ASA VPN user communication problem

Unanswered Question

We use ASA 5520's for firewalling and VPN. When users are connected to VPN they are unable to communicate with each other. If i remove the nat associated with the outside interface all works well and they are able to communicate. Only problem is that they can no longer hairpin and use the ASA for internet access. I tried to apply and ACL to the nat but denies aren't allowed.


ASA# sh run nat

nat (outside) 1 10.144.0.0 255.255.0.0

nat (dmz) 0 access-list no_nat0

nat (dmz) 1 172.16.0.0 255.240.0.0

nat (dmz) 1 10.0.0.0 255.0.0.0

ASA# sh run global

global (outside) 1 interface


access-list no_nat0 extended permit ip 10.144.191.0 255.255.255.0 any log

access-list no_nat0 extended permit ip 10.144.190.0 255.255.255.0 any log

access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0 log

access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0 l


Any help would be greatly appreciated. Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Fri, 10/09/2009 - 06:59
User Badges:
  • Green, 3000 points or more

This will allow vpn clients (10.144.x.x) to access the dmz as required.


nat (dmz) 0 access-list no_nat0

access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0

access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0


This will allow vpn clients (10.144.x.x0 to access the internet via hairpin.


same-security-traffic permit intra-interface

nat (outside) 1 10.144.0.0 255.255.0.0

global (outside) 1 interface


And this may allow your vpn clients to communicate with each other...


nat (outside) 0 access-list nat0outside

access-list nat0outside extended permit ip 10.144.0.0 255.255.0.0 10.144.0.0 255.255.0.0

Actions

This Discussion