We use ASA 5520s for firewalling and VPN. When users are connected to VPN they are unable to communicate with each other. If I remove the NAT associated with the outside interface all works well and they are able to communicate. The only problem is that they can no longer hairpin and use the ASA for internet access. I tried to apply an ACL to the NAT, but denies aren't allowed.
ASA# sh run nat
nat (outside) 1 10.144.0.0 255.255.0.0
nat (dmz) 0 access-list no_nat0
nat (dmz) 1 172.16.0.0 255.240.0.0
nat (dmz) 1 10.0.0.0 255.0.0.0
ASA# sh run global
global (outside) 1 interface
access-list no_nat0 extended permit ip 10.144.191.0 255.255.255.0 any log
access-list no_nat0 extended permit ip 10.144.190.0 255.255.255.0 any log
access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0 log
access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0 log
Any help would be greatly appreciated. Thanks in advance.
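Added example, not part of the original post or anyone's reply: a pre-8.3-style NAT exemption on the outside interface that keeps VPN-to-VPN hairpin traffic from being translated by the interface PAT, while leaving the existing nat (outside) 1 / global rule in place for internet access. It assumes the VPN client pools are the 10.144.190.0/24 and 10.144.191.0/24 networks already listed in no_nat0, and that the ASA runs the `nat (if) n` / `global` syntax shown in the post; the ACL name no_nat_vpn is made up here.

```cisco
! Assumption: the two /24s below are the VPN client pools (taken from the no_nat0 ACL in the post).
! Traffic from a VPN client enters and leaves on the outside interface, so it must be permitted
! to hairpin; this one line covers both client-to-client and client-to-internet via the ASA.
same-security-traffic permit intra-interface
!
! NAT exemption (nat 0) on the outside interface: pool-to-pool flows keep their real addresses.
! Without it, nat (outside) 1 + global (outside) 1 interface PATs every pool source behind the
! outside IP, and the return traffic can no longer be matched to the other client.
access-list no_nat_vpn extended permit ip 10.144.190.0 255.255.255.0 10.144.190.0 255.255.255.0
access-list no_nat_vpn extended permit ip 10.144.190.0 255.255.255.0 10.144.191.0 255.255.255.0
access-list no_nat_vpn extended permit ip 10.144.191.0 255.255.255.0 10.144.190.0 255.255.255.0
access-list no_nat_vpn extended permit ip 10.144.191.0 255.255.255.0 10.144.191.0 255.255.255.0
nat (outside) 0 access-list no_nat_vpn
!
! The existing dynamic PAT stays untouched, so anything from the pools to a non-pool destination
! (the internet hairpin) is still translated to the outside interface address.
nat (outside) 1 10.144.0.0 255.255.0.0
global (outside) 1 interface
```

Keeping the exemption limited to pool-to-pool pairs rather than the whole 10.144.0.0/16 means only client-to-client flows bypass NAT; a quick check is `packet-tracer input outside icmp 10.144.190.10 8 0 10.144.191.10`, whose NAT phase should show the exemption rule rather than the interface PAT.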