Communication between two VPN Clients

rafacampos
Level 1

I deployed an IP Telephony infrastructure with several IP Communicator software phones. Most users of these IP Communicators are teleworkers connecting from the Internet to the headquarters using Cisco's VPN client. The VPN concentrator is a Cisco ASA 5510 at the Headquarters where the CallManager resides.

My problem is that when the teleworkers call each other, although the call is correctly set up, there is no voice traffic at all. I quickly realized that it was because there is no IP connectivity between two VPN tunnels. Any idea on how I can solve this issue? How can I route IP traffic between tunnels in the ASA?

5 Replies

pradeepde
Level 5

Concurrent to the LAN-to-LAN VPN, the central concentrator also accepts remote access VPN connections. Communication is then enabled between the remote access VPN Client and the local LAN, behind the remote concentrator, through the central concentrator. The communication between spokes is enabled through the use of Reverse Route Injection (RRI).

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

I am also having this issue...however, I am using a PIX-520 running 6.3(3). My problem is exactly the same, however.

It may also be possible to route the voice calls through the callmanager server somehow...however, I am not aware of how to do this, or if it's truly possible...any help would be appreciated from anybody.

This global command solved my problem:

same-security-traffic permit intra-interface

However, I'm not sure if it works with version 6.3(3).

Don't forget also to add the address pool for the VPN client to the crypto ACL and the NAT0 ACL.

Good luck!

Rafa

I found out that this can be resolved by upgrading to PIX 7 software, and then using the commands given earlier in this post (just as they can be used in the ASA). However, my PIX 520 is too old to run PIX 7, as it is not supported. So, I'm looking into upgrading to an ASA 5520 to resolve this.

Fernando_Meza
Level 7

Assuming you have the same IP pool range for your remote users and that you are running code 7.+ on the ASA, make sure you have the below commands in your config.

sysopt connection permit-ipsec

same-security-traffic permit intra-interface

This will allow communication between remote users.
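The pieces mentioned across this thread (intra-interface hairpinning, the VPN pool in the NAT-exemption ACL, the sysopt bypass, and the pool in the tunnel ACL) fit together as follows. This is an added, constructed ASA 7.x configuration fragment, not any poster's actual config: the inside LAN 10.1.1.0/24, the pool 192.168.50.0/24 and the names VPNPOOL, NONAT, SPLIT and TELEWORKERS are all made-up example values. The split-tunnel section is an assumption that only applies if split tunneling is in use; with tunnel-all, client-to-client traffic already enters the tunnel.

```cisco
! --- Address pool handed to remote-access VPN clients (constructed values) ---
ip local pool VPNPOOL 192.168.50.1-192.168.50.100 mask 255.255.255.0

! --- Hairpin: let a packet that arrived on "outside" (decrypted from client A)
! --- leave through "outside" again (re-encrypted toward client B).
! --- Without this line the ASA drops client-to-client traffic, which is the
! --- "call sets up but no voice" symptom described above (RTP is dropped, SIP/SCCP
! --- to CallManager on the inside still works).
same-security-traffic permit intra-interface

! --- Bypass the outside interface ACL for traffic that arrived inside IPsec ---
sysopt connection permit-ipsec

! --- NAT exemption (nat 0): inside LAN <-> pool, AND pool <-> pool.
! --- The second line is the one people forget: hairpinned traffic is
! --- pool-to-pool, and if nat-control is on or a nat (outside) rule exists,
! --- it must be exempted on the outside interface too.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.50.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (outside) 0 access-list NONAT

! --- ASSUMPTION: only if split tunneling is used. The pool itself must be in the
! --- split-tunnel list, otherwise client A sends RTP destined for client B's
! --- pool address out its local Internet link instead of into the tunnel.
access-list SPLIT standard permit 10.1.1.0 255.255.255.0
access-list SPLIT standard permit 192.168.50.0 255.255.255.0
group-policy TELEWORKERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
```

To verify after applying this, `show run same-security-traffic` should list the intra-interface line, `show run nat` should show both nat 0 statements, and once two clients are connected a call between them should show a translation-free hairpinned flow in `show conn` with both endpoints in the pool range.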