03-15-2016 05:55 PM
Hi all,
First off - I am no security expert with security products (barely literate on the subject), but I'm running into an issue with a small group of teleworkers that cannot call or video conference with each other. As I was troubleshooting I noticed that none of my VPN users can ping any other VPN users, but they can ping the internal network. I'm sure it is a NAT exemption issue, but I cannot narrow it down. I've been through a dozen posts with similar symptoms, but nothing has helped as of yet. If someone could take a look at the attached config and help me identify what I'm missing, I'd greatly appreciate it.
Thanks folks,
MP
03-15-2016 06:08 PM
Hello Mike,
I see two connection profiles here:
tunnel-group PCS_VPN type remote-access
tunnel-group SSL type remote-access
Can you please confirm on which specific tunnel-group the user connects out of the
Additionally, I see the pool IPs to be in the 172.20.1.0 and 172.20.2.0 ranges, whereas the inside interface IP is 172.20.1.1, which is in the same range. Just a suggestion: this kind of setup creates issues, so it is suggested that you use a different subnet for the pool range.
Lastly, if you could confirm which IP the VPN users are not able to connect to, for reference, that would be helpful.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-15-2016 06:22 PM
Thanks for the reply Dinesh!
The tunnel-group PCS_VPN is what the users are connecting in over. The SSL was for some remote phones that are no longer in use.
I appreciate the advice about the different IP pools for the VPN users. I was trying to keep it simple since I'm so unfamiliar, so it wouldn't surprise me if it caused some issues. I will look into changing the VPN ranges in the future.
Also - I should have provided this info in the original post; here is the subnet breakdown.
External - 192.168.1.X
Internal Data subnet - 172.20.1.X
Internal Voice subnet - 172.20.2.X
Thanks,
Mike P.
03-16-2016 06:45 PM
Just to close the loop on this. I was tinkering around this evening and found the following command that corrected this.
"same-security-traffic permit intra-interface"
It appears that the ASA5506 doesn't like traffic entering and exiting the same interface without that command.
Thanks!
Mike P.
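For readers landing on this thread, here is an added configuration example (not from the original posts, nor Mike's actual config) that puts together the two points raised above: Dinesh's advice to give the VPN clients their own pool rather than addresses from the inside subnet, and the hairpin permit Mike found, plus the NAT exemption that client-to-client traffic normally also needs on ASA 8.3 and later. The pool 172.20.10.0/24, the object and pool names, and the interface name "outside" are assumptions chosen so the example does not overlap the 172.20.1.0/24 data or 172.20.2.0/24 voice subnets from the thread.

```cisco
! Added example (not from this thread): ASA 8.3+ configuration that lets one
! remote-access VPN client reach another. Pool, object and interface names are
! assumptions; 172.20.10.0/24 is a constructed pool that does not overlap the
! inside data subnet (172.20.1.0/24) or the voice subnet (172.20.2.0/24).

! 1. Give the VPN clients their own subnet instead of carving addresses out of
!    the inside subnet (the overlap Dinesh pointed out).
ip local pool PCS_VPN_POOL 172.20.10.10-172.20.10.100 mask 255.255.255.0

object network VPN_POOL_NET
 subnet 172.20.10.0 255.255.255.0

! 2. Client-to-client traffic arrives on "outside" and has to leave on "outside"
!    again (a hairpin). The ASA drops this by default; this is the command Mike found.
same-security-traffic permit intra-interface

! 3. NAT exemption for the hairpinned traffic: identity (twice) NAT so the client
!    addresses are left untranslated on the way back out of "outside".
nat (outside,outside) source static VPN_POOL_NET VPN_POOL_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup

! 4. Tie the pool to the profile the users actually connect through.
tunnel-group PCS_VPN general-attributes
 address-pool PCS_VPN_POOL

! Checks (run from enable mode, not configuration mode):
! show running-config same-security-traffic
!   -> should list "same-security-traffic permit intra-interface"
! packet-tracer input outside icmp 172.20.10.11 8 0 172.20.10.12
!   -> every phase, including NAT, and the final result should show ALLOW;
!      a DROP in the NAT phase points at the exemption rule above being
!      missing or placed after a broader dynamic NAT rule.
```

The packet-tracer line simulates a ping from one VPN client to another with the two constructed pool addresses; it is the quickest way to confirm, without involving the teleworkers, that both the hairpin permit and the NAT exemption are in effect. If the pool is left overlapping the inside subnet as in the original config, the network object in step 3 has to match the address ranges the clients are actually assigned, otherwise the exemption never matches.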