02-01-2017 02:19 PM - edited 03-12-2019 01:52 AM
Hi All
Hoping someone might be able to help us. We use a Cisco ASA5516 ASA version 9.6(2) and noticed some odd results while monitoring network traffic which we can't explain.
We have around 10 remote offices that connect back to head office through a VPN connection (a mix of ADSL and VDSL via Cisco 880 series routers) back into the firewall. Now we have noticed that if a user sitting on a PC on the network browses the internet, the Source IP shows as the IP address of the computer the user is on and the destination IP is the address of the web site; however, anyone who comes in via VPN shows their VPN IP address as the Source IP, but rather than the IP address of the site they visit, it shows the IP address of our main domain controller.
Is that normal behaviour or is there some part of the configuration that we got wrong?
Cheers
02-02-2017 10:03 AM
Please see the configuration guide for Site to site and Client VPN for ASA 9.6 with the below urls.
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/vpn/asdm-76-vpn-config.html
Hope to help.
02-02-2017 11:54 AM
Many thanks for your reply. The problem is that we didn't set up the ASA; a third party did it for us, and I'm fairly new to ASA configuration.
02-02-2017 12:26 PM
Where do you see the source and destination ip address of the flow? Do you have some monitoring tool looking into the traffic sent across the network? Ideally only the source of the traffic should change between VPN and internal users. The only other aspect I can think of is that VPN users have some sort of proxy setting sending all traffic to some other location causing the destination to be shown as Domain controller.
02-02-2017 12:38 PM
Hey, thanks for your reply. We use the monitoring available in the ASDM, then select Logging under Monitoring. When we test web surfing from any VPN connection, be it via the AnyConnect client or a remote office via the VPN tunnel established via the on-site Cisco 887VA router, we see the host PC IP address under Source, then the main DC IP address rather than the web site address.
I have attached a snip.
02-02-2017 02:41 PM
What you are looking at is the real and mapped source as per the translation rules. It does not show destination:
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html
This syslog id does not show destination ip address. So, your host 10.10.21.192 is getting translated to 210.55.20.210 and source port is 42004.
You need to check other syslogs surrounding the connection to see the actual connection.
-
AJ
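To make AJ's point concrete, here is an added example (not from the thread, and not Cisco's code) that parses two kinds of ASA syslog lines: 305011 "Built dynamic translation", which only names the real and mapped source, and 302013 "Built connection", which names both endpoints. The sample lines are constructed; 10.10.21.192 and 210.55.20.210 are the values AJ quotes, while 203.0.113.10 (a documentation address), the connection ID and the 302014 teardown line are made up. The reading of which endpoint in 302013 is the initiator follows Cisco's documented "for ... to ..." layout (for outbound connections the initiating inside host is the "to" side); that interpretation is this example's assumption.

```python
import re

# Constructed sample ASA syslog lines (not taken from the thread's screenshot).
# 10.10.21.192 / 210.55.20.210 are the real and mapped addresses AJ cites;
# 203.0.113.10, the connection id and the teardown line are invented for the example.
SAMPLE_LOGS = [
    "%ASA-6-305011: Built dynamic TCP translation from inside:10.10.21.192/42004 "
    "to outside:210.55.20.210/42004",
    "%ASA-6-302013: Built outbound TCP connection 812345 for outside:203.0.113.10/443 "
    "(203.0.113.10/443) to inside:10.10.21.192/42004 (210.55.20.210/42004)",
    "%ASA-6-302014: Teardown TCP connection 812345 for outside:203.0.113.10/443 "
    "to inside:10.10.21.192/42004 duration 0:00:05 bytes 4321 TCP FINs",
]

# 305011: only the translated SOURCE appears (real address, then mapped address).
RE_305011 = re.compile(
    r"%ASA-\d-305011: Built (?P<kind>dynamic|static) (?P<proto>\w+) translation from "
    r"(?P<real_if>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) to "
    r"(?P<mapped_if>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+)"
)

# 302013: both endpoints appear, each as "real/port (mapped/port)".
RE_302013 = re.compile(
    r"%ASA-\d-302013: Built (?P<direction>inbound|outbound) (?P<proto>\w+) connection "
    r"(?P<conn_id>\d+) for "
    r"(?P<for_if>\w+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) "
    r"\((?P<for_map_ip>[\d.]+)/(?P<for_map_port>\d+)\) to "
    r"(?P<to_if>\w+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+) "
    r"\((?P<to_map_ip>[\d.]+)/(?P<to_map_port>\d+)\)"
)


def parse_asa_line(line):
    """Return a dict describing the flow, or None for message ids this example ignores."""
    m = RE_305011.search(line)
    if m:
        return {
            "msg_id": "305011",
            "source_real": f"{m['real_ip']}:{m['real_port']}",
            "source_mapped": f"{m['mapped_ip']}:{m['mapped_port']}",
            # A translation message never names the destination; a viewer that
            # labels its second column "destination" is showing the mapped source.
            "destination": None,
        }
    m = RE_302013.search(line)
    if m:
        # Assumption (per Cisco's "for X to Y" layout): for outbound connections the
        # initiating host is the "to" endpoint, for inbound it is the "for" endpoint.
        if m["direction"] == "outbound":
            initiator, responder = "to", "for"
        else:
            initiator, responder = "for", "to"
        return {
            "msg_id": "302013",
            "conn_id": m["conn_id"],
            "source_real": f"{m[initiator + '_ip']}:{m[initiator + '_port']}",
            "source_mapped": f"{m[initiator + '_map_ip']}:{m[initiator + '_map_port']}",
            "destination": f"{m[responder + '_ip']}:{m[responder + '_port']}",
        }
    return None


def correlate(lines):
    """Group events by real source socket, so a 305011 translation can be matched
    with the 302013 connection that actually names where the host went."""
    by_source = {}
    for line in lines:
        event = parse_asa_line(line)
        if event is not None:
            by_source.setdefault(event["source_real"], []).append(event)
    return by_source


if __name__ == "__main__":
    for src, events in correlate(SAMPLE_LOGS).items():
        print(f"real source {src}:")
        for ev in events:
            dest = ev["destination"] or "(not present in this message id)"
            print(f"  {ev['msg_id']}: mapped source {ev['source_mapped']}, destination {dest}")
```

Running it shows why the ASDM log viewer looked odd: the 305011 line yields only a real and a mapped source, while the destination the original poster was after lives in the 302013 line for the same real source socket. Checking the log in its entirety rather than a single message ID is what AJ recommends.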