Objective: To allow traffic between two AnyConnect VPN clients.
Problem Description:
Assume two clients running AnyConnect have access to the LAN and are split-tunneled to the internet. If you want these two clients to communicate directly with each other, there can be some issues: the VPN clients are pingable from the LAN while they are connected, but they might still not be able to reach each other.
Solution:
To resolve this issue, follow the steps below:
- NAT exemption rules, commonly used for VPN traffic, allow the traffic permitted by the ACL to make connections with the protected hosts. To allow traffic between two AnyConnect VPN clients, first permit traffic to enter and leave the same interface with the command
ciscoasa(config)# same-security-traffic permit intra-interface
- All RAVPN traffic is sourced from the "outside" interface, so to establish communication between two clients you need a rule from outside to outside. Add the following NAT exemption rule:
nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp
where VPNPOOL is the name of the network object that defines the VPN address pool.
- Now add the VPN pool's address range to the secured routes list of the AnyConnect client, so that traffic destined for the other client is sent through the tunnel instead of the split-tunneled internet path.
Note:
- If you're splitting the tunnel, ensure that the VPNPOOL subnet is tunneled back to the ASA/FTD.
- Ensure that host-based firewalls are turned off on Windows systems.
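The following ASA configuration ties the three steps and the split-tunnel note together in one place. It is an added example written for this article, not configuration taken from the original page or from Cisco documentation. The pool 10.10.10.0/24, the LAN 192.168.1.0/24, the ACL name SPLIT_TUNNEL and the group-policy name RAVPN_GP are assumed values; substitute your own.

```cisco
! --- Assumed values (not from the article): pool 10.10.10.0/24, LAN 192.168.1.0/24
ip local pool VPNPOOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
object network VPNPOOL
 subnet 10.10.10.0 255.255.255.0

! Step 1: let traffic enter and leave the same interface (outside -> outside)
same-security-traffic permit intra-interface

! Step 2: identity NAT so client-to-client traffic is neither translated nor
! answered by proxy ARP on the outside interface
nat (outside,outside) source static VPNPOOL VPNPOOL destination static VPNPOOL VPNPOOL no-proxy-arp

! Step 3 + Note: the split-tunnel ACL must include the VPN pool itself, otherwise
! a client sends traffic for another client out its local internet path
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.10.10.0 255.255.255.0

! Assumed group-policy name RAVPN_GP; attach the split-tunnel list to it
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Verification: confirm the NAT rule is hit and simulate an ICMP echo between
! two connected clients (assumed addresses 10.10.10.10 and 10.10.10.11)
! show nat detail
! packet-tracer input outside icmp 10.10.10.10 8 0 10.10.10.11
```

After the clients reconnect, the pool subnet should appear under Secured Routes in the AnyConnect client's Route Details, and the packet-tracer output should end with an ALLOW result on the outside interface. If the trace is dropped at the NAT phase, the identity rule is most likely missing or ordered after a more general one in the NAT table.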