topic ASA5516 & VPN help in Network Security

ASA5516 & VPN help

timrichards1 — Tue, 12 Mar 2019 08:52:01 GMT

Hi All

Hoping someone might be able to help us. We use a Cisco ASA5516 ASA version 9.6(2) and noticed some odd results while monitoring network traffic which we can't explain.

We have around 10 remote offices that connect back to head office through a VPN connection (mix of adsl, vdsl via cisco 880 series routers) back into the firewall. Now we have noticed that if a user sitting on a pc on the network browses the internet the Source IP shows as the IP address of the computer the user is on and the destination ip is the address of the web site, however, anyone who comes in via VPN shows their vpn ip address as the Source IP but rather than the IP address of the site they visit is shows the ip address of our main domain controller.

Is that normal behaviour or is there some part of the configuration that we got wrong?

Cheers

Please see the configuration

syeda3 — Thu, 02 Feb 2017 18:03:38 GMT

Please see the configuration guide for Site to site and Client VPN for ASA 9.6 with the below urls.

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/vpn/asdm-76-vpn-config.html

Hope to help.

many thanks for your reply.

timrichards1 — Thu, 02 Feb 2017 19:54:14 GMT

many thanks for your reply. The problem is that we didn't setup the asa a third party did it for us and I'm fairly new to asa configuration

Where do you see the source

Rahul Govindan — Thu, 02 Feb 2017 20:26:45 GMT

Where do you see the source and destination ip address of the flow? Do you have some monitoring tool looking into the traffic sent across the network? Ideally only the source of the traffic should change between VPN and internal users. The only other aspect I can think of is that VPN users have some sort of proxy setting sending all traffic to some other location causing the destination to be shown as Domain controller.

Hey, thanks for your reply.

timrichards1 — Thu, 02 Feb 2017 20:38:58 GMT

Hey, thanks for your reply. We use the monitoring available in the ASDM then select Logging under Monitoring. When we test web surfing from any vpn connection be it via the anyconnect client or remote office via the vpn tunnel established via the on site cisco 887va router we see the host pc ip address under source then the main DC ip address rather than the web site address.

I have attached a snip.

What you are looking at is

Ajay Saini — Thu, 02 Feb 2017 22:41:55 GMT

What you are looking at is the real and mapped source as per the translation rules. It does not show destination:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html

This syslog id does not show destination ip address. So, your host 10.10.21.192 is getting translated to 210.55.20.210 and source port is 42004.

You need to check other syslogs surrounding the connection to see the actual connection.