VPN Client to VPN Client Connectivity

Sep 19th, 2008

I believe this question has been addressed before, but I need clarification. Can VPN clients terminated by the same device (ASA), who obviously sit on the same subnet, communicate directly with one another? In my current setup I cannot ping or browse between connected clients. I need traffic between them to have my IP Communicators call and speak to each other successfully.

Will Rate Posts.

Thanks.

acomiskey Fri, 09/19/2008 - 11:16

Without seeing a config I would suggest adding....

same-security-traffic permit intra-interface

Also check vpn client firewall.

mparella Fri, 09/19/2008 - 11:30

Thanks a lot for your help. I did some research on the command you sent me and the "hairpinning" sounds like exactly what I am looking for.

I will give it a try off production hours.

Thanks again.

erich.crosswhite Fri, 09/26/2008 - 07:02

mparella

Were you able to find a solution to this problem? I am looking for a solution to this exact problem and have found nothing that's helped so far.

mparella Fri, 09/26/2008 - 07:20

Yes, it now works for us, but I had to open a TAC case to really get to the bottom of things and clear it up.

Basically you enter the "same-security-traffic permit intra-interface" command in global config. I found out you also have to include the network of the VPN pool on the split-tunneling ACL for the split-tunnel network list that you want to be able to do this. My VPN pool is 172.25.1.0/24, so my statement was:

access-list ABC_splitTunnelACL standard permit 172.25.1.0 255.255.255.0

I could then ping from client to client. I hope this makes sense.
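The two pieces of the fix above (hairpinning plus the VPN pool in the split-tunnel list), pulled together as an added example of an ASA remote-access configuration; this is not mparella's config. The pool and ACL name come from the thread, while the internal network 10.0.0.0/8, the pool/group/tunnel-group names and ASA 8.x syntax are assumptions. Note that permitting intra-interface traffic makes every connected client reachable from every other, so if only the IP Communicator traffic should pass between peers, a vpn-filter ACL on the group policy can narrow it.

```cisco
! Added example (not from the original thread). Names other than the
! pool 172.25.1.0/24 and ACL ABC_splitTunnelACL are assumptions.
!
! 1. Allow traffic to enter and leave the same interface ("hairpinning").
!    Client-to-client VPN traffic arrives on and leaves via the outside
!    interface, which the ASA drops by default.
same-security-traffic permit intra-interface
!
! 2. Split-tunnel ACL: the internal network (assumed 10.0.0.0/8) AND the
!    VPN pool itself, so a client routes traffic for its peers into the
!    tunnel rather than out its local default gateway.
access-list ABC_splitTunnelACL standard permit 10.0.0.0 255.0.0.0
access-list ABC_splitTunnelACL standard permit 172.25.1.0 255.255.255.0
!
! 3. Address pool and group policy that references the ACL.
ip local pool ABC_pool 172.25.1.1-172.25.1.254 mask 255.255.255.0
group-policy ABC_GroupPolicy internal
group-policy ABC_GroupPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ABC_splitTunnelACL
!
! 4. Tunnel group tying the pool and policy together.
tunnel-group ABC type remote-access
tunnel-group ABC general-attributes
 address-pool ABC_pool
 default-group-policy ABC_GroupPolicy
```

To confirm the hairpin setting took effect, "show running-config same-security-traffic" should list the permit line; if two clients still cannot ping, reconnect them so the updated split-tunnel list is pushed, then check the client-side firewall as suggested earlier in the thread.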

maldavis3697 Thu, 03/05/2009 - 09:15

Hello. I just found this post and I need to accomplish the same thing (two VPN clients communicating directly with each other). I found a document that talked about setting up split tunneling through group policy, tunnel group policy and an ACL defining the internal network. From what you said it sounds as if the ACL should actually define the addresses from the VPN pool. What commands did you have to use to get this to work, and could you please confirm that you used the VPN pool addresses for the ACL and not the internal network? Using the VPN pool seems like it should work (I had been wondering about using the internal addresses) but I just wanted to know for sure.

After you defined the split tunneling then you put in the command "same-security-traffic permit intra-interface" and it worked?

Thanks much!
