New Member

Cannot connect to other clients in Remote access VPN (ASA)

Hi

I have a Cisco ASA 5510 device configured with remote access VPN.

I can connect to all hosts on the INSIDE and DMZ networks, but I am not able to access other clients connected to the same VPN.


For example, if I have 2 clients connected to the VPN, clientA and clientB, with VPN pool IP addresses 10.40.170.160 and 10.40.170.161 respectively, both of these clients are unable to communicate with each other.

Any help is welcome.

Thanks in advance.

6 REPLIES
Super Bronze

Cannot connect to other clients in Remote access VPN (ASA)

Hi,

To my understanding there are at least a couple of things you would need configured on the ASA.

You will need the command that enables connections to enter and leave through the same interface. The command needed is

same-security-traffic permit intra-interface

You would also need a NAT0 configuration on your external interface to which the VPN Clients connect. This should be a NAT0 from the VPN Pool network to the VPN Pool network.

What software are you running on the ASA?

- Jouni

New Member

Re: Cannot connect to other clients in Remote access VPN (ASA)

Hi

Thanks for answering.

I already have these configurations in place.

same-security-traffic permit intra-interface

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 10.40.170.0 255.255.255.0

What I'm suspecting is that my internal network (INSIDE) is 10.40.220.x, and on the ASA I have a static route:

route inside 10.40.0.0 255.255.0.0 10.40.251.1 1

Do you think this is creating a problem?

ASA software version is 8.2(2)

Message was edited by: Arthit Chinnachot

Super Bronze

Cannot connect to other clients in Remote access VPN (ASA)

Hi,

I am getting a bit rusty on the old NAT format but what I would try personally would be to configure NAT0 on the "outside" interface.

It seems to me that you currently have Dynamic PAT configured for the VPN users as you have this

nat (outside) 1 10.40.170.0 255.255.255.0

So your traffic is probably matching this.

Only thing I can think of at the moment would be to configure

access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN Clients

access-list VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0

nat (outside) 0 access-list VPN-CLIENT-NAT0

I am not sure if it works. I have not really had to configure this on any ASAs running the older software. There have been some similar questions here on the forums for the new format.

- Jouni

New Member

Cannot connect to other clients in Remote access VPN (ASA)

Thanks a lot.

I removed

nat (outside) 1 10.40.170.0 255.255.255.0

and added the new configuration as suggested by you, and it works. I will see if everything else is fine also.

Thanks again

Super Bronze

Cannot connect to other clients in Remote access VPN (ASA)

Hi,

The "nat" command that you mention is meant for Internet traffic from VPN Clients through the ASA. This should not cause problems for the VPN Client to VPN Client traffic when you have the NAT0 configuration. At least to my understanding.

So if your VPN Clients need Internet connectivity through the ASA then you would need that "nat" command also.

- Jouni
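As an added illustration of the two points Jouni makes above (the nat 0 exemption is evaluated before the "nat (outside) 1" dynamic PAT, and the PAT line is still needed for Internet traffic), here is a small model of the pre-8.3 ASA NAT order of operations run over the config lines from this thread. It is example code written for this page, not Cisco's or the poster's; the config strings are constructed from the thread and 203.0.113.10 is a documentation address standing in for an Internet host.

```python
import ipaddress
import re

# Constructed sample from the thread: the poster's ASA 8.2 NAT lines, then with Jouni's NAT0 lines added.
CONFIG_BEFORE = """
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.40.170.0 255.255.255.0
"""
CONFIG_AFTER = CONFIG_BEFORE + """
access-list VPN-CLIENT-NAT0 remark NAT0 for traffic between VPN Clients
access-list VPN-CLIENT-NAT0 permit ip 10.40.170.0 255.255.255.0 10.40.170.0 255.255.255.0
nat (outside) 0 access-list VPN-CLIENT-NAT0
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Extract the pre-8.3 NAT pieces that matter here: intra-interface, ACLs, nat 0, dynamic nat."""
    intra, acls, nat0, dyn = False, {}, {}, {}
    for line in config.strip().splitlines():
        if line == "same-security-traffic permit intra-interface":
            intra = True
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            name, src, sm, dst, dm = m.groups()
            acls.setdefault(name, []).append((net(src, sm), net(dst, dm)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m.group(1)] = m.group(2)          # NAT exemption ACL bound to an interface
        elif m := re.match(r"nat \((\S+)\) \d+ (\S+) (\S+)", line):
            dyn.setdefault(m.group(1), []).append(net(m.group(2), m.group(3)))
    return intra, acls, nat0, dyn

def translate(config, ifname, src, dst):
    """How ASA 8.2 handles a packet arriving on ifname: exemption is checked before dynamic NAT/PAT."""
    intra, acls, nat0, dyn = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not intra:
        return "dropped: no same-security-traffic permit intra-interface"
    for s, d in acls.get(nat0.get(ifname), []):
        if src in s and dst in d:
            return "exempt"   # nat 0 wins: source keeps its pool address, so the peer can reply
    if any(src in n for n in dyn.get(ifname, [])):
        return "PAT to outside interface address"   # fine for Internet, breaks client-to-client
    return "no translation"

if __name__ == "__main__":
    for cfg, label in ((CONFIG_BEFORE, "before"), (CONFIG_AFTER, "after")):
        print(label, translate(cfg, "outside", "10.40.170.160", "10.40.170.161"))
```

Running it shows client-to-client traffic hitting the PAT rule before the fix and the exemption after it, while traffic from the pool to an Internet address still uses the PAT rule either way.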

New Member

Cannot connect to other clients in Remote access VPN (ASA)

You are right, I need to keep that to let VPN clients connect to the Internet.

Thanks
