Cisco ASA 55xx IPSEC traffic capture question
Guys,
when using "no sysopt connection permit-vpn" the traffic arriving
through an IPsec tunnel is sent through the access list bound to the
interface that the IPsec tunnel is bound to (usually the outbound one).
How do I capture traffic that arrives through the IPsec tunnel?
I tried to capture on the outbound interface (that terminates the tunnel)
but there is no traffic captured at all. To my understanding, the
traffic passes the outbound interface as encapsulated traffic, the ASA
decrypts it and sends the traffic through the same interface again so
that at least the access lists can match. But that seems not to be the case.
How can I capture traffic that comes through an IPsec tunnel at all?
Capturing on the inside interface is not an option as this will not show
any traffic that is blocked, NATed or whatever. Okay, at least the
traffic shows up on the internal interface, but there must be a way to
see the traffic that really arrives at the ASA.
Is there a solution at all?
cheers,
heri
Heribert | 2/13/2009 12:21:07 PM
Heribert Steuer wrote:
> Guys,
>
> when using "no sysopt connection permit-vpn" the traffic arriving
> through an IPsec tunnel is sent through the access list bound to the
> interface that the IPsec tunnel is bound to (usually the outbound one).
>
> How do I capture traffic that arrives through the IPsec tunnel?
>
> I tried to capture on the outbound interface (that terminates the tunnel)
> but there is no traffic captured at all. To my understanding, the
> traffic passes the outbound interface as encapsulated traffic, the ASA
> decrypts it and sends the traffic through the same interface again so
> that at least the access lists can match. But that seems not to be the
> case.
>
> How can I capture traffic that comes through an IPsec tunnel at all?
> Capturing on the inside interface is not an option as this will not show
> any traffic that is blocked, NATed or whatever. Okay, at least the
> traffic shows up on the internal interface, but there must be a way to
> see the traffic that really arrives at the ASA.
>
> Is there a solution at all?
>
> cheers,
> heri
Hi,
I would assume if you wanted to do this on an ASA you could either:
1) Use the ASDM to monitor the packets in real time as they flow through
the device
2) Use capture lists. Check www.cisco.com for the same. You can set up
an inside and outside capture list, effectively turning the ASA into a
cut-down sniffer. You can export the capture into the relevant format
for further analysis with, say, Wireshark etc.
3) Use a sniffer. Port mirror the traffic using a switch, assuming you
have one in between e.g. your Internet router and your ASA.
Regards
Darren
Darren | 2/14/2009 8:48:15 AM
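The capture-list approach from Darren's reply, written out as added ASA CLI that is not from either post; the subnets, capture names and TFTP server are constructed placeholders. A capture bound to the tunnel-terminating interface whose ACL names the inner (cleartext) addresses records the decrypted packets, because the ASA runs them through that interface's ingress processing again, and an asp-drop capture shows what the ASA discarded, which an inside capture never sees.

```cisco
! Added example, not from the thread. 192.168.10.0/24 is the local LAN,
! 192.168.20.0/24 the remote VPN site, 10.1.1.5 a TFTP server: all constructed.
!
! ACL matching the decrypted (inner) addresses in both directions.
access-list CAP_VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list CAP_VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
!
! Bind the capture to the interface that terminates the tunnel. The inner
! addresses are never visible in the ESP packets, so every hit here is a
! decrypted packet (or a cleartext reply about to be encrypted).
capture VPN_IN access-list CAP_VPN interface outside
!
! Raw ESP on the wire, to confirm the peer is actually sending anything.
access-list CAP_ESP extended permit esp any any
capture ESP_IN access-list CAP_ESP interface outside
!
! Packets the ASA discards anywhere in its pipeline (interface ACL deny,
! NAT failures, etc.), including decrypted VPN traffic blocked by the ACL.
capture DROPS type asp-drop all
!
! Inspect on the box ...
show capture VPN_IN detail
show capture DROPS | include 192.168.20.
!
! ... or export as pcap for Wireshark, then tear the captures down.
copy /pcap capture:VPN_IN tftp://10.1.1.5/vpn_in.pcap
no capture VPN_IN
no capture ESP_IN
no capture DROPS
```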