05-07-2008 01:46 AM - edited 03-11-2019 05:41 AM
I have an ASA 5510 Security Plus appliance which is enabled with remote VPN access. The problem I face is that my VPN users using IP phone communicators are unable to talk to each other.
Only when I enable the option <to allow traffic from two or more hosts connected to the same interface> are my VPN users able to communicate with each other using IP phone communicators.
However, this is a global command, as it will be enabled for all interfaces I have in the firewall. Is there any workaround, as I fear there is a security risk in enabling this option?
Please help me ASAP, as this is urgent.
Thank you
05-07-2008 04:07 AM
Leonard
The restriction of not forwarding traffic back out the interface it was received on has been a well-known feature of PIX and ASA for a long time. One effect of this is that it prevents two remote VPN users from communicating with each other. There is now the config option (which you used) to allow forwarding back out the interface (or out an interface with the same security level) which allows that communication. You are correct that the command is global and will apply to all interfaces. I believe that the security risk of this is not great. And if your remote users need to communicate with each other through the VPN then it is the only option that you have.
HTH
Rick
05-07-2008 05:38 PM
Thanks Rick. But can I specify the port that I want to allow for hosts connected to the same interface to communicate on, or is it a permit any any that cannot be changed?
05-09-2008 06:12 PM
This is not a security risk. You are just allowing the traffic to go out the same interface from where it entered.
05-10-2008 05:40 PM
For VPN clients, how am I going to specify access rules for them? e.g. they are only allowed to access port 80.
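Added example configuration, not posted by anyone in this thread, that puts together the two things asked about above: the global command behind the ASDM option "allow traffic between two or more hosts connected to the same interface" (it is `same-security-traffic permit intra-interface` on ASA 7.x and later, which is why it is absent from PIX 6.3), and a `vpn-filter` ACL on the group policy so that remote-access clients are limited to specific ports once hairpinning is on. The VPN pool 10.10.10.0/24, the ACL name, the group-policy name and the tunnel-group name are assumed values chosen for the example.

```cisco
! Added example, not the thread's own config. Assumes ASA 7.x or later.
!
! Global setting: let traffic leave on the interface it arrived on
! (U-turn / hairpin). This is what the ASDM checkbox "Enable traffic
! between two or more hosts connected to the same interface" sets.
! It cannot be scoped per interface or per port by itself.
same-security-traffic permit intra-interface
!
! Scoping is done with a vpn-filter ACL instead. vpn-filter rules are
! written from the remote client's perspective: source = VPN client
! address, destination = what the client is allowed to reach.
! Assumed VPN address pool: 10.10.10.0/24.
!
! 1) Clients may talk to each other (the hairpinned softphone traffic).
access-list VPN_CLIENT_FILTER extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
! 2) Clients may reach inside hosts on TCP port 80 only.
access-list VPN_CLIENT_FILTER extended permit tcp 10.10.10.0 255.255.255.0 any eq 80
! 3) Everything else from the clients is dropped (explicit for clarity;
!    an ACL also ends with an implicit deny).
access-list VPN_CLIENT_FILTER extended deny ip any any
!
! Attach the filter to the group policy the remote users land in.
group-policy REMOTE_VPN_POLICY attributes
 vpn-filter value VPN_CLIENT_FILTER
!
! Assumed tunnel group for the remote-access clients.
tunnel-group REMOTE_VPN_GROUP general-attributes
 default-group-policy REMOTE_VPN_POLICY
```

The reason a vpn-filter is used rather than an interface ACL is that, with the default `sysopt connection permit-vpn`, decrypted VPN traffic bypasses the outside interface ACL, so an interface ACL would never see it. After applying the filter, `show vpn-sessiondb remote` and `show access-list VPN_CLIENT_FILTER` let you confirm that the policy is attached and that hit counts move for the permitted lines only.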
05-16-2008 10:48 AM
Rick,
I have the same problem. Is this option available in PIX 6.3(5)? I've searched the Config Guide and the Command Reference and haven't found anything regarding such an option. If it is available I would appreciate a hint.
Thanks,
Mike
05-16-2008 12:29 PM
Mike
Unfortunately that option does not exist in 6.3(5). It was introduced in 7.
HTH
Rick