Cisco Support Community
Community Member

How to permit LAN users to access RA VPN users


Is it possible to configure the ASA to allow servers on the LAN (inside) to initiate traffic (e.g. for monitoring) towards users connected via Remote Access VPN? If so, I'd appreciate it if you can send me the link to this documentation/feature or if you have a sample working configuration that I can test.



Cisco Employee

Re: How to permit LAN users to access RA VPN users

Not with Remote Access VPN. Remote Access VPN needs to be initiated by the VPN users which normally is from the Internet/Outside.

If you need to initiate the VPN from LAN users towards a remote site, then you can only configure LAN-to-LAN VPN tunnel, and the VPN needs to be terminated on a device that supports VPN termination. You can't terminate the VPN to a user PC unfortunately.

Community Member

Re: How to permit LAN users to access RA VPN users

This is what I thought was always the case. However, I'm trying to compare Cisco's capability with Checkpoint's claim that this is possible on their platform by simply allowing LAN to remote users' VPN IP Pool in the firewall rules. Checkpoint uses this concept of Office Mode to assign remote VPN users' IP addresses, but it seems to differ somewhat from Cisco's implementation. The reason I'm posting this is that I am planning to replace the CP cluster with ASAs. But if CP can do this and the ASA cannot, then there is no way for a Contact Center's supervisor to monitor call recording sessions being handled by call center agents working remotely.

I'm no CP expert, but while testing this in a lab environment, I could not get any traffic from the LAN to initiate a connection to the VPN Pool. So maybe you're right.

Thanks for any response.


Cisco Employee

Re: How to permit LAN users to access RA VPN users

Well, for the Contact Center Agent to work remotely in the first place, he/she should already be connected via VPN, which means the Contact Center Agent would have already connected via VPN Client to the HQ. Unless they are using a different technology to connect to the HQ. How are they connecting at the moment?

Once the Contact Center Agent is connected, they would have been assigned an ip address from the VPN termination device from an ip pool. That is how you would differentiate different VPN Client/remote VPN access users. After they are connected via VPN Client, HQ LAN should then be able to connect to the VPN Client's PC via its assigned IP from the ip pool.

After the VPN is connected, to initiate traffic from HQ LAN, you would need to check if the personal firewall, etc. is allowing access to the user's PC, as most times a personal firewall is not allowing inbound connections to the PC. You would also need to check if the HQ LAN interface on the ASA has an ACL that might be blocking access from HQ LAN towards the IP Pool subnet.

Hope that makes sense.

Community Member

Re: How to permit LAN users to access RA VPN users

Hi Jennifer,

Yes, this setup is simply remote agents connecting to the HQ FW with VPN client software. So to clarify with one last question, is this the default in ASAs that the HQ LAN would be allowed to initiate a TCP connection towards a VPN client's IP address? Because I thought that the default setup using the RA VPN Wizard in PDM/ASDM is that the ASA NATs the remote agent's IP address? E.g. if the VPN Pool hands out an address to the remote PC, is there any ACL that needs to be modified to allow the LAN to reach this NAT/PAT'ed address? If I need to define an ACL, would that be simply attaching it inbound to the LAN's interface?

Thanks again for the clarification.


Cisco Employee

Re: How to permit LAN users to access RA VPN users

No, normally you would already configure NAT exemption for the VPN connection, i.e. NAT exemption would need to be manually configured so that traffic from HQ LAN towards the VPN Client IP Pool (and vice versa) is exempted from NATing. So from the ASA's perspective, once traffic has been decrypted, it will be from the IP Pool subnet towards HQ LAN, and there won't be any NATing. This is how people normally configure it; however, you can also NAT that traffic if you like.

Here is a sample configuration that shows you the NAT exemption configuration:

From the above sample configuration, the NAT exemption is configured via:

nat (inside) 0 access-list 101

access-list 101 extended permit ip
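The following is an added sample ASA configuration, not from this thread and not Cisco's own documentation, that ties together the two checks from the earlier reply (the inside-interface ACL and NAT exemption) and the `nat (inside) 0 access-list 101` form quoted above. It uses the pre-8.3 NAT syntax the quoted command belongs to. Every address, name and port in it is a constructed placeholder: the HQ LAN is assumed to be 192.0.2.0/24 on the inside interface, the RA VPN pool 198.51.100.0/24, the supervisor's monitoring server 192.0.2.10, and the monitoring port TCP 5555.

```text
! Constructed example (assumed values): HQ LAN 192.0.2.0/24 on "inside", RA VPN pool 198.51.100.0/24
ip local pool RA_POOL 198.51.100.1-198.51.100.254 mask 255.255.255.0

! NAT exemption: traffic between HQ LAN and the VPN pool is left untranslated
access-list 101 extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list 101

! Inside-interface ACL, least privilege: only the monitoring server (assumed 192.0.2.10)
! may initiate connections to the pool, and only on the assumed monitoring port;
! every other LAN host is denied towards the pool, then normal LAN traffic is permitted.
! Order matters: the deny for the pool must come before the general permit.
access-list INSIDE_IN extended permit tcp host 192.0.2.10 198.51.100.0 255.255.255.0 eq 5555
access-list INSIDE_IN extended deny ip any 198.51.100.0 255.255.255.0
access-list INSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group INSIDE_IN in interface inside

! Decrypted VPN traffic bypasses interface ACLs while this (default) setting is on,
! so the return traffic from the agent's PC is not filtered by an outside ACL
sysopt connection permit-vpn

! Verification once an agent is connected (assumed pool address 198.51.100.5):
! show vpn-sessiondb remote
!   -> confirms the address the client was assigned from RA_POOL
! packet-tracer input inside tcp 192.0.2.10 1025 198.51.100.5 5555
!   -> expected result: ALLOW, with the NAT phase showing the exemption
!      from access-list 101 rather than a translation
! show xlate
!   -> no translation entries are expected for 192.0.2.0/24 <-> 198.51.100.0/24
```

If the packet-tracer shows ALLOW but the monitoring session still fails, the remaining suspect is the personal firewall on the agent's PC, as the earlier reply notes, since the ASA is then passing the decrypted connection through. On ASA 8.3 and later the same exemption is expressed as a twice NAT rule (`nat (inside,outside) source static LAN LAN destination static POOL POOL` with matching network objects) instead of `nat 0 access-list`; the interface ACL and `sysopt` lines are unchanged.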
