Cisco Support Community
New Member

ASA VPN user communication problem

We use ASA 5520s for firewalling and VPN. When users are connected to VPN they are unable to communicate with each other. If I remove the NAT associated with the outside interface all works well and they are able to communicate. The only problem is that they can no longer hairpin and use the ASA for internet access. I tried to apply an ACL to the NAT but denies aren't allowed.

ASA# sh run nat
nat (outside) 1 10.144.0.0 255.255.0.0
nat (dmz) 0 access-list no_nat0
nat (dmz) 1 172.16.0.0 255.240.0.0
nat (dmz) 1 10.0.0.0 255.0.0.0

ASA# sh run global
global (outside) 1 interface

access-list no_nat0 extended permit ip 10.144.191.0 255.255.255.0 any log
access-list no_nat0 extended permit ip 10.144.190.0 255.255.255.0 any log
access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0 log
access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0 l

Any help would be greatly appreciated. Thanks in advance.

2 REPLIES
Green

Re: ASA VPN user communication problem

This will allow VPN clients (10.144.x.x) to access the DMZ as required.

nat (dmz) 0 access-list no_nat0
access-list no_nat0 extended permit ip any 10.144.191.0 255.255.255.0
access-list no_nat0 extended permit ip any 10.144.190.0 255.255.255.0

This will allow VPN clients (10.144.x.x) to access the internet via hairpin.

same-security-traffic permit intra-interface
nat (outside) 1 10.144.0.0 255.255.0.0
global (outside) 1 interface

And this may allow your VPN clients to communicate with each other...

nat (outside) 0 access-list nat0outside
access-list nat0outside extended permit ip 10.144.0.0 255.255.0.0 10.144.0.0 255.255.0.0
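As an added illustration (not the thread's own config and not Cisco's code), here is a small Python model of the pre-8.3 NAT evaluation order the reply above relies on: a "nat (ifc) 0 access-list" exemption is checked before the dynamic "nat/global" pair, so adding nat0outside keeps client-to-client traffic untranslated while client-to-internet hairpin traffic is still PATed to the outside address. The outside interface address, the routing table and the nat-control setting are assumptions.

```python
import ipaddress

# Constructed model of the pre-8.3 ASA NAT order relevant to this thread: NAT exemption
# ("nat (ifc) 0 access-list") wins if any permit ACE matches and leaves the source alone;
# otherwise dynamic NAT ("nat (ifc) <id> <net> <mask>") paired with "global (ifc) <id>
# interface" PATs the source to the egress interface address. Static and policy NAT are
# not modelled, and nat-control is assumed disabled (no matching global => no translation).

OUTSIDE_IP = "203.0.113.1"  # assumed outside interface address, not from the thread

# Constructed routes: VPN pool and the Internet are behind "outside", RFC1918 space behind "dmz".
ROUTES = [("10.144.0.0/16", "outside"), ("10.0.0.0/8", "dmz"), ("172.16.0.0/12", "dmz")]

def egress(dst):
    for net, ifc in ROUTES:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return ifc
    return "outside"  # default route

class Asa:
    def __init__(self):
        self.exempt = {}    # ingress ifc -> [(src_net, dst_net)] from "nat (ifc) 0 access-list"
        self.dynamic = {}   # ingress ifc -> [(nat_id, src_net)] from "nat (ifc) <id> <net> <mask>"
        self.globals = {}   # (egress ifc, nat_id) -> PAT address from "global (ifc) <id> interface"
        self.intra_interface = False  # "same-security-traffic permit intra-interface"

    def nat0(self, ifc, src, dst):  # one "permit ip <src> <dst>" ACE; "any" is 0.0.0.0/0
        self.exempt.setdefault(ifc, []).append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))

    def nat(self, ifc, nat_id, net):
        self.dynamic.setdefault(ifc, []).append((nat_id, ipaddress.ip_network(net)))

    def translate(self, ingress, src, dst):
        """Source address as seen by the destination, or None if the ASA drops the packet."""
        out = egress(dst)
        if out == ingress and not self.intra_interface:
            return None  # hairpin (outside -> outside) needs intra-interface permission
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if any(s in sn and d in dn for sn, dn in self.exempt.get(ingress, [])):
            return src  # exemption checked first: real address preserved
        for nat_id, net in self.dynamic.get(ingress, []):
            if s in net and (out, nat_id) in self.globals:
                return self.globals[(out, nat_id)]  # dynamic PAT to the egress interface
        return src

def original_config():
    """The poster's config: exemption only on dmz, dynamic PAT for the VPN pool on outside."""
    asa = Asa()
    asa.intra_interface = True
    asa.nat0("dmz", "0.0.0.0/0", "10.144.190.0/24")
    asa.nat0("dmz", "0.0.0.0/0", "10.144.191.0/24")
    asa.nat("outside", 1, "10.144.0.0/16")
    asa.globals[("outside", 1)] = OUTSIDE_IP
    return asa

def fixed_config():
    """The reply's addition: nat (outside) 0 access-list nat0outside for pool-to-pool traffic."""
    asa = original_config()
    asa.nat0("outside", "10.144.0.0/16", "10.144.0.0/16")
    return asa
```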

New Member

Re: ASA VPN user communication problem

OK, great, I'll give that a try. Thanks.
