Routing between VPN clients.

Jan 8th, 2010

How can I configure my ASA to route between VPN clients?

This is necessary due to the need to use IPT between users at Home Office.

Federico Coto F... Fri, 01/08/2010 - 13:12

What do you mean to route between VPN clients?

You want VPN clients to communicate to each other through the VPN tunnel?

Kent Heide Fri, 01/08/2010 - 14:28

Please elaborate what you are trying to accomplish.

Since you're saying you're going to run IPT (voice), I'm guessing you want this host-to-host communication due to how RTP works. This is not possible dynamically with IPsec and not at all with remote access VPN. DMVPN or GET is traditionally used for these scenarios, but the ASA does not support GRE.

nhjorgensen Mon, 01/11/2010 - 01:10

I have an ASA FW which I have all my VPN clients logged into. They are all logged into servers centrally.

However my problem is that these users use Cisco IPT. Calling into the main office is working fine, also breakout to the city line.

But they cannot call each other. I have tested ping between clients and this is not working either.

So basically the problem is no IP connectivity between VPN clients.



yamramos.tueme Mon, 01/11/2010 - 08:01

If you want to communicate among your clients, make sure that you have 3 things.

1.- Allow 'U' Turn with the following command:  same-security-traffic permit intra-interface

2.- Have a static NAT translation (outside,outside)

3.- If you have split-tunnel configured, make sure that you are sending traffic destined for the pool network across the VPN Tunnel.

You can give that a try.
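
The three prerequisites listed in the reply above, expressed as a check against a saved ASA configuration. This is an added example, not part of the thread: it assumes pre-8.3 `static` syntax, one address pool and one group policy, and the names VPNPOOL, SPLIT and REMOTE and all addresses are constructed.

```python
import ipaddress
import re

# Constructed sample config (pre-8.3 style). Names and addresses are made up.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
same-security-traffic permit intra-interface
static (outside,outside) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
access-list SPLIT standard permit 10.0.0.0 255.0.0.0
group-policy REMOTE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
"""
# Same config with the pool network added to the split-tunnel ACL.
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list SPLIT standard permit 192.168.50.0 255.255.255.0\n")


def pool_range(config):
    """First and last address of the (single) VPN client pool."""
    m = re.search(r"^ip local pool \S+ ([\d.]+)-([\d.]+)", config, re.M)
    return tuple(ipaddress.ip_address(a) for a in m.groups())


def split_tunnel_networks(config):
    """None when all traffic is tunneled, else networks in the split-tunnel ACL."""
    if not re.search(r"^\s*split-tunnel-policy tunnelspecified", config, re.M):
        return None
    name = re.search(r"^\s*split-tunnel-network-list value (\S+)",
                     config, re.M).group(1)
    pat = rf"^access-list {re.escape(name)} standard permit ([\d.]+) ([\d.]+)"
    return [ipaddress.ip_network(f"{net}/{mask}")
            for net, mask in re.findall(pat, config, re.M)]


def check_client_to_client(config):
    """Report which of the three prerequisites the config satisfies."""
    lines = [line.strip() for line in config.splitlines()]
    first, last = pool_range(config)
    nets = split_tunnel_networks(config)
    return {
        # 1. hairpin ("U-turn") traffic allowed on one interface
        "hairpin": "same-security-traffic permit intra-interface" in lines,
        # 2. a static translation from outside to outside exists
        "outside_static": any(l.startswith("static (outside,outside) ") for l in lines),
        # 3. clients send pool-destined traffic into the tunnel
        "pool_tunneled": nets is None or any(first in n and last in n for n in nets),
    }


if __name__ == "__main__":
    print(check_client_to_client(SAMPLE_CONFIG))
    print(check_client_to_client(FIXED_CONFIG))
```

With the sample config the third item fails, because the split-tunnel ACL sends only 10.0.0.0/8 through the tunnel and traffic for another client's pool address leaves the client unencrypted.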

Federico Coto F... Mon, 01/11/2010 - 08:40

As Kent said, you cannot make an RTP session between two VPN clients on the same device using IPsec remote client connection.

I am just wondering, when you try PING connectivity between the two VPN clients, are you trying to reach the other VPN client by his real IP or by his assigned-VPN IP?

