03-25-2020 04:51 PM
Hi all,
I'm hoping I can get some help here. The issue I'm having is allowing connected VPN clients (running Anyconnect) the ability to directly communicate with each other while on VPN. The clients have access to the LAN and are split-tunneled to the Internet without issues. We've now rolled out Cisco's Jabber clients and to complete a call, clients need to be able to connect directly to each other.
VPN clients are pingable via the LAN when they're connected, just unable to reach each other.
Any thoughts/ideas would be very much appreciated.
Thanks,
Rich
03-25-2020 04:59 PM
03-25-2020 06:05 PM
Thank you for the reply, adding the 'same-security-traffic' command did not resolve my issue. Here's the output of my NAT rules:
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static VPNPOOL VPNPOOL no-proxy-arp route-lookup
translate_hits = 59468351, untranslate_hits = 64333934
2 (inside) to (outside) source static NETWORK_OBJ_172.22.0.0_16 NETWORK_OBJ_172.22.0.0_16 destination static NETWORK_OBJ_172.24.0.0_16 NETWORK_OBJ_172.24.0.0_16 no-proxy-arp route-lookup
translate_hits = 24182709, untranslate_hits = 26425120
3 (inside) to (outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_172.24.0.0_16 NETWORK_OBJ_172.24.0.0_16 no-proxy-arp route-lookup
translate_hits = 244452, untranslate_hits = 275348
I'm not as sharp on the ASA firewall - Do the rules above imply I'm NAT'ing the VPN pool?
Thank you!
03-26-2020 05:37 AM - edited 03-26-2020 05:53 AM
The first NAT rule ensures any traffic from the "inside" to the VPNPOOL on the "outside" interface is not natted. All RAVPN traffic will be sourced from the "outside", so you will need a rule from outside to outside. You will need a NAT exemption rule such as follows (assuming the object VPNPOOL is the correct object):
nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp
If you are split tunneling, then ensure the VPNPOOL subnet is tunnelled back to the ASA/FTD.
You should also ensure that there is no host-based firewall enabled on the Windows computers that could also block communication.
If you have all of this in place and it still does not work, please provide your configuration and the output of "route print" from your Windows computer once connected to the VPN tunnel.
HTH
03-26-2020 07:27 AM
Hi RJI,
Your help did end up helping me resolve the issue, but it was a two-parter. The command you provided,
nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp
was required. I also needed to add the VPN pool's address range to the secure routes list for the AnyConnect client and then packets passed.
Thank you again so much for the assistance!
Rich
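As an added example (not taken from the thread, and not Cisco's documentation), this is the ASA configuration the two-part fix above corresponds to: the intra-interface permit, the outside-to-outside NAT exemption for the pool, and the split-tunnel list that puts the pool subnet into the AnyConnect client's Secured Routes. The object and group names, the pool range 10.200.0.0/24 and the LAN subnet 10.0.0.0/8 are constructed placeholders; substitute the real ones.

```cisco
! Allow a flow to enter and leave the same interface. Both VPN clients
! terminate on "outside", so client-to-client traffic is outside -> outside.
same-security-traffic permit intra-interface

! Address pool handed out to AnyConnect clients (constructed range).
ip local pool RAVPN_POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0
object network VPNPOOL
 subnet 10.200.0.0 255.255.255.0

! Identity NAT for client-to-client traffic. The existing (inside,outside)
! exemption only covers LAN <-> pool; a hairpin flow needs (outside,outside).
nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp

! Split tunnel. The pool subnet itself must be in the list; otherwise the
! client routes traffic for other VPN clients out its local Internet path.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_TUNNEL standard permit 10.200.0.0 255.255.255.0

group-policy GP_RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group RAVPN general-attributes
 address-pool RAVPN_POOL
 default-group-policy GP_RAVPN

! Verification from the ASA: trace a ping from one pool address to another
! entering on "outside"; the NAT phase should show the (outside,outside) rule
! and the result should be ALLOW.
! packet-tracer input outside icmp 10.200.0.10 8 0 10.200.0.20 detailed
```

On the client, "route print" (Windows) or the AnyConnect Route Details panel should now list 10.200.0.0/24 under Secured Routes; if it is missing, the group-policy split-tunnel list is not the one applied to that tunnel-group.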
03-27-2020 11:38 AM
How did you add "the VPN pool's address range to the secure routes list for the AnyConnect"?