topic Re: ASA IPSec finding hosts that are using the tunnel in Network Security

ASA IPSec finding hosts that are using the tunnel

JeffAllen0892 — Fri, 21 Feb 2020 16:32:28 GMT

Hello need advice on how to identify who is using an IPSec tunnel

can not capture packets using because of encryption, correct ?

if I do a show vpn-seas l2l I see the tunnel peer and the destination which is the Asa outside interface

I need to identify who is actually using the tunnel, thanks for any help

Re: ASA IPSec finding hosts that are using the tunnel

Seb Rupik — Wed, 05 Dec 2018 11:37:37 GMT

HI there,

Check the ACL which is used to match traffic for the particular entry in the crypto map. Use the output from sh vpn-sessiondb det l2l to find the remote address and cross reference that against the crypto map config peer address to find the correct entry.

Looking at the ACL you can then determine from the IP source section which of your hosts are permitted to use the VPN, when trying to reach the destination subnet(s) specified by the ACL.

Since you can’t run a packet capture, do you have netflow configured? Failing that just look at the connection table, although this method will not give you any historic information.

Cheers,

Seb.

Re: ASA IPSec finding hosts that are using the tunnel

JeffAllen0892 — Wed, 05 Dec 2018 13:20:31 GMT

Seb

The problem is the local address is the outside interface of the Asa

Re: ASA IPSec finding hosts that are using the tunnel

Seb Rupik — Wed, 05 Dec 2018 13:58:56 GMT

I would expect that, as the outside address is the peer address that the remote IPSec endpoints will be connecting to.

Its the remote address which you need to match against the crypto map set peer statement. That will tell you which ACL to look at to determine the traffic flows which will be sent down the VPN.

Re: ASA IPSec finding hosts that are using the tunnel

JeffAllen0892 — Wed, 05 Dec 2018 17:54:31 GMT

Yes

I am going to set up a log server and see if I see anything

Re: ASA IPSec finding hosts that are using the tunnel

JeffAllen0892 — Wed, 05 Dec 2018 18:52:31 GMT

Set up logging server set to sev 7 still can figure out who is hitting the tunnel

Any insight would be appreciated

Re: ASA IPSec finding hosts that are using the tunnel

Richard Burts — Wed, 05 Dec 2018 22:14:47 GMT

We do not know details of your environment, but in many of the site to site vpn the acl used to identify traffic for the tunnel just permit local subnet x to go to remote subnet y. In that case the acl does not have anything that can identify which specific local hosts are using the vpn. I find the suggestion about net flow very interesting. If you do have net flow implemented then you could possibly look in the net flow data for source addresses in the local subnet and destination addresses in the remote subnet.

HTH

Rick