07-17-2008 05:48 PM - last edited on 03-25-2019 05:40 PM by ciscomoderator
Hi All,
I have two 5520 ASAs for serving remote access VPN sessions. I have configured the switch ports for both ASAs in a community private VLAN.
I have a need where the VPN clients need to talk to each other. If I reconfigure the ASA port to a regular switchport vlan, will the clients be able to talk to each other?
Does the ASA respond to ARP requests? Also, do I need to permit same security traffic in order for the clients to talk?
thanks,
07-18-2008 09:36 AM
Hello Meena,
"If I reconfigure the ASA port to a regular switchport vlan"
Why would you need that? An interface needs an IP address to have an ARP table, or to function as proxy ARP as requested.
If all you need is connectivity between outside VPN clients, all you need is same-security-traffic permit intra-interface
Don't know if your ASAs are in failover mode, but assuming not, and if you need a VPN client connected to ASA X to be able to talk to a VPN client connected to Y, all you need is a simple static route in the firewalls.
Please describe more, if I have misunderstood the issue.
Regards
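For readers who land here looking for the actual configuration, the following is an added illustrative ASA config (pre-8.3 syntax, matching the era of this thread), not something posted by either participant. The pool, ACL, group-policy and interface names and all addresses (10.10.10.0/24, 10.10.20.0/24, 192.0.2.2) are assumed placeholders. It shows the intra-interface permit the reply refers to, plus the two things a practitioner usually also has to check: the split-tunnel list must include the VPN pool(s) so the client actually sends client-to-client traffic into the tunnel, and, if nat-control is on, pool-to-pool traffic must be exempted from NAT. The last lines cover the second-ASA case with the static route the reply mentions.

```cisco
! Allow decrypted VPN-client traffic that arrives on "outside" to be
! routed back out "outside" to another VPN client (hairpinning).
same-security-traffic permit intra-interface

! Address pool handed to remote-access clients on this ASA (assumed values).
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! Split-tunnel list: include this ASA's pool AND the peer ASA's pool,
! otherwise the client sends client-to-client traffic outside the tunnel.
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.20.0 255.255.255.0

! Only needed if nat-control is enabled: exempt pool-to-pool traffic from NAT.
access-list NO_NAT extended permit ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list NO_NAT extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
nat (outside) 0 access-list NO_NAT

! Apply the split-tunnel list to the remote-access group policy (assumed name).
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Two-ASA case: on this ASA, route the peer ASA's client pool (assumed
! 10.10.20.0/24) to the peer's outside address on the shared VLAN (assumed
! 192.0.2.2). The peer needs the mirror-image route, split-tunnel entries
! and the same intra-interface permit.
route outside 10.10.20.0 255.255.255.0 192.0.2.2
```

Verify the result from the ASA with "show route" for the pool networks and with "show crypto ipsec sa" on each client tunnel: the encaps/decaps counters for the peer-pool selector should increment when the two clients ping each other. If they stay at zero, the client is not tunnelling that destination, which almost always points at the split-tunnel list.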
07-21-2008 06:43 AM
Yes, I misunderstood that hair-pinning the traffic and allowing the same-security interface traffic are the same. I did not want to hair-pin the traffic, but now I realized that they are 2 different things.
Also, the ASAs are in a cluster and so they are in a community VLAN for the VCA (heartbeats) to work.
I had to permit the same-security interface traffic to solve the problem.
Thanks for your help.