08-03-2018 10:51 AM - edited 02-21-2020 09:26 PM
So from what I understand, the ASA uses TCP port 443 by default for AnyConnect SSL VPN. With this in mind, say that a remote user sitting on their home internet connection wants to connect to their office using AnyConnect to look at some files. If I were to run a capture on that remote computer, would it look exactly the same as if the remote computer was going to https://cnn.com? I know the source & destination would change, but as far as everything else.
08-05-2018 02:11 PM
AnyConnect enables a virtual adapter on the client machine. On your wireless/wired adapter, you should see TCP/UDP 443 traffic to the ASA headend. If you run a packet capture on the virtual adapter, you should see the actual data. Newer versions of Wireshark don't seem to capture this traffic well, as far as I remember.
All allowed VPN traffic on the client is sourced from the virtual adapter after a successful VPN connection. Once encapsulated and encrypted, this is then routed through your physical adapter.
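As an added example (not part of the original post): the TCP/UDP 443 traffic seen on the physical adapter can be told apart by its record header. The TCP side carries ordinary TLS records, as an HTTPS site would, while AnyConnect's UDP 443 side, when DTLS is in use, carries DTLS records. The function name and all sample bytes below are constructed for illustration.

```python
import struct

# Record-layer content types shared by TLS and DTLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}


def classify_443_payload(transport, payload):
    """Label the first record of a port-443 payload from its header alone.

    transport is "tcp" or "udp"; payload is the raw L4 payload bytes.
    """
    unknown = {"protocol": "unknown"}
    if len(payload) < 5:
        return unknown
    ctype, version = struct.unpack("!BH", payload[:3])
    if ctype not in CONTENT_TYPES:
        return unknown
    if transport == "tcp" and version in TLS_VERSIONS:
        # TLS header: type(1) version(2) length(2)
        (length,) = struct.unpack("!H", payload[3:5])
        return {"protocol": "TLS", "version": TLS_VERSIONS[version],
                "type": CONTENT_TYPES[ctype], "length": length}
    if transport == "udp" and version in DTLS_VERSIONS and len(payload) >= 13:
        # DTLS header: type(1) version(2) epoch(2) sequence(6) length(2)
        (epoch,) = struct.unpack("!H", payload[3:5])
        sequence = int.from_bytes(payload[5:11], "big")
        (length,) = struct.unpack("!H", payload[11:13])
        return {"protocol": "DTLS", "version": DTLS_VERSIONS[version],
                "type": CONTENT_TYPES[ctype], "epoch": epoch,
                "sequence": sequence, "length": length}
    return unknown


# Constructed samples: header bytes followed by zero padding as the body.
SAMPLE_TLS_HANDSHAKE = bytes.fromhex("16 03 01 02 00") + bytes(512)
SAMPLE_DTLS_DATA = bytes.fromhex("17 fe ff 00 01 00 00 00 00 00 05 00 40") + bytes(64)
SAMPLE_OTHER_UDP = bytes.fromhex("c3 00 00 00 01") + bytes(32)  # QUIC-style long header

if __name__ == "__main__":
    for transport, data in (("tcp", SAMPLE_TLS_HANDSHAKE),
                            ("udp", SAMPLE_DTLS_DATA),
                            ("udp", SAMPLE_OTHER_UDP)):
        print(transport, classify_443_payload(transport, data))
```

In both TLS and DTLS the payload after the record header is encrypted once the handshake completes, so the header fields are what a capture on the physical adapter exposes.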
08-03-2018 11:59 AM
08-05-2018 03:55 PM
Funny you mention cnn.com.
I did a post on TLS and Wireshark a while ago:
https://ciscoshizzle.blogspot.com/search?q=TLS
AnyConnect would not be much different.