We are running an ASA 5510 with 9.0.1 as a VPN gateway, and we recently found out that it is possible to query the public IP address, for example with nbtstat via UDP, for connected VPN clients; at least the ASA answers on the public IP on UDP 137 and allows access to a random VPN-connected client.
We see that this is probably coming from the NAT on the public interface for VPN clients going to the internet (we are using tunnel-all and allowing the users via dynamic PAT to go out the same public interface and IP for internet); for that we allowed connections between hosts on the same interface.
So if a VPN user somehow opens a UDP session to the outside, a NAT entry is created, and when the public IP is queried we can see the info from the VPN client (domain membership, user logged in, etc.).
Until now I was thinking that only outgoing traffic was possible, but incoming is also possible, at least for UDP.
Can someone explain to me how this is possible, or better, how to avoid it?
Disabling the NAT works, but then the users are not able to reach internet resources.
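For readers who do not know what the setup described above looks like on an ASA, here is a sanitized configuration of the same shape: tunnel-all remote-access clients, intra-interface traffic permitted, and dynamic PAT of the VPN pool to the outside interface address. This is an added illustration, not the original poster's configuration; the pool (10.200.0.0/24), the object name VPN_POOL and the interface name "outside" are assumptions. The show commands at the end are the checks a practitioner would run to see which translations and UDP connections exist for a given client while the query is in progress.

```cisco
! Added example, not the poster's config. Pool, object name and
! interface name are assumptions; adjust to your environment.

! Allow traffic to enter and leave through the same interface
! (needed for VPN clients that are routed back out the outside interface).
same-security-traffic permit intra-interface

! Address pool handed out to remote-access VPN clients (assumed).
object network VPN_POOL
 subnet 10.200.0.0 255.255.255.0

! Dynamic PAT (ASA 8.3+ syntax): VPN client traffic that arrives through
! the tunnel on "outside" and goes to the internet leaves through "outside"
! again, sourced from the outside interface address.
nat (outside,outside) source dynamic VPN_POOL interface

! --- Checks to run while reproducing the behaviour ---
! Translations currently held for the VPN pool (look for the UDP/137 entries):
show xlate | include 10.200.0.
! UDP connections on port 137 that the ASA is currently tracking:
show conn protocol udp port 137
! Which NAT rule matched, with hit counts:
show nat detail
```

Comparing the output of `show xlate` and `show conn` for a single VPN client before and after it sends an outbound UDP/137 packet shows which state the ASA keeps once the PAT entry exists, which is the starting point for deciding how that state should be restricted.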
This is really interesting. Could you share the sanitized NAT configuration and detail what you mean by "if the VPN user somehow opens a UDP session to outside"? What are the source and destination ports and IPs? Also, from where are you initiating the query for the ASA's public IP?
NAT for U-turn VPN is normally done something like this: