Cisco ASA Remote Access VPN

Hi @sclarke1210,

You won’t see a tunnel interface directly. If you want to verify that a user has connected and see the IP address that was assigned from the VPN pool, it’s best to use these two commands:

ASA# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

2   IKE Peer: 62.44.197.140
    Type    : user            Role    : responder 
    Rekey   : no              State   : AM_ACTIVE 

Above you can see that a user has connected. The IP addresses you can see below:

ASA# show crypto ipsec sa user renemolenaar
username: renemolenaar
    Crypto map tag: RMCS_VPN, seq num: 10, local addr: 1.2.3.4

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
      current_peer: 62.44.197.140, username: renemolenaar
      dynamic allocated peer ip: 192.168.1.100
      dynamic allocated peer ip(ipv6): 0.0.0.0

      #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 67, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.2.3.4/4500, remote crypto endpt.: 62.44.197.140/6967
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 029C51AC
      current inbound spi : 323F5F7F
              
    inbound esp sas:
      spi: 0x323F5F7F (843014015)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 4460544, crypto-map: RMCS_VPN
         sa timing: remaining key lifetime (sec): 28722
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x029C51AC (43798956)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 4460544, crypto-map: RMCS_VPN
         sa timing: remaining key lifetime (sec): 28722
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Above you can see the dynamic allocated peer ip, which is the IP address from the VPN pool.

Rene

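An added example, not part of the post above and not Cisco tooling: a Python parser for saved `show crypto ipsec sa` text that extracts each user's public peer address and pool-assigned IP and checks the assignment against the expected VPN pool. The pool `192.168.1.0/24`, the second session (`alice`) and the name `parse_ipsec_sa` are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: trimmed from the "show crypto ipsec sa user" output above,
# plus one invented second session (alice) to show multi-user parsing.
SAMPLE = """\
username: renemolenaar
    Crypto map tag: RMCS_VPN, seq num: 10, local addr: 1.2.3.4
      current_peer: 62.44.197.140, username: renemolenaar
      dynamic allocated peer ip: 192.168.1.100
      dynamic allocated peer ip(ipv6): 0.0.0.0
      #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
username: alice
      current_peer: 203.0.113.9, username: alice
      dynamic allocated peer ip: 10.9.9.9
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
"""

FIELDS = {
    "peer": re.compile(r"current_peer:\s*([\d.]+)"),
    # "ip:" does not match the "ip(ipv6):" line, so only the IPv4 value is taken.
    "assigned_ip": re.compile(r"dynamic allocated peer ip:\s*([\d.]+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
}

def parse_ipsec_sa(text, pool="192.168.1.0/24"):
    """Return one dict per 'username:' block; pool is an assumed VPN pool."""
    net = ipaddress.ip_network(pool)
    sessions = []
    # Each session starts with a line beginning "username:" at column 0.
    for block in re.split(r"(?m)^(?=username:)", text):
        m = re.match(r"username:\s*(\S+)", block)
        if not m:
            continue
        s = {"username": m.group(1), "nat_t": "NAT-T-Encaps" in block}
        for key, rx in FIELDS.items():
            hit = rx.search(block)
            s[key] = hit.group(1) if hit else None
        for key in ("encaps", "decaps"):
            s[key] = int(s[key]) if s[key] is not None else 0
        ip = s["assigned_ip"]
        s["in_pool"] = ip is not None and ipaddress.ip_address(ip) in net
        sessions.append(s)
    return sessions
```

Each returned dict pairs the username with the public peer address and the pool address, which is the mapping needed when matching VPN sessions to internal firewall or server logs.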