Beginner

How can I allow traffic between two AnyConnect VPN connected Clients?

Hi all,

I'm hoping I can get some help here. The issue I'm having is allowing connected VPN clients (running AnyConnect) the ability to directly communicate with each other while on VPN. The clients have access to the LAN and are split-tunneled to the Internet without issues. We've now rolled out Cisco's Jabber clients and, to complete a call, clients need to be able to connect directly to each other.

VPN clients are pingable via the LAN when they're connected, just unable to reach each other.

Any thoughts/ideas would be very much appreciated.

Thanks,

Rich


5 REPLIES

RJI Advisor

Re: How can I allow traffic between two AnyConnect VPN connected Clients?

Hi,

Try adding the command "same-security-traffic permit intra-interface" if not already present, and also make sure you have a NAT exemption rule to ensure traffic to/from your AnyConnect VPN pool is not NATed.

HTH
Beginner

Re: How can I allow traffic between two AnyConnect VPN connected Clients?

Thank you for the reply, adding the 'same-security-traffic' command did not resolve my issue. Here's the output of my NAT rules:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup
translate_hits = 59468351, untranslate_hits = 64333934
2 (inside) to (outside) source static NETWORK_OBJ_172.22.0.0_16 NETWORK_OBJ_172.22.0.0_16 destination static NETWORK_OBJ_172.24.0.0_16 NETWORK_OBJ_172.24.0.0_16 no-proxy-arp route-lookup
translate_hits = 24182709, untranslate_hits = 26425120
3 (inside) to (outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_172.24.0.0_16 NETWORK_OBJ_172.24.0.0_16 no-proxy-arp route-lookup
translate_hits = 244452, untranslate_hits = 275348

I'm not as sharp on the ASA firewall - do the rules above imply I'm NAT'ing the VPN pool?

Thank you!

RJI Advisor (accepted solution)

Re: How can I allow traffic between two AnyConnect VPN connected Clients?
The first NAT rule ensures any traffic from the "inside" to the VPNPOOL on the "outside" interface is not NATed. All RAVPN traffic will be sourced from the "outside", so you will need a rule from outside to outside....

...You will need a NAT exemption rule such as follows (assuming the object VPNPOOL is the correct object):

nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp

If you are split tunneling, then ensure the VPNPOOL subnet is tunnelled back to the ASA/FTD.

You should also ensure that there is no host-based firewall turned on on the Windows computers that could also block communication.

If you have all of this in place and it still does not work, please provide your configuration and the output of "route print" from your Windows computer once connected to the VPN tunnel.

HTH

Beginner

Re: How can I allow traffic between two AnyConnect VPN connected Clients?

Hi RJI,

Your help did end up helping me resolve the issue, but it was a two-parter. The command you provided,

nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp

was required. I also needed to add the VPN pool's address range to the secure routes list for the AnyConnect client, and then packets passed.

Thank you again so much for the assistance!

Rich

Beginner

Re: How can I allow traffic between two AnyConnect VPN connected Clients?

How did you add "the VPN pool's address range to the secure routes list for the AnyConnect"?
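The two parts of the fix described in the accepted solution and in Rich's follow-up (the outside-to-outside identity NAT plus the VPN pool in the split-tunnel list), collected into one ASA configuration fragment. This is an added example, not configuration posted in the thread; the pool range 10.10.10.0/24, the LAN 192.168.100.0/24, the group-policy name RAVPN_GP and the ACL name SPLIT_TUNNEL are assumed placeholders, while VPNPOOL and the two commands come from the thread.

```cisco
! Added example; assumed values: pool 10.10.10.0/24, LAN 192.168.100.0/24,
! group policy RAVPN_GP, split-tunnel ACL SPLIT_TUNNEL, VPN-facing interface "outside".
! Address pool handed to AnyConnect clients, and the object the NAT rule refers to.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network VPNPOOL
 subnet 10.10.10.0 255.255.255.0
!
! Part 1a: a client-to-client flow enters and leaves the same interface,
! which the ASA drops unless hairpinning is explicitly permitted.
same-security-traffic permit intra-interface
!
! Part 1b: identity (no-op) NAT for pool-to-pool traffic on the outside interface,
! so an earlier dynamic PAT rule cannot rewrite the peer client's address.
nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp
!
! Part 2: with split tunneling, the pool itself must be a secured route,
! otherwise the client sends peer traffic out its local adapter instead of the tunnel.
access-list SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Verification after the client reconnects:
!   Windows "route print" should list 10.10.10.0/24 via the AnyConnect adapter;
!   on the ASA, "show nat" hit counts on the (outside,outside) rule should rise
!   and "show conn address 10.10.10.0 netmask 255.255.255.0" should show pool-to-pool flows.
```

Because this makes every connected client reachable from every other client, a vpn-filter ACL applied in the same group policy is the usual way to restrict the hairpinned traffic to the ports the call application actually needs.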