05-01-2014 10:50 AM - edited 02-21-2020 07:37 PM
Hi Everyone,
Our Internet ASA is configured to allow IPsec connections going from the DMZ to the Internet.
We have some vendors coming in and they need VPN access to their company network while working in our DMZ network.
As the IPsec tunnel is all secure, if a vendor accesses, say, some servers that have private IP addresses in their network, is there any way that I can see the connections open for them in our ASA?
Regards
Mahesh
05-01-2014 11:27 AM
If they're initiating remote access VPN connections from servers in your DMZ you would only see tcp/443 traffic (SSL) (or possibly IPsec over protocol 50 if they are using an IPsec VPN).
That's assuming you allow all connections initiated from the DMZ to the outside. If you restrict them with an access-list then they would need to have you explicitly allow the connection.
05-01-2014 11:37 AM
Hi Marvin,
Say they are accessing the server in their network and it talks on port, say, 3000.
There is a rule in the ASA that allows connections from the DMZ to outside on port 3000.
This server has, say, IP 10.10.10.1.
Need to confirm this conn will not be shown in our Internet ASA, right?
Regards
Mahesh
05-01-2014 12:14 PM
If they access it via a VPN then your ASA will show the connection to their VPN device and not the connections within that SSL VPN - those would all be encapsulated in the tunnel.
If they were accessing the remote server directly (not via a VPN) then yes you would see the server address in your "show conn" output.
I assume you use 10.10.10.1 as a made-up example as that private IP address would never be routed freely on the Internet - only within a private network or tunneled within a VPN.
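To make the distinction above concrete, here is an added example (not from this thread and not Cisco's code) that parses constructed lines in the general shape of ASA "show conn" output and labels each flow: tunnel endpoints (IKE, NAT-T, ESP, or SSL on tcp/443), where the ASA sees only the outer flow and none of the inner connections, versus direct connections, where the remote server address itself appears. The exact line layout, the interface name "outside" and all addresses are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample in the general shape of ASA "show conn" output.
# Made-up RFC 5737 / RFC 1918 addresses; not captured from a real firewall.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 dmz 192.0.2.5:51234, idle 0:00:05, bytes 48213, flags UIO
UDP outside 203.0.113.10:500 dmz 192.0.2.5:500, idle 0:00:30, bytes 1704, flags -
UDP outside 203.0.113.10:4500 dmz 192.0.2.5:4500, idle 0:00:01, bytes 91022, flags -
ESP outside 203.0.113.11 dmz 192.0.2.7, idle 0:00:03, bytes 55010, flags
TCP outside 198.51.100.20:3000 dmz 192.0.2.6:40212, idle 0:00:02, bytes 3100, flags UIO
TCP outside 10.10.10.1:3000 dmz 192.0.2.6:40213, idle 0:00:02, bytes 120, flags saA
"""

# Assumed layout: PROTO IF_A IP_A[:PORT_A] IF_B IP_B[:PORT_B], ... (ESP has no ports)
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<ifa>\S+)\s+(?P<ipa>[\d.]+)(?::(?P<porta>\d+))?"
    r"\s+(?P<ifb>\S+)\s+(?P<ipb>[\d.]+)(?::(?P<portb>\d+))?"
)

# Outer flows that carry a VPN tunnel: the firewall sees only these, never the
# connections encapsulated inside them.
TUNNEL_SIGNATURES = {
    ("UDP", 500): "IKE (IPsec control)",
    ("UDP", 4500): "IPsec NAT-T",
    ("TCP", 443): "SSL VPN or HTTPS (payload encrypted)",
}

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also flags the documentation ranges used in the sample.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_conn(line):
    """Return a dict of the connection fields, or None if the line does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["porta"] = int(d["porta"]) if d["porta"] else None
    d["portb"] = int(d["portb"]) if d["portb"] else None
    return d


def classify(conn, outside_if="outside"):
    """Return (outside peer IP, verdict) describing what the ASA can see of this flow."""
    # The outside peer may be printed in either column depending on direction.
    if conn["ifa"] == outside_if:
        peer_ip, peer_port = conn["ipa"], conn["porta"]
    else:
        peer_ip, peer_port = conn["ipb"], conn["portb"]
    proto = conn["proto"]
    if proto == "ESP":
        return peer_ip, "IPsec ESP tunnel (inner hosts not visible)"
    label = TUNNEL_SIGNATURES.get((proto, peer_port))
    if label:
        return peer_ip, f"tunnel endpoint: {label}; inner connections not visible"
    if is_rfc1918(peer_ip):
        return peer_ip, "direct flow to private address on outside: would not route on the Internet"
    return peer_ip, f"direct {proto}/{peer_port} connection: server address visible"


def summarize(show_conn_text, outside_if="outside"):
    """Classify every parseable line of show conn output, skipping anything else."""
    result = []
    for line in show_conn_text.splitlines():
        conn = parse_conn(line)
        if conn is not None:
            result.append(classify(conn, outside_if))
    return result


if __name__ == "__main__":
    for peer, verdict in summarize(SAMPLE_SHOW_CONN):
        print(f"{peer:16} {verdict}")
```

Run against the constructed sample, the first four lines resolve to the vendor's VPN device only, the tcp/3000 flow to a public address shows the server itself, and the tcp/3000 flow to 10.10.10.1 is flagged as something that would only exist if that private address were reachable outside a tunnel.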