ASA5516 & VPN help

timrichards1
Level 1

Hi All

Hoping someone might be able to help us. We use a Cisco ASA5516 ASA version 9.6(2) and noticed some odd results while monitoring network traffic which we can't explain.

We have around 10 remote offices that connect back to head office through a VPN connection (a mix of ADSL and VDSL via Cisco 880 series routers) back into the firewall. Now we have noticed that if a user sitting on a PC on the network browses the internet, the Source IP shows as the IP address of the computer the user is on and the destination IP is the address of the web site. However, anyone who comes in via VPN shows their VPN IP address as the Source IP, but rather than the IP address of the site they visit it shows the IP address of our main domain controller.

Is that normal behaviour or is there some part of the configuration that we got wrong?

Cheers

5 Replies

Many thanks for your reply. The problem is that we didn't set up the ASA; a third party did it for us, and I'm fairly new to ASA configuration.

Where do you see the source and destination ip address of the flow? Do you have some monitoring tool looking into the traffic sent across the network? Ideally only the source of the traffic should change between VPN and internal users. The only other aspect I can think of is that VPN users have some sort of proxy setting sending all traffic to some other location causing the destination to be shown as Domain controller.

Hey, thanks for your reply. We use the monitoring available in the ASDM, then select Logging under Monitoring. When we test web surfing from any VPN connection, be it via the AnyConnect client or a remote office via the VPN tunnel established via the on-site Cisco 887VA router, we see the host PC IP address under source and then the main DC IP address rather than the web site address.

I have attached a snip.

What you are looking at is the real and mapped source as per the translation rules. It does not show destination:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html

This syslog ID does not show the destination IP address. So, your host 10.10.21.192 is getting translated to 210.55.20.210 and the source port is 42004.

You need to check other syslogs surrounding the connection to see the actual connection.

-

AJ
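To make AJ's point concrete, here is an added example (not code from the thread or from Cisco) that parses two kinds of ASA syslog lines and correlates them. It assumes the screenshot shows the ASA "Built dynamic TCP translation" message (ID 305011), which records only the real and mapped source, and that the "Built outbound TCP connection" message (ID 302013) for the same source socket is where the destination actually appears. Both message IDs are real ASA message IDs, but the thread itself does not name them, so that mapping is an assumption. The log lines are constructed samples in ASA syslog format; 210.55.20.210, 10.10.21.192 and port 42004 are the values from the thread, and 198.51.100.20 is a documentation address standing in for a web site.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in Cisco ASA syslog format (not from the thread's screenshot).
# 305011 records only the real and mapped SOURCE of a dynamic translation.
# 302013 records the whole connection, including the DESTINATION.
# 302014 (teardown) is included to show that unhandled messages are simply skipped.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:10.10.21.192/42004 to outside:210.55.20.210/42004
%ASA-6-302013: Built outbound TCP connection 100731 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.10.21.192/42004 (210.55.20.210/42004)
%ASA-6-302014: Teardown TCP connection 100731 for outside:198.51.100.20/443 to inside:10.10.21.192/42004 duration 0:00:02 bytes 5123 TCP FINs
"""

# Field layout follows the ASA syslog message guide linked in the thread.
TRANSLATION_RE = re.compile(
    r"%ASA-\d-305011: Built dynamic (?P<proto>TCP|UDP) translation from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)"
)
# In the outbound form, the address after "for" is the remote (destination) side
# and the address after "to" is the inside host that initiated the connection.
CONNECTION_RE = re.compile(
    r"%ASA-\d-302013: Built outbound TCP connection (?P<conn_id>\d+) for "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped_ip>[\d.]+)/(?P<dst_mapped_port>\d+)\) to "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\((?P<src_mapped_ip>[\d.]+)/(?P<src_mapped_port>\d+)\)"
)


@dataclass
class FlowEvent:
    msg_id: str
    src_ip: str                # real (pre-NAT) source address
    src_port: int
    src_mapped_ip: str         # post-NAT source address
    dst_ip: Optional[str]      # None when the message carries no destination
    dst_port: Optional[int]


def parse_asa_line(line: str) -> Optional[FlowEvent]:
    """Return a FlowEvent for the two message types handled here, else None."""
    m = TRANSLATION_RE.search(line)
    if m:
        # Only source information is available in a translation message.
        return FlowEvent("305011", m["real_ip"], int(m["real_port"]),
                         m["mapped_ip"], None, None)
    m = CONNECTION_RE.search(line)
    if m:
        return FlowEvent("302013", m["src_ip"], int(m["src_port"]),
                         m["src_mapped_ip"], m["dst_ip"], int(m["dst_port"]))
    return None


def parse_log(text: str) -> List[FlowEvent]:
    return [e for e in (parse_asa_line(l) for l in text.splitlines()) if e]


def find_destination(events: List[FlowEvent], src_ip: str,
                     src_port: int) -> Optional[Tuple[str, int]]:
    """Recover the destination of a flow by matching the connection-built
    message that shares the real source socket with the translation message."""
    for e in events:
        if e.msg_id == "302013" and e.src_ip == src_ip and e.src_port == src_port:
            return (e.dst_ip, e.dst_port)
    return None


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in events:
        print(e)
    print("destination:", find_destination(events, "10.10.21.192", 42004))
```

Running this shows the translation event with no destination at all, and the destination (198.51.100.20:443 in the sample) only once the 302013 line for the same real source socket is matched, which is the correlation AJ describes when he says to check the surrounding syslogs.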
