01-15-2014 07:44 PM - edited 03-11-2019 08:30 PM
Hi Everyone,
For Remote Access VPN here is the current setup--
When a user connects to the Corp VPN via the Internet, it first hits the Corp Internet ASA and then connects to the VPN gateway.
Say the PC connects to VPN gateway IP 150.x.x.x. This IP belongs to the VPN gateway ASA.
The Internet ASA has no connection entry as it just passes the VPN protocol coming from the client PC to the VPN gateway.
For this design to work, the Internet ASA needs to pass the IPsec protocol, right?
What config should I look for in the Internet ASA that proves that traffic passes through it to build the IPsec tunnel from the user PC to the VPN gateway?
Regards
Mahesh
01-16-2014 12:01 AM
Hi,
So the actual VPN Device is behind an ASA that is on the Internet edge.
You could try to run these commands on the Internet ASA when you have confirmed that there are VPN clients connected:
show conn all port 500
show conn all port 4500
show conn all port 10000
show conn all | inc ESP
I would imagine some of the above commands should provide you some output, depending on how your VPN is configured and whether the VPN client computers are behind NAT when they are connecting to the ASA.
- Jouni
01-16-2014 08:05 AM
Hi Jouni,
I ran the above commands.
When I ran the below commands on the Internet Edge ASA
show conn all port 4500
show conn all port 10000
then I ran the below command on the VPN ASA
sh vpn-sessiondb remote filter p-ipaddress 200.x.x.x
This output shows me all the Remote Access VPN users connected to the VPN gateway.
Does this mean that RA VPN used port number 4500 and 1000?
When I ran the command show conn all port 500 on the Internet ASA,
below is the output:
872 in use, 2180 most used
UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x, idle 0:00:01, bytes 222428187, flags -
UDP outside 130.x.x.x:500 dmz_visitor1 192.168.211.56:62465, idle 0:00:13, bytes 26578, flags -
When I ran the command sh vpn-sessiondb remote filter p-ipaddress or
sh vpn-sessiondb remote filter a-ipaddress
it does not show any output; it seems they are not RA VPN sessions.
Which connection type is this?
Regards
Mahesh
01-16-2014 09:20 AM
Hi,
Did you get any output from the commands for port 4500 and 10000?
I am not quite sure what IP address the 200.x.x.x is?
The output of "show conn all port 500" seems like there is one VPN Client connection, perhaps from behind interface "dmz_visitor1"?
Seems that you have removed the port after the IP 200.x.x.x from the output of
UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x, idle 0:00:01, bytes 222428187, flags -
If you want, the command
show vpn-sessiondb summary
On the VPN ASA then that should give you a summary of the current amount of VPN Connections to the VPN ASA and the types of VPN connections active.
- Jouni
01-16-2014 09:43 AM
Hi Jouni,
Yes, I got output from the commands for ports 4500 and 10000.
Those are all Remote VPN connections from the users.
Does this mean RA VPN uses both ports 4500 and 1000?
sh vpn-sessiondb summary
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
IPsec LAN-to-LAN : 1 : 1 : 1
Totals : 1 : 1
License Information:
IPsec : 750 Configured : 750 Active : 1 Load : 0%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 1 : 1 : 1
Totals : 1 : 1
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
Yes, you are correct, there is 1 VPN client behind the int dmz_visitor1 going to the outside world.
Regarding the second connection
UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x:911, idle 0:00:01, bytes 223567425, flags
Seems this connection is coming from behind the interface dmz_RR.
So the VPN client also uses port 500?
Regards
Mahesh
01-20-2014 12:33 AM
Hi,
To my understanding, by default the VPN Client uses UDP/500 and/or UDP/4500 in Phase 1, depending on whether there is NAT in between the Client and the VPN device. The port TCP/10000 is not something that would be used UNLESS you specifically configure the device and VPN Client for it.
Phase 2 could again use ESP or, depending on NAT, it would, to my understanding, encapsulate this traffic with UDP so that the connection could be formed through a NAT device (port UDP/4500).
- Jouni
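As an added example, not code from the thread or from Cisco: a small Python parser for the `show conn` output quoted above that labels each entry by the IPsec component it carries (IKE on UDP/500, NAT-T on UDP/4500, IPsec over TCP/10000 where configured, or ESP) and counts them per interface the client sits behind, which is what Jouni is reading off the output by hand. The two sample lines come from the thread; the NAT-T and ESP sample lines, and the assumption that the second interface in each entry is the one the client is behind, are constructed here.

```python
import re
from collections import Counter

# One ASA "show conn" entry, e.g. (format taken from the thread):
#   UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x:911, idle 0:00:01, bytes 223567425, flags -
# Hosts may be IPs or names; ports are optional because ESP entries carry none.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<if_a>\S+)\s+(?P<host_a>\S+?)(?::(?P<port_a>\d+))?"
    r"\s+(?P<if_b>\S+)\s+(?P<host_b>\S+?)(?::(?P<port_b>\d+))?,"
    r"\s+idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s*(?P<flags>\S*)\s*$"
)
# How the pieces of an IPsec remote-access session show up on a transit firewall.
VPN_PORTS = {("UDP", 500): "IKE (UDP/500)", ("UDP", 4500): "NAT-T (UDP/4500)",
             ("TCP", 10000): "IPsec over TCP (TCP/10000, only if configured)"}

def parse_conn(line):
    """Return a dict for one show conn entry, or None for any other line."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["port_a"] = int(d["port_a"]) if d["port_a"] else None
    d["port_b"] = int(d["port_b"]) if d["port_b"] else None
    d["bytes"] = int(d["bytes"])
    return d

def classify(conn):
    """Label an entry by the IPsec component it carries, or 'other'."""
    proto = conn["proto"].upper()
    if proto == "ESP":
        return "ESP"
    for port in (conn["port_a"], conn["port_b"]):
        if (proto, port) in VPN_PORTS:
            return VPN_PORTS[(proto, port)]
    return "other"

def vpn_summary(text):
    """Count IPsec entries per (category, interface the client sits behind)."""
    counts = Counter()
    for conn in filter(None, map(parse_conn, text.splitlines())):
        label = classify(conn)
        if label != "other":
            counts[(label, conn["if_b"])] += 1  # assumption: if_b faces the client
    return counts

# Constructed sample: the two lines quoted in the thread plus a made-up NAT-T
# entry and a made-up ESP entry for the same client behind dmz_visitor1.
SAMPLE = """872 in use, 2180 most used
UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x:911, idle 0:00:01, bytes 223567425, flags -
UDP outside 130.x.x.x:500 dmz_visitor1 192.168.211.56:62465, idle 0:00:13, bytes 26578, flags -
UDP outside 130.x.x.x:4500 dmz_visitor1 192.168.211.56:4500, idle 0:00:02, bytes 9120, flags -
ESP outside 130.x.x.x dmz_visitor1 192.168.211.56, idle 0:00:05, bytes 4096, flags -
"""
```

Running `vpn_summary(SAMPLE)` gives one IKE entry behind each of dmz_RR and dmz_visitor1 plus one NAT-T and one ESP entry behind dmz_visitor1; an entry without the port shown, like the one Mahesh pasted first, still parses with `port_b` set to None.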
01-20-2014 10:56 AM
Hi Jouni,
I have seen here Phase 1 using UDP 500
Phase 2 type IPsec over TCP port TCP 10000
Regards
Mahesh