02-02-2014 11:57 PM - edited 03-11-2019 08:39 PM
Hi
I have a Cisco ASA 5510 device configured with remote access VPN.
I can connect to all hosts on the INSIDE and DMZ networks, but I am not able to access other clients connected to the same VPN.
For example, if I have 2 clients connected to the VPN, clientA and clientB, with VPN pool IP addresses 10.40.170.160 and 10.40.170.161 respectively, these two clients are not able to communicate with each other.
Any help is welcome.
Thanks in advance.
02-03-2014 12:02 AM
Hi,
To my understanding there are at least a couple of things you would need configured on the ASA.
You will need the command that enables connections to enter and leave through the same interface. The command needed is
same-security-traffic permit intra-interface
You would also need a NAT0 configuration on your external interface to which the VPN Clients connect. This should be a NAT0 from the VPN Pool network to the VPN Pool network.
What software are you running on the ASA?
- Jouni
02-03-2014 12:14 AM
Hi
Thanks for answering.
I already have these configurations in place.
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.40.170.0 255.255.255.0
What I'm suspecting is that my internal network (INSIDE) is 10.40.220.x, and on the ASA I have a static route:
route inside 10.40.0.0 255.255.0.0 10.40.251.1 1
Do you think this is creating a problem?
ASA software version is 8.2(2)
Message was edited by: Arthit Chinnachot
02-03-2014 12:41 AM
Hi,
I am getting a bit rusty on the old NAT format but what I would try personally would be to configure NAT0 on the "outside" interface.
It seems to me that you currently have Dynamic PAT configured for the VPN users as you have this
nat (outside) 1 10.40.170.0 255.255.255.0
So your traffic is probably matching this.
Only thing I can think of at the moment would be to configure
access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN Clients
access-list VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0
nat (outside) 0 access-list VPN-CLIENT-NAT0
I am not sure if it works. I have not really had to configure this on any ASAs running the older software. There have been some similar questions here on the forums for the new format.
- Jouni
02-03-2014 01:38 AM
Thanks a lot.
I removed
nat (outside) 1 10.40.170.0 255.255.255.0
and added the new configuration as suggested by you, and it works. Will see if everything else is fine also.
Thanks again
02-03-2014 01:42 AM
Hi,
The "nat" command that you mention is meant for Internet traffic from VPN Clients through the ASA. This should not cause problems for the VPN Client to VPN Client traffic when you have the NAT0 configuration. At least to my understanding.
So if your VPN Clients need Internet connectivity through the ASA then you would need that "nat" command also.
- Jouni
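As an added illustration (not code from this thread or from Cisco), here is a small Python model of the point made in the two answers above: on an ASA 8.2 the NAT exemption (nat 0 access-list) is matched before dynamic NAT/PAT, so without the VPN-CLIENT-NAT0 entry a 10.40.170.x to 10.40.170.x hairpin flow on "outside" falls into the nat (outside) 1 PAT rule, while Internet-bound VPN client traffic still needs that rule. The parsing and the order of operations are a deliberate simplification of the real ASA, and 203.0.113.10 is a documentation address used as a constructed Internet destination.

```python
import ipaddress

# Constructed from the NAT lines posted in this thread (ASA 8.2 syntax).
ASA_CONFIG = """
same-security-traffic permit intra-interface
access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN Clients
access-list VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.40.170.0 255.255.255.0
nat (outside) 0 access-list VPN-CLIENT-NAT0
"""

def parse_config(text):
    """Pull out the 8.2-era NAT pieces that decide what happens to a flow."""
    policy = {"intra": False, "acls": {}, "nat0": {}, "dynamic": {}}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if line.startswith("same-security-traffic permit intra-interface"):
            policy["intra"] = True
        elif parts[0] == "access-list" and parts[2] == "permit":
            src = ipaddress.ip_network(f"{parts[4]}/{parts[5]}")
            dst = ipaddress.ip_network(f"{parts[6]}/{parts[7]}")
            policy["acls"].setdefault(parts[1], []).append((src, dst))
        elif parts[0] == "nat":
            iface = parts[1].strip("()")
            if parts[2] == "0":                      # nat (iface) 0 access-list NAME
                policy["nat0"][iface] = parts[4]
            else:                                    # nat (iface) ID net mask
                policy["dynamic"].setdefault(iface, []).append(
                    ipaddress.ip_network(f"{parts[3]}/{parts[4]}"))
    return policy

def nat_decision(policy, ingress, src, dst):
    """Simplified 8.2 order of operations: NAT exemption wins over dynamic NAT/PAT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = policy["nat0"].get(ingress)
    if acl and any(src in s and dst in d for s, d in policy["acls"].get(acl, [])):
        return "exempt"
    if any(src in net for net in policy["dynamic"].get(ingress, [])):
        return "pat-to-interface"
    return "no-translation"

def client_to_client_ok(policy, src, dst):
    """VPN-client-to-VPN-client traffic enters and leaves 'outside': it needs the
    hairpin permit and an untranslated (NAT0) path back to the pool address."""
    return policy["intra"] and nat_decision(policy, "outside", src, dst) == "exempt"
```

Removing the nat 0 line from the sample config reproduces the original symptom (the hairpin flow is PAT'd to the interface address), and removing the same-security-traffic line fails it even with NAT0 in place.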
02-03-2014 02:01 AM
You are right, I need to keep that to let VPN clients connect to the internet.
Thanks