Capturing traffic going in IPSEC tunnel


Hi Everyone,

Our Internet ASA is configured to allow IPsec connections going from the DMZ to the Internet.

We have some vendors coming in and they need VPN access to their company network while working in our DMZ network.

As the IPsec tunnel is all secure, if a vendor accesses, say, some servers that have private IP addresses in their network, is there any way that I can see in our ASA the connections open for them?

Regards

Mahesh

3 REPLIES
Hall of Fame Super Silver

If they're initiating remote access VPN connections from servers in your DMZ you would only see tcp/443 traffic (SSL) (or possibly IPsec over protocol 50 if they are using an IPsec VPN).

That's assuming you allow all connections initiated from the DMZ to the outside. If you restrict them with an access-list then they would need to have you explicitly allow the connection.

New Member


Hi Marvin,


Say they are accessing the server in their network and it talks on, say, port 3000.

There is a rule in the ASA that allows connections from the DMZ to outside on port 3000.

This server has, say, IP 10.10.10.1.

I need to confirm that this conn will not be shown in our Internet ASA, right?


Regards

Mahesh

Hall of Fame Super Silver

If they access it via a VPN then your ASA will show the connection to their VPN device and not the connections within that SSL VPN - those would all be encapsulated in the tunnel.

If they were accessing the remote server directly (not via a VPN) then yes you would see the server address in your "show conn" output.

I assume you use 10.10.10.1 as a made-up example as that private IP address would never be routed freely on the Internet - only within a private network or tunneled within a VPN.
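To illustrate Marvin's point about what `show conn` does and does not reveal, here is an added Python example (not from this thread or from Cisco): it parses constructed sample lines loosely modelled on ASA `show conn` output (the exact field layout is an assumption made for this example) and flags which entries are tunnel carriers whose inner flows the ASA cannot see, versus direct connections where the real server address is visible.

```python
import re

# Constructed sample, loosely modelled on ASA "show conn" output; the exact
# field layout is an assumption for this example, not copied from the thread.
SAMPLE_SHOW_CONN = """\
TCP outside 203.0.113.10:443 DMZ 192.168.50.21:50112, idle 0:00:03, bytes 184213, flags UIO
ESP outside 203.0.113.11 DMZ 192.168.50.22, idle 0:00:01, bytes 904211, flags
TCP outside 198.51.100.7:3000 DMZ 192.168.50.23:50990, idle 0:00:09, bytes 2210, flags UIO
"""

# proto, outside-interface ip[:port], inside-interface ip[:port], idle, bytes
CONN_RE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<out_if>\S+)\s+(?P<out_ip>[\d.]+)(?::(?P<out_port>\d+))?"
    r"\s+(?P<in_if>\S+)\s+(?P<in_ip>[\d.]+)(?::(?P<in_port>\d+))?"
    r",\s*idle\s+\S+,\s*bytes\s+(?P<bytes>\d+)"
)

def parse_show_conn(text):
    """Return one dict per parsable line; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["out_port"] = int(d["out_port"]) if d["out_port"] else None
            d["in_port"] = int(d["in_port"]) if d["in_port"] else None
            conns.append(d)
    return conns

def classify_conn(conn):
    """Tunnel carriers hide the inner flows; a direct conn exposes the real server."""
    if conn["proto"] == "ESP":
        return "ipsec-tunnel"   # IP protocol 50: inner traffic is encapsulated
    if conn["proto"] == "TCP" and conn["out_port"] == 443:
        return "tls-443"        # SSL VPN or plain HTTPS: indistinguishable here, inner data hidden
    return "direct"             # e.g. tcp/3000 straight to the server: server address visible

def report(text):
    """One human-readable row per conn stating what the ASA can actually see."""
    rows = []
    for c in parse_show_conn(text):
        kind = classify_conn(c)
        seen = "server address visible" if kind == "direct" else "inner flows hidden"
        dst = f"{c['out_ip']}:{c['out_port']}" if c["out_port"] else c["out_ip"]
        rows.append(f"{c['in_ip']} -> {dst} {c['proto']} {kind}: {seen}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SHOW_CONN)))
```

The tcp/443 row shows why an SSL VPN session and ordinary HTTPS look identical in the connection table: only the tunnel endpoint is visible, never the vendor's internal server.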
