929 Views, 5 Helpful, 6 Replies

Remote access VPN Traffic

prakashcsco (Level 1)

In a scenario where we are using Remote Access VPN with a full tunnel and the user is trying to reach 8.8.8.8.

His LAN subnet is 10.1.1.10/24. I want to know what the source and destination of the packet will be.

 


6 Replies

@prakashcsco With a full tunnel VPN you'd have to hairpin the traffic and route it back out the outside interface, therefore the source would be the IP address of the ASA or, if using a NAT pool, a public IP address in the pool.

 

You'd need to configure "same-security-traffic permit intra-interface" from the CLI to allow the hairpin, plus a NAT rule.

Thanks Rob, I have attached a picture. So, in the case where a user at home with IP 192.168.1.10 connects to the VPN and gets an IP of 10.1.1.10, and then tries to send an echo request to 8.8.8.8: if we do a packet capture on his LAN card, what will be the source and destination?

@prakashcsco If you are capturing the traffic on the local LAN, you'd only see communication from the local PC IP address destined to the ASA (100.100.100.100).

Got it. So the user's home LAN IP is 192.168.1.10, and once connected with AnyConnect he gets 10.1.1.10.

 

So the source will be 10.1.1.10 and the destination will be 100.100.100.100 for reaching 8.8.8.8. Am I correct?

(Accepted Solution) Source 192.168.1.10 and destination 100.100.100.100.

(Accepted Solution) There are two IP headers.
The outer header is the public IP of the ASA and the public IP of the client.
The inner header's source is your client IP obtained from the ASA pool, and its destination is whatever the client pings inside.

If it pings 8.8.8.8, then:

The outer header is the same.
The inner header's source is your client IP from the ASA pool and its destination is 8.8.8.8.
Here you need to NAT the client IP to the public IP of the ASA, so that in the end it appears that the public IP of the ASA is pinging 8.8.8.8.
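The two accepted replies above describe the hairpin and the NAT, but neither shows the configuration. The following is an added example (not posted in the thread and not taken from any Cisco document) of the minimal ASA configuration that produces the behaviour they describe for a full-tunnel AnyConnect client. It uses the thread's addresses (ASA outside interface 100.100.100.100, client pool 10.1.1.0/24); the object name VPN-POOL-NET, the pool name VPN-POOL, the pool range, the group-policy name RA-VPN-GP and the capture name HAIRPIN are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Names VPN-POOL, VPN-POOL-NET,
! RA-VPN-GP and HAIRPIN are hypothetical; addresses follow the thread.
!
! 1. Pool handed to AnyConnect clients (the 10.1.1.10 in the question
!    comes from here).
ip local pool VPN-POOL 10.1.1.1-10.1.1.254 mask 255.255.255.0
!
! 2. Full tunnel: send everything, including 8.8.8.8, through the tunnel.
!    tunnelall is the default, shown explicitly so the intent is visible.
group-policy RA-VPN-GP internal
group-policy RA-VPN-GP attributes
 split-tunnel-policy tunnelall
 address-pools value VPN-POOL
!
! 3. Decrypted client traffic enters on "outside" and must leave on
!    "outside" again. Without this line the ASA drops the hairpin.
same-security-traffic permit intra-interface
!
! 4. PAT the pool to the outside interface address on the way back out.
!    This is the NAT the accepted reply refers to: the packet that reaches
!    8.8.8.8 has source 100.100.100.100, not 10.1.1.10.
object network VPN-POOL-NET
 subnet 10.1.1.0 255.255.255.0
 nat (outside,outside) dynamic interface
!
! Checks while a client pings 8.8.8.8:
!   show vpn-sessiondb anyconnect      - client shows assigned IP 10.1.1.10
!   show nat                           - translate_hits on the
!                                        (outside,outside) rule increase
!   capture HAIRPIN interface outside match icmp host 10.1.1.10 host 8.8.8.8
!   show capture HAIRPIN               - the decrypted inner packet,
!                                        10.1.1.10 -> 8.8.8.8
!
! A capture on the client's LAN card, as answered in the thread, shows only
! 192.168.1.10 -> 100.100.100.100 (TLS/DTLS on port 443 for AnyConnect SSL
! VPN); the inner 10.1.1.10 -> 8.8.8.8 header is inside the encrypted payload.
```

Two points worth checking on a real box. First, object NAT (section 2) is evaluated after manual/twice NAT (section 1), so an existing NAT exemption that keeps 10.1.1.0/24 untranslated toward the inside network still wins for inside destinations; only traffic that misses every section 1 rule, such as the hairpin to 8.8.8.8, hits the rule above. Second, hairpinned Internet traffic is subject to the outside interface's ACL and, if enabled, `sysopt connection permit-vpn`, so if `show nat` shows hits but pings fail, look at `show asp drop` before touching the NAT again.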

 
