when using "no sysopt connection permit-vpn" the traffic arriving through a ipsec tunnel is sent through the access list bound to the interface that the ipsec tunnel is bound to (usually the outbound one).
how do I capture traffic that arrives through the ipsec tunnel?
i tried to capture on the outbound interface (that terminals the tunnel) but there is no traffic captured at all. for my understanding, the traffic passes the outbound interface with encapsulated traffic, decrypts it and sends the traffic through the same interface again so that at least the access lists can match. but that seems not to be the case.
how can i capture traffic that comes through an ipsec tunnel at all? capturing on the inside interface is not an option as this will not show any traffic that is blocked, nat'ed or whatever. okay, at least the traffic shows up on the internal interface, but there must be a way to see the traffic that really arrives at the ASA.
is there a solution at all?