Remote Access PCs on the VPN from a PC on the VPN

jbemp
Level 1

I have been tasked with granting access to our service desk to be able to use SCCM remote access to remote control PCs that are on the Cisco Secure Client VPN when the service desk PC is also at home on the Cisco Secure Client VPN.

This would be a hairpin since the connection would come in and out the same port. I have seen some reports about adding "same-security-traffic permit intra-interface" (Intra instead of Inter since inter would be to route the traffic out another interface of equal security level) 

Would the "same-security-traffic permit intra-interface" command just be on the base of the config or does it need to be within the port config?

Just want to make sure I am looking down the right path, and if there is anything else I might have to do. 

Now to throw a wrench in the works. There are some users on the VPN that have NATs set up so they can access a system that is on the other end of a site-to-site.

1 Reply

tvotna
Spotlight

"same-security-traffic permit intra-interface" is a global command and it applies to all interfaces. You also need to disable NAT for VPN traffic, e.g.

nat (outside,outside) source static <AnyConnect-pool-obj> <AnyConnect-pool-obj> destination static <AnyConnect-pool-obj> <AnyConnect-pool-obj> route-lookup

Also, if you use split-tunneling (split-include), you need to include the pool subnet in the list (or your split-tunneling ACL can be a supernet for the pool subnet).
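
The three steps from the reply above, put together as one ASA configuration fragment. This is an added example, not configuration posted by either participant; the pool subnet 10.10.50.0/24, the internal network 10.20.0.0/16, and the names OBJ-ANYCONNECT-POOL, SPLIT-TUNNEL and GP-VPN-USERS are constructed placeholders.

```text
! Constructed values throughout: replace the subnets and names with your own.

! Object for the VPN address pool (stands in for <AnyConnect-pool-obj>)
object network OBJ-ANYCONNECT-POOL
 subnet 10.10.50.0 255.255.255.0

! Global command, entered in configuration mode, not under an interface.
! It allows traffic to enter and leave the same interface (the hairpin).
same-security-traffic permit intra-interface

! Identity NAT so pool-to-pool traffic is not translated on the way
! in and back out of the outside interface.
nat (outside,outside) source static OBJ-ANYCONNECT-POOL OBJ-ANYCONNECT-POOL destination static OBJ-ANYCONNECT-POOL OBJ-ANYCONNECT-POOL route-lookup

! Split-include list: the pool subnet must be covered, otherwise clients
! send traffic for other VPN clients outside the tunnel.
access-list SPLIT-TUNNEL standard permit 10.20.0.0 255.255.0.0
access-list SPLIT-TUNNEL standard permit 10.10.50.0 255.255.255.0

! Hypothetical group policy; the list has to be in effect for the
! service desk PC and for the PC being controlled, since both ends
! need a tunnel route to the pool.
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

Because same-security-traffic is global, it is the NAT rule and the split-include list that scope the hairpin to the pool, so check rule order with "show nat" if other NAT rules already match these users.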