Allow SSL VPN clients to communicate

deyster94
Level 5

I am trying to allow traffic to go between our SSL VPN clients for the use of Cisco soft phones. I have enabled traffic between two or more hosts connected to the same interface. I have also created a NAT for the IP pool that the VPN clients receive. With this configured, when I would do a ping from one VPN client to another, I would get a request timed out. I put a route inside command on the ASA to point the VPN IP pool to the inside router. This allowed me to ping another VPN client, but they could not ping me back. I did see this syslog entry when the other user tried to ping me:

Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src Inside:172.31.253.98/138 dst Inside:172.31.253.255/138 denied due to NAT reverse path failure


I am not sure what the issue is and why I can ping the remote user, but he cannot ping me.  I don't have a local FW enabled on my laptop either.

TIA for any help or ideas.

Dan

2 Replies

Dan,

Are you pinging the real IP address of the client or the VPN-assigned address?

Two remote SSL clients should be able to communicate if you have u-turn configured and no NAT happening between them (unless you want to NAT this traffic between VPN clients).

For example... on the outside interface do you have a NAT rule?

If you do have a NAT rule to allow Internet access to VPN clients like:

nat (outside) 1 VPN_POOL

global (outside) 1 interface

Then, you need to bypass NAT for the communication between VPN clients, like:

access-list DONT_NAT permit ip VPN_POOL VPN_POOL

nat (outside) 0 access-list DONT_NAT

Federico.

Federico,

I am trying to ping the VPN IP address of the client. I noticed I had my NAT rule wrong and changed to the below config (BTW, we are running 8.3):

object network NETWORK_OBJ_172.31.253.0_24
nat (Outside,Outside) static 172.20.253.0

When I do a ping from my PC to another connected VPN user, I receive a request timed out and the following entry in the ASA log:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src Outside:172.31.253.98 dst Outside:172.31.253.100 (type 8, code 0) denied due to NAT reverse path failure

I am going to see what I can find out about that, but if you have any information on what it means and how to fix it, that would be great.

TIA,

Dan
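The 8.3-syntax equivalent of Federico's pre-8.3 `nat (outside) 0 access-list DONT_NAT` exemption, shown next to the object NAT from Dan's second post. This is an added example, not configuration from either poster; the object name `VPN_POOL` is assumed, and the pool 172.31.253.0/24 is taken from the syslog in the thread.

```cisco
! Added example (not from the thread). Assumes the SSL VPN address pool is
! 172.31.253.0/24 (the subnet in the posted syslog) and the object name VPN_POOL.
!
! Hairpinning: a VPN client's packet to another VPN client arrives on Outside
! and must leave on Outside again. Without this, the ASA drops it.
same-security-traffic permit intra-interface
!
object network VPN_POOL
 subnet 172.31.253.0 255.255.255.0
!
! As posted (weak setting): an object NAT that translates the whole pool to
! 172.20.253.0 when traffic re-enters Outside. "Asymmetric NAT rules matched
! for forward and reverse flows" means the rule chosen for client A -> client B
! is not the rule chosen for the return path, so the reverse-path check fails.
!   object network NETWORK_OBJ_172.31.253.0_24
!    nat (Outside,Outside) static 172.20.253.0
!
! Corrected setting: identity (twice) NAT for pool-to-pool traffic, so neither
! source nor destination is translated in either direction. Twice NAT is
! evaluated before object NAT, so it takes precedence over any separate rule
! that gives VPN clients Internet access via the Outside interface address.
nat (Outside,Outside) source static VPN_POOL VPN_POOL destination static VPN_POOL VPN_POOL
```

After applying it, `show nat` lists the identity rule in section 1 and `packet-tracer input Outside icmp 172.31.253.98 8 0 172.31.253.100` should show the flow matching that rule rather than the object NAT.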