VPN users unable to use IP phone communicators to communicate with each other

leo_zidane
Level 1

I have an ASA 5510 Security Plus Appliance which is enabled with Remote VPN access. The problem I face is that my VPN users using IP phone communicators are unable to talk to each other.

Only when I enable the option <to allow traffic from two or more hosts connected to the same interface> are my VPN users able to communicate with each other using IP phone communicators.

However, this is a global command, as it will be enabled for all interfaces I have in the firewall. Is there any workaround, as I fear there is a security risk in enabling this option?

Please help me ASAP as this is urgent.

Thank you

6 Replies

Richard Burts
Hall of Fame

Leonard

The restriction of not forwarding traffic back out the interface it was received on has been a well known feature of PIX and ASA for a long time. One effect of this is that it prevents two remote VPN users from communicating with each other. There is now the config option (which you used) to allow forwarding back out the interface (or out an interface with the same security level) which allows that communication. You are correct that the command is global and will apply to all interfaces. I believe that the security risk of this is not great. And if your remote users need to communicate with each other through the VPN then it is the only option that you have.

HTH

Rick


Thanks Rick. But can I specify the port that I want to allow for hosts connected to the same interface to communicate, or is it permit any any that cannot be changed?

This is not a security risk. You are just allowing the traffic to go out the same interface from where it entered.

For VPN clients, how am I going to specify access rules for them? E.g. they are only allowed to access port 80.
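An added configuration example, not taken from any post in this thread, showing how the global option discussed above is paired with a per-group-policy filter so that VPN clients can reach each other without being allowed everything else. The VPN pool 10.10.10.0/24, the inside network 192.168.1.0/24 and the names RA-PHONES-GP and RA-PHONES-FILTER are placeholders; ASA 7.x or later syntax is assumed.

```cisco
! Added example, not from any post in this thread. Assumes ASA 7.x+ CLI, a VPN address
! pool of 10.10.10.0/24, an inside network of 192.168.1.0/24 and a group policy named
! RA-PHONES-GP; all of these names and addresses are placeholders.

! CLI equivalent of the ASDM checkbox "allow traffic between two or more hosts connected
! to the same interface". It is global, as Rick says: packets may now leave the interface
! they arrived on, which is what lets one VPN client reach another (both sit on outside).
same-security-traffic permit intra-interface

! By default VPN traffic bypasses the interface ACLs (sysopt connection permit-vpn is on),
! so an interface access-group will not narrow what clients can do. Use a vpn-filter
! instead, which is applied per group policy to tunnelled traffic. In a vpn-filter ACL
! the remote VPN client is written as the source; the ACL is checked for both directions
! of a flow, and anything not listed hits the implicit deny. Do not reuse an interface
! ACL as a vpn-filter.

! Client-to-client: softphone signalling and media ports are product-specific, so this
! permits all IP between pool addresses; narrow it to the phone's ports once they are known.
access-list RA-PHONES-FILTER extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
! Client-to-inside: only HTTP, the example given in the question above.
access-list RA-PHONES-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

group-policy RA-PHONES-GP attributes
 vpn-filter value RA-PHONES-FILTER
```

Verify with `show vpn-sessiondb detail remote` that the session shows the filter name, and with `show access-list RA-PHONES-FILTER` that hit counts increase on the expected entries rather than on nothing.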

Rick,

I have the same problem. Is this option available in PIX 6.3(5)? I've searched the Config Guide and the Command Reference and haven't found anything regarding such an option. If it is available I would appreciate a hint.

Thanks,

Mike

Mike

Unfortunately that option does not exist in 6.3(5). It was introduced in 7.

HTH

Rick
