
Cisco ASA SSL VPN users (Anyconnect) communication with each other

KumarMH06540
Level 1

Dear All,

I had a query regarding a Cisco ASA SSL VPN setup.

Requirement: I was wondering if I could enable SSL VPN users to communicate with each other; by default it is not enabled.

Existing Setup: Cisco ASA 9.0+ version with SSL VPN setup.

Appreciate any pointers and suggestions to achieve the same.

Thanks

 

4 Replies

Hi,

You will need the command "same-security-traffic permit intra-interface" in order to route traffic in/out of the same interface. You will also need a NAT exemption rule to ensure the traffic is not unintentionally NATed. Example:

object network RAVPN
 subnet 192.168.10.0 255.255.255.0

nat (OUTSIDE,OUTSIDE) source static RAVPN RAVPN destination static RAVPN RAVPN no-proxy-arp

Amend the object RAVPN to represent your VPN IP pool.

HTH

I confirm I set up a customer similar to what @Rob Ingram recommended just last month and it worked fine.

However, we don't recommend it universally, since it may unnecessarily expose remote users to one another's vulnerabilities. We ended up allowing it only for IT admins while filtering it out for normal users.
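Putting the two replies above together, here is an added example configuration (not posted by anyone in this thread) that enables the hairpin only for an admin pool, as the second reply describes, and blocks client-to-client traffic for normal users with a vpn-filter on their group-policy. Every name (ADMIN-POOL, USER-POOL, ADMIN-VPN, USER-VPN, GP-ADMINS, GP-USERS, the two ACLs), the two pool ranges and the 10.0.0.0/8 internal network are assumptions; adjust them to your own pools and LAN.

```cisco
! Added example, not from the thread. Names, pool ranges and the 10.0.0.0/8 internal range are assumed.
!
! 1. Let a packet enter and leave the same interface (VPN client -> ASA -> VPN client).
same-security-traffic permit intra-interface
!
! 2. Separate pools so admins and normal users can be told apart by address.
ip local pool ADMIN-POOL 192.168.10.1-192.168.10.50 mask 255.255.255.0
ip local pool USER-POOL 192.168.20.1-192.168.20.200 mask 255.255.255.0
!
object network ADMIN-VPN
 subnet 192.168.10.0 255.255.255.0
object network USER-VPN
 subnet 192.168.20.0 255.255.255.0
!
! 3. Twice (identity) NAT for the admin pool only, so hairpinned admin-to-admin
!    traffic keeps its real addresses. No such rule exists for USER-VPN.
nat (OUTSIDE,OUTSIDE) source static ADMIN-VPN ADMIN-VPN destination static ADMIN-VPN ADMIN-VPN no-proxy-arp
!
! 4. vpn-filter ACLs. Source is the client's pool, destination is what the client may
!    reach. A vpn-filter ends in an implicit deny, so the internal network must be
!    permitted explicitly or the clients lose all access.
access-list ACL-ADMIN-VPN-FILTER extended permit ip 192.168.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ACL-ADMIN-VPN-FILTER extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
!
access-list ACL-USER-VPN-FILTER extended deny ip 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list ACL-USER-VPN-FILTER extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ACL-USER-VPN-FILTER extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! 5. Bind pool and filter to each group-policy.
group-policy GP-ADMINS internal
group-policy GP-ADMINS attributes
 address-pools value ADMIN-POOL
 vpn-filter value ACL-ADMIN-VPN-FILTER
group-policy GP-USERS internal
group-policy GP-USERS attributes
 address-pools value USER-POOL
 vpn-filter value ACL-USER-VPN-FILTER
```

The two group-policies still have to be assigned to users, either as the default-group-policy of a tunnel-group or through a AAA attribute; that mapping is omitted here. The design keeps the blast radius small: a compromised normal-user laptop can reach the LAN it is allowed to reach, but not the other VPN clients, and admin-to-admin reachability is visible in the config as one explicit NAT rule plus one ACL line.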

Thanks for the suggestions.

I tried the following commands and still the SSL VPN users are not able to ping each other.

conf t

same-security-traffic permit intra-interface

nat (OUTSIDE,OUTSIDE) source static VPN-USER VPN-USER destination static VPN-USER VPN-USER no-proxy-arp

Any suggestions on troubleshooting or things I should be looking for?
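For the situation described in the reply above (both commands applied, pings still failing), here is an added set of checks that is not part of any poster's answer. The client addresses 192.168.10.5 and 192.168.10.6 are assumed placeholders; the object name VPN-USER is taken from the reply.

```cisco
! Added example, not from the thread. 192.168.10.5/.6 are placeholder client addresses.
!
! Is the hairpin really in the running config (not just typed in a lost session)?
show running-config same-security-traffic
!
! Does the object cover the pool the clients were actually assigned from?
show running-config object
show vpn-sessiondb anyconnect
!
! Is the twice-NAT rule present, and does its hit count rise while a client pings?
show nat detail
!
! Simulate a client-to-client ICMP echo (type 8, code 0) arriving on OUTSIDE and read
! which phase drops it: NAT, an interface ACL, or a vpn-filter.
packet-tracer input OUTSIDE icmp 192.168.10.5 8 0 192.168.10.6 detailed
!
! Are any ACL entries (interface ACL or vpn-filter) denying pool-to-pool traffic?
show access-list
```

Two causes that no ASA command will show are worth ruling out first: if split tunnelling is used, the VPN pool subnet itself must be included in the split-tunnel ACL, otherwise the client never sends traffic for the other client's address into the tunnel; and the host firewall on a client (Windows, for example) commonly drops inbound ICMP echo even when the ASA forwards it, so test with a TCP port the peer is known to listen on as well as with ping.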

Hi Kumar,

You can simply add the following command in global configuration:

same-security-traffic permit intra-interface

Let me know if the answer was helpful.