Velocity Reviews - Computer Hardware Reviews

Cisco ASA 55xx IPSEC traffic capture question

Heribert Steuer
02-13-2009
Guys,

when using "no sysopt connection permit-vpn" the traffic arriving
through an IPsec tunnel is sent through the access list bound to the
interface that the IPsec tunnel is bound to (usually the outbound one).

how do I capture traffic that arrives through the IPsec tunnel?

I tried to capture on the outbound interface (that terminates the tunnel)
but there is no traffic captured at all. To my understanding, the
traffic passes the outbound interface as encapsulated traffic, gets
decrypted and is sent through the same interface again so
that at least the access lists can match. But that seems not to be the case.

How can I capture traffic that comes through an IPsec tunnel at all?
Capturing on the inside interface is not an option as this will not show
any traffic that is blocked, NATed or whatever. Okay, at least the
traffic shows up on the internal interface, but there must be a way to
see the traffic that really arrives at the ASA.


Is there a solution at all?


cheers,
heri

Darren Green
02-14-2009
Heribert Steuer wrote:
> Guys,
>
> when using "no sysopt connection permit-vpn" the traffic arriving
> through an IPsec tunnel is sent through the access list bound to the
> interface that the IPsec tunnel is bound to (usually the outbound one).
>
> how do I capture traffic that arrives through the IPsec tunnel?
>
> I tried to capture on the outbound interface (that terminates the tunnel)
> but there is no traffic captured at all. To my understanding, the
> traffic passes the outbound interface as encapsulated traffic, gets
> decrypted and is sent through the same interface again so
> that at least the access lists can match. But that seems not to be the
> case.
>
> How can I capture traffic that comes through an IPsec tunnel at all?
> Capturing on the inside interface is not an option as this will not show
> any traffic that is blocked, NATed or whatever. Okay, at least the
> traffic shows up on the internal interface, but there must be a way to
> see the traffic that really arrives at the ASA.
>
>
> Is there a solution at all?
>
>
> cheers,
> heri

Hi,

I would assume if you wanted to do this on an ASA you could either:

1) Use the ASDM to monitor the packets in real time as they flow through
the device

2) Use capture lists. Check www.cisco.com for the same. You can set up
an inside and outside capture list, effectively turning the ASA into a
cut-down sniffer. You can export the capture into the relevant format
for further analysis with, say, Wireshark etc.

3) Use a sniffer. Port-mirror the traffic using a switch, assuming you
have one in between, e.g. your Internet router and your ASA.


Regards

Darren
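Option 2 above, worked through on the ASA CLI. This is an added example, not part of Darren's post or of Cisco's documentation. It uses constructed values: interfaces `outside` (terminating the tunnel) and `inside`, local site 10.1.1.0/24, remote site 192.168.1.0/24, local peer 198.51.100.1, remote peer 203.0.113.10, and a TFTP placeholder for the export. The point for the original question is that decrypted tunnel traffic is processed on the outside interface, so a capture there must match on the inner (cleartext) addresses, not the peers; a capture matching the peer addresses only ever sees ESP. Which release shows the decrypted packets in the plain outside capture and which needs the `include-decrypted` keyword varies, so check `capture capout interface outside ?` on your version.

```cisco
! --- Constructed example values, not from the thread ---
! outside = interface terminating the tunnel, inside = LAN
! local site 10.1.1.0/24, remote site 192.168.1.0/24
! local peer 198.51.100.1, remote peer 203.0.113.10

! 1) Cleartext view: match on the INNER addresses on the outside interface.
!    After decryption the ASA treats the inner packet as ingress on this
!    interface; with "no sysopt connection permit-vpn" this is also where
!    the interface ACL is applied to it.
access-list CAP-VPN-CLEAR extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CAP-VPN-CLEAR extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
capture capout interface outside access-list CAP-VPN-CLEAR buffer 1048576

! Later releases add an explicit keyword for the decrypted packets; if
! "capture capout interface outside ?" lists it, use this form instead:
! capture capout interface outside include-decrypted access-list CAP-VPN-CLEAR

! 2) Encrypted view: ESP and IKE exactly as they arrive on the wire.
access-list CAP-VPN-ESP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list CAP-VPN-ESP extended permit esp host 198.51.100.1 host 203.0.113.10
capture capesp interface outside access-list CAP-VPN-ESP
capture capike type isakmp interface outside

! 3) Inside view for comparison: what survives the ACL and NAT.
capture capin interface inside access-list CAP-VPN-CLEAR

! 4) Packets the ASA dropped, tagged with the drop reason (ACL deny,
!    NAT failure, ...). This is the "blocked" traffic the inside capture
!    never shows.
capture capdrop type asp-drop all

! Inspect on the box ...
show capture capout
show capture capdrop
! ... or export for Wireshark (the TFTP host is a placeholder).
copy /pcap capture:capout tftp://TFTP-SERVER-PLACEHOLDER/capout.pcap

! Simulate one tunneled flow to see which ACL and NAT rule it hits.
packet-tracer input outside tcp 192.168.1.10 40000 10.1.1.5 80

! Remove the captures when done; they cost memory and CPU.
no capture capout
no capture capesp
no capture capike
no capture capin
no capture capdrop
```

Reading the three views side by side answers the original question: `capesp` proves the peer is sending, `capout` shows what the ASA decrypted, `capdrop` shows what it then refused and why, and `capin` shows what reached the LAN.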