VPNPool obj-VPNPool
translate_hits = 20, untranslate_hits = 0
Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Ash160

‎03-31-2020 01:23 PM

I assume it's the 3rd NAT rule?...which appears to have been hit.

Do they have a local firewall turned on?...which is blocking traffic??

Do you have split tunnel configured?....if yes you will need to tunnel the VPN Pool network.
0 Helpful

Go to solution
Ash160
Level 1
Level 1
In response to Rob Ingram

‎03-31-2020 01:24 PM

Yes I did tunnel 

access-list Internet100_access_in extended permit icmp object obj-VPNPool object obj-VPNPool

 

I think it is the local firewall

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card