Nat considerations for intra-interface traffic, Setting maximum active ipsec or ssl vpn sessions – Cisco ASA 5505 User Manual


66-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 66 Setting General VPN Parameters

Setting Maximum Active IPsec or SSL VPN Sessions

To configure this feature, use the same-security-traffic command in global configuration mode with its
intra-interface argument.

The command syntax is same-security-traffic permit {inter-interface | intra-interface}.

The following example shows how to enable intra-interface traffic:

hostname(config)# same-security-traffic permit intra-interface
hostname(config)#

Note

You use the same-security-traffic command, but with the inter-interface argument, to permit
communication between interfaces that have the same security level. This feature is not specific to IPsec
connections. For more information, see the “Configuring Interface Parameters” chapter of this guide.

To use hairpinning, you must apply the proper NAT rules to the ASA interface, as discussed in the
following section.

NAT Considerations for Intra-Interface Traffic

For the ASA to send unencrypted traffic back out through the interface, you must enable NAT for the
interface so that publicly routable addresses replace your private IP addresses (unless you already use
public IP addresses in your local IP address pool). The following example applies an interface PAT rule
to traffic sourced from the client IP pool:

hostname(config)# ip local pool clientpool 192.168.0.10-192.168.0.100
hostname(config)# object network vpn_nat
hostname(config-network-object)# subnet 192.168.0.0 255.255.255.0
hostname(config-network-object)# nat (outside,outside) interface

When the ASA sends encrypted VPN traffic back out this same interface, however, NAT is optional. The
VPN-to-VPN hairpinning works with or without NAT. To apply NAT to all outgoing traffic, implement
only the commands above. To exempt the VPN-to-VPN traffic from NAT, add commands (to the example
above) that implement NAT exemption for VPN-to-VPN traffic, such as:

hostname(config)# nat (outside,outside) source static vpn_nat vpn_nat destination static vpn_nat vpn_nat

For more information on NAT rules, see the “Applying NAT” chapter of this guide.
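The two prerequisites described above (intra-interface traffic permitted, and a NAT rule on the VPN interface that covers the client pool) are easy to lose track of in a long running-config. The following audit script is an added example written for this page; it is not Cisco's code and is not part of the configuration guide. It parses a constructed running-config excerpt that mirrors the commands shown above, checks that the client pool range falls inside the network object carrying the (outside,outside) NAT rule, and reports whether an identity twice-NAT rule exempts VPN-to-VPN traffic. The config text, the pool and object names, and the `outside` interface name are assumptions taken from the guide's example.

```python
import ipaddress
import re

# Constructed running-config excerpt (a made-up sample, not taken from a real
# device); it combines the hairpinning commands shown in the guide above.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
ip local pool clientpool 192.168.0.10-192.168.0.100
object network vpn_nat
 subnet 192.168.0.0 255.255.255.0
 nat (outside,outside) interface
nat (outside,outside) source static vpn_nat vpn_nat destination static vpn_nat vpn_nat
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)")
HOST_RE = re.compile(r"^\s+host (\S+)")
# Object NAT inside an object block; accepts the guide's form and the 'dynamic'/'static' forms.
OBJ_NAT_RE = re.compile(r"^\s+nat \((\S+),(\S+)\) (?:dynamic |static )?(\S+)")
# Twice NAT at the top level, as used for the VPN-to-VPN exemption.
TWICE_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_config(text):
    """Pull out the pieces of an ASA config that matter for VPN hairpinning."""
    intra = False
    pools = {}      # pool name -> (first address, last address)
    networks = {}   # object name -> ip_network it describes
    obj_nat = {}    # object name -> (real_ifc, mapped_ifc, mapped_target)
    twice_nat = []  # (real_ifc, mapped_ifc, src_real, src_mapped, dst_real, dst_mapped)
    current = None  # name of the object block we are inside, if any
    for line in text.splitlines():
        if line.strip() == "same-security-traffic permit intra-interface":
            intra = True
        elif (m := POOL_RE.match(line)):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif (m := OBJECT_RE.match(line)):
            current = m.group(1)
        elif current and (m := SUBNET_RE.match(line)):
            networks[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif current and (m := HOST_RE.match(line)):
            networks[current] = ipaddress.ip_network(m.group(1))
        elif current and (m := OBJ_NAT_RE.match(line)):
            obj_nat[current] = m.groups()
        elif (m := TWICE_NAT_RE.match(line)):
            twice_nat.append(m.groups())
            current = None
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the object block
    return intra, pools, networks, obj_nat, twice_nat


def _covers(net, first, last):
    """True when the whole pool range lies inside the object's network."""
    return first in net and last in net


def audit_hairpin(text, vpn_ifc="outside"):
    """Report, per client pool, whether hairpinned traffic gets the NAT the guide requires."""
    intra, pools, networks, obj_nat, twice_nat = parse_config(text)
    report = {"intra_interface_permitted": intra, "pools": {}}
    for name, (first, last) in pools.items():
        # Object NAT on (vpn_ifc,vpn_ifc) whose network contains the entire pool.
        pat_objects = sorted(
            obj for obj, (real, mapped, _) in obj_nat.items()
            if real == mapped == vpn_ifc and obj in networks
            and _covers(networks[obj], first, last)
        )
        # Identity twice NAT (real == mapped for both source and destination) on the
        # same interface pair is the exemption pattern the guide shows.
        exempt = any(
            real == mapped == vpn_ifc and s_real == s_mapped and d_real == d_mapped
            and s_real in networks and d_real in networks
            and _covers(networks[s_real], first, last)
            and _covers(networks[d_real], first, last)
            for real, mapped, s_real, s_mapped, d_real, d_mapped in twice_nat
        )
        report["pools"][name] = {
            "nat_to_internet": pat_objects,
            "vpn_to_vpn_exempt": exempt,
            "hairpin_ready": intra and bool(pat_objects),
        }
    return report


if __name__ == "__main__":
    print(audit_hairpin(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file to get the same report for a real device; a pool whose `nat_to_internet` list is empty will not be translated when it hairpins to the Internet, even if `intra_interface_permitted` is true.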

Setting Maximum Active IPsec or SSL VPN Sessions

To limit VPN sessions to a lower value than the ASA allows, enter the vpn-sessiondb command in global
configuration mode:

vpn-sessiondb {max-anyconnect-premium-or-essentials-limit <number> | max-other-vpn-limit <number>}

The max-anyconnect-premium-or-essentials-limit keyword specifies the maximum number of
AnyConnect sessions, from 1 to the maximum sessions allowed by the license.

The max-other-vpn-limit keyword specifies the maximum number of VPN sessions other than
AnyConnect client sessions, from 1 to the maximum sessions allowed by the license. This includes the
Cisco VPN client (IPsec IKEv1), LAN-to-LAN VPN, and clientless SSL VPN sessions.

This limit affects the calculated load percentage for VPN Load Balancing.
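To make the two buckets and their effect concrete, here is an added example (written for this page, not Cisco's code and not part of the guide) that reads the vpn-sessiondb lines from a constructed config excerpt, validates each value against an assumed license ceiling, sorts a list of active session types into the AnyConnect and "other" buckets as the text defines them, and derives headroom and a load percentage. The license figures, the session-type labels and the load formula (active sessions over the effective limit) are assumptions; the guide states only that the limit feeds the load-balancing calculation.

```python
import re

# Constructed sample config (made up for this example, not from a real device).
SAMPLE_CONFIG = """\
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 50
vpn-sessiondb max-other-vpn-limit 25
"""

# Assumed license ceilings for the example; a real ASA reports its own.
LICENSE_MAX = {"anyconnect": 100, "other": 100}

# Session types the guide places in each bucket (labels are this example's own).
BUCKET_OF = {
    "anyconnect": "anyconnect",
    "ikev1-client": "other",   # Cisco VPN client (IPsec IKEv1)
    "lan-to-lan": "other",
    "clientless": "other",     # clientless SSL VPN
}

LIMIT_RE = re.compile(
    r"^vpn-sessiondb (max-anyconnect-premium-or-essentials-limit|max-other-vpn-limit) (\d+)\s*$"
)
KEYWORD_BUCKET = {
    "max-anyconnect-premium-or-essentials-limit": "anyconnect",
    "max-other-vpn-limit": "other",
}


def effective_limits(config_text, license_max=LICENSE_MAX):
    """Limit per bucket after reading the config; unset means the license maximum applies."""
    limits = dict(license_max)
    problems = []
    for line in config_text.splitlines():
        m = LIMIT_RE.match(line)
        if not m:
            continue
        bucket, value = KEYWORD_BUCKET[m.group(1)], int(m.group(2))
        if not 1 <= value <= license_max[bucket]:
            # Outside the 1..license range the guide gives; treat as not applied.
            problems.append(f"{m.group(1)} {value} outside 1..{license_max[bucket]}")
            continue
        limits[bucket] = value
    return limits, problems


def session_load(active_sessions, limits):
    """Active count, headroom and load percentage per bucket for a list of session types."""
    counts = {bucket: 0 for bucket in limits}
    for kind in active_sessions:
        counts[BUCKET_OF[kind]] += 1
    return {
        bucket: {
            "active": counts[bucket],
            "headroom": max(limits[bucket] - counts[bucket], 0),
            # Assumed formula: active sessions as a percentage of the effective limit.
            "load_pct": round(100 * counts[bucket] / limits[bucket], 1),
        }
        for bucket in limits
    }


def would_admit(kind, active_sessions, limits):
    """True if one more session of this type fits under its bucket's limit."""
    bucket = BUCKET_OF[kind]
    return sum(1 for k in active_sessions if BUCKET_OF[k] == bucket) < limits[bucket]


if __name__ == "__main__":
    limits, problems = effective_limits(SAMPLE_CONFIG)
    active = ["anyconnect"] * 40 + ["lan-to-lan"] * 5 + ["clientless"] * 20
    print(limits, problems)
    print(session_load(active, limits))
    print(session_load(active, LICENSE_MAX))
```

Comparing the two `session_load` calls shows the point the last paragraph makes: the same 40 AnyConnect sessions read as 80% load under the configured limit of 50 but only 40% under the license maximum, so lowering a limit changes how heavily loaded this ASA looks to its load-balancing peers.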
