topic Re: Remote access VPN Traffic in Network Security

Remote access VPN Traffic

prakashcsco — Thu, 21 Apr 2022 13:17:19 GMT

In a scenario where we are using Remote access VPN with a Full tunnel and the user trying to reach 8.8.8.8

His LAN subnet 10.1.1.10/24. I want to know what will be the source and destination of the packet

Re: Remote access VPN Traffic

Rob Ingram — Thu, 21 Apr 2022 13:16:14 GMT

@prakashcsco with a full tunnel VPN you'd have to hairpin the traffic and route back out the outside interface, therefore the source would be the IP address of the ASA or if using a NAT pool a public IP address in the pool.

You'd need to configure from the CLI "same-security-traffic permit intra-interface" to allow the hairpin and a NAT rule.

Re: Remote access VPN Traffic

prakashcsco — Thu, 21 Apr 2022 13:21:06 GMT

Thanks Rob, i have attached a picture . so in case a user in home with ip 192.168.1.10 connects to vpn and gets a Ip of 10.1.1.10. so now he tries to sent a echo request to 8.8.8.8 . if in case we do a packet capture in his lan card. what will be the source and destination?

Re: Remote access VPN Traffic

Rob Ingram — Thu, 21 Apr 2022 13:25:20 GMT

@prakashcsco if you are capturing the traffic on the local LAN, you'd only see communication from the local PC IP address destined to the ASA (100.100.100.100)

Re: Remote access VPN Traffic

prakashcsco — Thu, 21 Apr 2022 13:32:21 GMT

Got it. so the user's home LAN IP is 192.168.1.10 and he once connected to any connect he gets a 10.1.1.10.

so the source will be 10.1.1.10 and the destination will be 100.100.100.100 for reaching 8.8.8.8. Am i correct?

Re: Remote access VPN Traffic

Rob Ingram — Thu, 21 Apr 2022 13:32:54 GMT

Source 192.168.1.10 and destination 100.100.100.100.

Re: Remote access VPN Traffic

MHM Cisco World — Thu, 21 Apr 2022 14:35:45 GMT

there is two IP header
one outer header is public IP of ASA and Public IP of Client
the inner header is source is your client IP get from ASA pool and destination is what client ping inside.

if it ping 8.8.8.8 then

Outer is same
Inner is source is your client IP get from ASA pool and destination is 8.8.8.8,
here you need NAT the client IP to Public IP of ASA so it appear finally that Public IP of ASA is ping 8.8.8.8.