Cisco ASA 55xx IPSEC traffic capture question


When using "no sysopt connection permit-vpn", the traffic arriving through an IPsec tunnel is sent through the access list bound to the interface that the IPsec tunnel is bound to (usually the outside one).

How do I capture traffic that arrives through the IPsec tunnel?

I tried to capture on the outside interface (that terminates the tunnel), but there is no traffic captured at all. To my understanding, the encapsulated traffic passes the outside interface, is decrypted, and is sent through the same interface again so that at least the access lists can match. But that seems not to be the case.

How can I capture traffic that comes through an IPsec tunnel at all? Capturing on the inside interface is not an option, as this will not show any traffic that is blocked, NAT'ed or whatever. Okay, at least the traffic shows up on the internal interface, but there must be a way to see the traffic that really arrives at the ASA.

Is there a solution at all?

cheers, heri

Heribert Steuer


I would assume if you wanted to do this on an ASA you could either:

1) Use the ASDM to monitor the packets in real time as they flow through the device

2) Use capture lists. You can set up an inside and outside capture list, effectively turning the ASA into a cut-down sniffer. You can export the capture into the relevant format for further analysis with, say, Wireshark.

3) Use a sniffer. Port-mirror the traffic using a switch, assuming you have one in between, e.g. between your Internet router and your ASA.
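As an added example of option 2, not taken from either poster, here is how the ASA's own capture command is typically set up for the original question: a capture bound to the outside interface but matched on the inner (cleartext) addresses, since the ASA evaluates captures on that interface after decryption, alongside a second capture of the ESP packets for comparison, an export for Wireshark, and a packet-tracer check of the interface ACL that applies when "no sysopt connection permit-vpn" is set. All interface names, ACL names and addresses are assumptions (10.1.1.0/24 is the LAN behind "inside", 10.2.2.0/24 the remote LAN behind the tunnel, 203.0.113.10 and 198.51.100.20 the two tunnel peers, 192.0.2.50 a TFTP server); confirm on your release that the outside capture shows decrypted packets before relying on it.

```cisco
! Added example, not from the original thread. Names and addresses are
! assumptions; 10.2.2.0/24 is the remote LAN reached through the tunnel.

! 1. Decrypted packets as they arrive from the tunnel. The capture is bound
!    to the outside interface but matches the inner addresses, not the ESP
!    peers, so it shows what the outside interface ACL will evaluate.
access-list CAP_VPN_IN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
capture vpn_in interface outside access-list CAP_VPN_IN buffer 1048576 packet-length 1522

! 2. The encrypted side, for comparison: ESP between the two tunnel peers.
access-list CAP_ESP extended permit esp host 203.0.113.10 host 198.51.100.20
capture esp_out interface outside access-list CAP_ESP

! 3. Inspect on the box, then export the capture for Wireshark.
show capture vpn_in
show capture vpn_in detail
copy /pcap capture:vpn_in tftp://192.0.2.50/vpn_in.pcap

! 4. With "no sysopt connection permit-vpn" the interface ACL applies to
!    tunnel traffic; packet-tracer shows whether a given flow is dropped
!    there without waiting for live traffic.
packet-tracer input outside tcp 10.2.2.15 1025 10.1.1.10 445

! 5. Remove the captures when done; they hold buffer memory until cleared.
no capture vpn_in
no capture esp_out
```

The point of matching on the inner addresses rather than the peer addresses is exactly the poster's problem: a capture written for the ESP peers only ever sees the encrypted packets, so the decrypted traffic appears absent even though the ASA is processing it.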



Darren Green