Traffic flow from Client PC to VPN Gateway

mahesh18
Level 6

Hi Everyone,

For Remote Access VPN here is the current setup--

User connects to the Corp VPN via Internet; it first hits the Corp Internet ASA, then it connects to the VPN gateway.

Say PC connects to VPN gateway IP 150.x.x.x. This IP belongs to VPN gateway ASA.

Internet ASA has no connection entry as it just passes the VPN protocol coming from client PC and passes it to the VPN Gateway.

For this design to work Internet ASA needs to pass the IPSEC protocol right?

What config should I look for in Internet ASA that proves that traffic passes through it to build the IPSEC tunnel from user PC to VPN gateway?

Regards

Mahesh


6 Replies

Jouni Forss
VIP Alumni

Hi,

So the actual VPN Device is behind an ASA that is on the Internet edge.

You could try to run these commands on the Internet ASA when you have confirmed that there are VPN Clients connected

show conn all port 500

show conn all port 4500

show conn all port 10000

show conn all | inc ESP

I would imagine some of the above commands should provide you some output depending on how your VPN is configured and if the VPN Client computers are behind NAT when they are connecting to the ASA.

- Jouni

Hi Jouni,

I ran the above commands.

When I ran the below commands on Internet Edge ASA

show conn all port 4500

show conn all port 10000

Then I ran the below command on VPN ASA

sh vpn-sessiondb remote filter p-ipaddress 200.x.x.x

This output shows me all the Remote access VPN users connected to the VPN gateway.

Does this mean that RA VPN used port number 4500 and 1000?

When I ran the command show conn all port 500 on Internet ASA

below is output

872 in use, 2180 most used

UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x, idle 0:00:01, bytes 222428187, flags -

UDP outside 130.x.x.x:500 dmz_visitor1 192.168.211.56:62465, idle 0:00:13, bytes 26578, flags -

When I ran the command sh vpn-sessiondb remote filter p-ipaddress or

sh vpn-sessiondb remote filter a-ipaddress

it does not show any output; seems they are not RA VPN sessions.

Which connection type is this?

Regards

Mahesh

Hi,

Did you get any output from the commands for port 4500 and 10000?

I am not quite sure what IP address the 200.x.x.x is?

The output of "show conn all port 500" seems like there is one VPN Client connection, perhaps from behind interface "dmz_visitor1"?

Seems that you have removed the port after the IP 200.x.x.x from the output of

UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x, idle 0:00:01, bytes 222428187, flags -

If you want, the command

show vpn-sessiondb summary

on the VPN ASA should give you a summary of the current number of VPN connections to the VPN ASA and the types of VPN connections active.

- Jouni

Hi Jouni,

Yes, I got output from the commands for ports 4500 and 10000.

Those are all Remote VPN connection from the users.

Does this mean RA VPN uses both ports 4500 and 1000?

sh vpn-sessiondb summary

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  IPsec LAN-to-LAN      :       1 :          1 :               1
  Totals                :       1 :          1

License Information:
  IPsec   :    750    Configured :    750    Active :      1    Load :   0%
  SSL VPN :      2    Configured :      2    Active :      0    Load :   0%
                            Active : Cumulative : Peak Concurrent
  IPsec               :          1 :          1 :               1
  Totals              :          1 :          1

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

Yes you are correct there is 1 VPN client behind the int dmz_visitor1 going to outside world.

Regarding second connection

UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x:911, idle 0:00:01, bytes 223567425, flags

Seems this connection is coming from behind the interface dmz_RR.

So port 500 also uses VPN client?

Regards

Mahesh

Hi,

To my understanding, by default the VPN Client uses UDP/500 and/or UDP/4500 in Phase 1 depending on if there is NAT in between the Client and the VPN device. The port TCP/10000 is not something that would be used UNLESS you specifically configure the device and VPN Client for it.

Phase 2 could again use ESP or, depending on NAT, it would to my understanding encapsulate this traffic with UDP so that the connection could be formed through a NAT device (port UDP/4500).

- Jouni
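Jouni's port-to-role mapping above, applied to "show conn" lines in the layout Mahesh posted, as an added example that is not part of the thread or of any Cisco tool. The sample lines beyond Mahesh's two are constructed, the role labels and the NAT heuristic (a non-500 port on one side of a UDP/500 entry) are my assumptions, and the second interface is taken as the side the client sits behind, as Jouni read the output.

```python
import re
from collections import Counter

# Port-to-role table from Jouni's explanation: UDP/500 for Phase 1 without NAT,
# UDP/4500 for NAT-T, TCP/10000 only when IPsec over TCP is explicitly configured.
VPN_PORTS = {
    ("UDP", 500): "IKE Phase 1 (UDP/500)",
    ("UDP", 4500): "NAT-T (UDP/4500)",
    ("TCP", 10000): "IPsec over TCP (TCP/10000, needs explicit config)",
}

# 'show conn' layout as posted in the thread; the port is optional because ESP has none.
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<if1>\S+)\s+(?P<a1>[^\s:,]+)(?::(?P<p1>\d+))?"
    r"\s+(?P<if2>\S+)\s+(?P<a2>[^\s:,]+)(?::(?P<p2>\d+))?"
    r",\s*idle\s+(?P<idle>\S+),\s*bytes\s+(?P<bytes>\d+),\s*flags\s*(?P<flags>.*)$"
)

def classify_conn(line):
    """Describe the VPN role of one 'show conn' line, or return None if it is not VPN traffic."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto")
    p1, p2 = (int(p) if p else None for p in (m.group("p1"), m.group("p2")))
    if proto == "ESP":
        role = "ESP Phase 2 (no NAT in path)"
    else:
        role = VPN_PORTS.get((proto, p1)) or VPN_PORTS.get((proto, p2))
        if role is None:
            return None
    # Heuristic (my assumption): IKE keeps 500 on both ends, so a different port on one
    # side of a UDP/500 entry suggests NAT/PAT in the path, i.e. expect NAT-T on 4500.
    nat_suspected = proto == "UDP" and 500 in (p1, p2) and p1 != p2
    # Second interface is the side the client sits behind, as Jouni read Mahesh's output.
    return {"proto": proto, "role": role, "peer_if": m.group("if1"), "peer": m.group("a1"),
            "client_if": m.group("if2"), "client": m.group("a2"),
            "bytes": int(m.group("bytes")), "nat_suspected": nat_suspected}

def summarize(lines):
    """Count VPN-related entries per (role, client interface) seen on the edge ASA."""
    return Counter((c["role"], c["client_if"]) for c in map(classify_conn, lines) if c)
# Constructed sample in the thread's layout; the first two data lines are Mahesh's own.
SAMPLE_CONN = """\
UDP outside XY-LOP-3b:500 dmz_RR 200.x.x.x:911, idle 0:00:01, bytes 223567425, flags -
UDP outside 130.x.x.x:500 dmz_visitor1 192.168.211.56:62465, idle 0:00:13, bytes 26578, flags -
UDP outside 198.51.100.7:4500 dmz_RR 203.0.113.20:4500, idle 0:00:02, bytes 55120, flags -
ESP outside 198.51.100.11 dmz_RR 203.0.113.21, idle 0:00:03, bytes 120000, flags
TCP outside 198.51.100.5:443 inside 10.0.0.5:51000, idle 0:00:01, bytes 3000, flags UIO
"""
```

Feeding the real output of "show conn all" through summarize() lists, per client-side interface, which of the IKE, NAT-T, ESP and IPsec-over-TCP flows the edge ASA is actually passing.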

Hi Jouni,

I have seen here Phase 1 using UDP 500

Phase 2 type IPsec over TCP, port TCP 10000

Regards

Mahesh
