08-10-2020 02:41 AM - edited 08-10-2020 02:41 AM
Dear All,
I had a query regarding Cisco ASA SSL VPN setup.
Requirement: I was wondering if I could enable SSL VPN users to communicate with each other; by default it is not enabled.
Existing Setup: Cisco ASA 9.0+ version with SSL VPN setup.
Appreciate any pointers and suggestions to achieve the same.
Thanks
08-10-2020 02:51 AM
Hi,
You will need the command "same-security-traffic permit intra-interface" in order to route traffic in/out the same interface. You will also need a NAT exemption rule, to ensure the traffic is not unintentionally NATted. Example:
object network RAVPN
 subnet 192.168.10.0 255.255.255.0
nat (OUTSIDE,OUTSIDE) source static RAVPN RAVPN destination static RAVPN RAVPN no-proxy-arp
Amend the object RAVPN to represent your VPN IP Pool.
HTH
08-10-2020 09:40 AM
I confirm I set up a customer similar to what @Rob Ingram recommended just last month and it worked fine.
However, we don't recommend it universally since it may unnecessarily expose remote users to one another's vulnerabilities. We ended up allowing it only for IT admins while filtering it out for normal users.
08-11-2020 01:30 PM
Thanks for the suggestions.
I tried the following commands and SSL VPN users are still not able to ping each other.
conf t
same-security-traffic permit intra-interface
nat (OUTSIDE,OUTSIDE) source static VPN-USER VPN-USER destination static VPN-USER VPN-USER no-proxy-arp
Any suggestions on troubleshooting or things I should be looking for?
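As an added troubleshooting aid (not part of the thread, and not a Cisco tool), the script below audits a saved ASA running-config text for the two settings discussed above: the intra-interface permit and an identity (hairpin) twice-NAT exemption whose object is actually defined and covers the "ip local pool" range. The sample config, the object name RAVPN-POOL and the check messages are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt (not from the thread): VPN pool, the
# intra-interface permit and the identity (hairpin) NAT exemption for the pool.
SAMPLE_CONFIG = """\
ip local pool RAVPN-POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0
same-security-traffic permit intra-interface
object network RAVPN
 subnet 192.168.10.0 255.255.255.0
nat (OUTSIDE,OUTSIDE) source static RAVPN RAVPN destination static RAVPN RAVPN no-proxy-arp
"""

INTRA_RE = re.compile(r"^same-security-traffic permit intra-interface\s*$", re.M)
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask \S+", re.M)

def network_objects(config: str) -> dict[str, ipaddress.IPv4Network]:
    """Map each 'object network NAME' to its 'subnet A M' line (host/range objects ignored)."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^object network (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"^\s+subnet (\S+) (\S+)$", line)) and current:
            objects[current] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif line and not line.startswith(" "):
            current = None  # an unindented line ends the object block
    return objects

def hairpin_exemptions(config: str) -> list[str]:
    """Objects named in an identity twice-NAT rule whose ingress and egress interface match."""
    return [s1 for a, b, s1, s2, d1, d2 in NAT_RE.findall(config)
            if a == b and s1 == s2 == d1 == d2]

def audit_client_to_client(config: str) -> list[str]:
    """Reasons client-to-client (hairpin) traffic between VPN users would still fail."""
    problems = []
    if not INTRA_RE.search(config):
        problems.append("missing 'same-security-traffic permit intra-interface'")
    objects, exempt = network_objects(config), hairpin_exemptions(config)
    if not exempt:
        problems.append("no identity NAT exemption: nat (X,X) source static P P destination static P P")
    for obj in exempt:
        if obj not in objects:
            problems.append(f"NAT exemption references undefined network object '{obj}'")
    for lo, hi in POOL_RE.findall(config):  # each pool must sit inside an exempted object
        if not any(o in objects and ipaddress.IPv4Address(lo) in objects[o]
                   and ipaddress.IPv4Address(hi) in objects[o] for o in exempt):
            problems.append(f"VPN pool {lo}-{hi} is not covered by any NAT-exempted object")
    return problems
```

An empty result means both prerequisites are present and consistent; anything else names the first thing to look at before checking ACLs or group policies.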
10-16-2020 07:32 AM
Hi Kumar,
You can simply add the following command in global configuration:
same-security-traffic permit intra-interface
Let me know if the answer was helpful.