Cisco ASA 55xx IPSEC traffic capture question

Discussion in 'Cisco' started by Heribert Steuer, Feb 13, 2009.

  1. Guys,

when using "no sysopt connection permit-vpn" the traffic arriving
    through an ipsec tunnel is sent through the access list bound to the
    interface that the ipsec tunnel is bound to (usually the outbound one).

    how do I capture traffic that arrives through the ipsec tunnel?

    i tried to capture on the outbound interface (that terminates the tunnel)
    but there is no traffic captured at all. to my understanding, the
    encapsulated traffic passes the outbound interface, the ASA
    decrypts it and sends the traffic through the same interface again so
    that at least the access lists can match. but that seems not to be the case.

    how can i capture traffic that comes through an ipsec tunnel at all?
    capturing on the inside interface is not an option as this will not show
    any traffic that is blocked, nat'ed or whatever. okay, at least the
    traffic shows up on the internal interface, but there must be a way to
    see the traffic that really arrives at the ASA.


    is there a solution at all?


    cheers,
    heri
    Heribert Steuer, Feb 13, 2009
    #1

  2. Darren Green

    Heribert Steuer wrote:
    > Guys,
    >
    > when using "no sysopt connection permit-vpn" the traffic arriving
    > through an ipsec tunnel is sent through the access list bound to the
    > interface that the ipsec tunnel is bound to (usually the outbound one).
    >
    > how do I capture traffic that arrives through the ipsec tunnel?
    >
    > i tried to capture on the outbound interface (that terminates the tunnel)
    > but there is no traffic captured at all. to my understanding, the
    > encapsulated traffic passes the outbound interface, the ASA
    > decrypts it and sends the traffic through the same interface again so
    > that at least the access lists can match. but that seems not to be the
    > case.
    >
    > how can i capture traffic that comes through an ipsec tunnel at all?
    > capturing on the inside interface is not an option as this will not show
    > any traffic that is blocked, nat'ed or whatever. okay, at least the
    > traffic shows up on the internal interface, but there must be a way to
    > see the traffic that really arrives at the ASA.
    >
    >
    > is there a solution at all?
    >
    >
    > cheers,
    > heri

    Hi,

    I would assume if you wanted to do this on an ASA you could either:

    1) Use the ASDM to monitor the packets in real time as they flow through
    the device

    2) Use capture lists. Check www.cisco.com for the same. You can set up
    an inside and outside capture list, effectively turning the ASA into a
    cut-down sniffer. You can export the capture into the relevant format
    for further analysis with, say, Wireshark, etc.

    3) Use a sniffer. Port mirror the traffic using a switch assuming you
    have one in between e.g. your Internet router and your ASA.


    Regards

    Darren
    Darren Green, Feb 14, 2009
    #2
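The following is an added example of option 2 above (the ASA's built-in `capture` facility); it is not configuration posted by either participant. It shows three captures that together answer the original question: one on the encrypted ESP/ISAKMP packets between the peers, one that matches the inner (post-decryption) addresses on the same outside interface, and an `asp-drop` capture that records packets the ASA discards along with the drop reason, which is exactly the traffic an inside-interface capture never shows. All addresses are placeholders: 192.0.2.1 is the remote VPN peer, 198.51.100.1 the ASA's own outside address, 10.1.1.0/24 the remote protected network, 192.168.1.0/24 the local protected network and 192.0.2.10 a TFTP server.

```cisco
! Added example (not from the thread). Placeholder addresses, see lead-in.

! 1) Encrypted view: ESP (IP protocol 50) and ISAKMP between the tunnel peers
!    on the outside interface. This proves tunnel packets reach the box at all.
access-list CAP-ESP extended permit esp host 192.0.2.1 host 198.51.100.1
access-list CAP-ESP extended permit esp host 198.51.100.1 host 192.0.2.1
capture ESP access-list CAP-ESP interface outside
capture ISA type isakmp interface outside

! 2) Cleartext view: match the inner addresses on the same outside interface.
!    Decrypted packets are re-injected on the interface they arrived on, so a
!    capture keyed on the protected networks shows them in the clear, before
!    the interface access list is evaluated.
access-list CAP-VPN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CAP-VPN extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
capture VPNIN access-list CAP-VPN interface outside

! 3) Dropped packets: records everything the accelerated security path
!    discards, tagged with the drop reason (for example acl-drop).
capture DROPS type asp-drop all

! Inspect on the box ...
show capture ESP
show capture VPNIN
show capture DROPS
show asp drop

! ... or export the pcap for Wireshark, then remove the captures, since a
! running capture consumes memory on the appliance.
copy /pcap capture:VPNIN tftp://192.0.2.10/vpnin.pcap
no capture VPNIN
no capture ESP
no capture ISA
no capture DROPS
```

If the ESP capture fills but VPNIN stays empty, the packets are not being decrypted (wrong proxy identities or no matching SA); if VPNIN fills but nothing reaches the inside, the DROPS capture names the reason, typically the interface access list or NAT.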
