If you ping from the ASA headend device where IPSEC tunnels are built, does the ping take the tunnel?

CiscoPurpleBelt
Level 6

Say the interesting traffic is ANY source on the ASA where you have IPSEC tunnels built. If I ping a destination IP which is deemed interesting traffic, what is a good way to confirm the traffic is taking the IPSEC tunnel?

Accepted Solution

What is the output of "show crypto ipsec sa"? Are the encaps and decaps increasing?

What is the configuration of the other firewall? Is the destination "any"?
What is the output of "show crypto ipsec sa" on the remote device? encaps|decaps?

Do you have a NO-NAT rule defined, to ensure the traffic is not unintentionally NATted?

HTH
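One way to make the encaps/decaps check from the accepted answer repeatable, as an added example that is not from this thread: capture "show crypto ipsec sa" before and after sending a burst of pings, diff the per-SA counters, and read the result the way the answer does (both counters moving, encaps only, or nothing). The ASA output below is constructed in the shape of the real command output, and the peer and network addresses are made up.

```python
import re

# Constructed snapshots in the shape of ASA "show crypto ipsec sa" output (not
# from a real device): one SA, captured before and after sending a burst of pings.
BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.2
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.5
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify: 1480
"""
# Healthy case: both counters moved. One-way case: only encaps moved.
AFTER_OK = BEFORE.replace("encaps: 1500", "encaps: 1505").replace("decaps: 1480", "decaps: 1485")
AFTER_ONEWAY = BEFORE.replace("encaps: 1500", "encaps: 1505")

IDENT_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Map (peer, remote ident) -> {'encaps': n, 'decaps': n} for each SA in the output."""
    sas, key, ident = {}, None, None
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            ident = m.group(1)
        elif m := PEER_RE.search(line):
            key = (m.group(1), ident)  # current_peer follows the ident lines
            sas.setdefault(key, {})
        elif (m := PKTS_RE.search(line)) and key:
            sas[key][m.group(1)] = int(m.group(2))
    return sas


def counter_deltas(before, after):
    """Growth of encaps/decaps per SA between two snapshots."""
    b, a = parse_sa(before), parse_sa(after)
    return {k: {c: v.get(c, 0) - b.get(k, {}).get(c, 0) for c in ("encaps", "decaps")}
            for k, v in a.items()}


def verdict(delta):
    """Read one SA's deltas the way the accepted answer does."""
    if delta["encaps"] > 0 and delta["decaps"] > 0:
        return "both directions through the tunnel"
    if delta["encaps"] > 0:
        return "encrypted outbound only: check remote crypto ACL, NO-NAT and return routing"
    return "no movement: traffic not matching the crypto ACL (check NAT and routing first)"
```

With the sample above, counter_deltas(BEFORE, AFTER_OK) reports 5 encaps and 5 decaps for the 203.0.113.5 SA, while AFTER_ONEWAY trips the encaps-only branch; paste real before/after captures into the two strings to run it against a live box.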

7 Replies

balaji.bandi
Hall of Fame

If the default route interface is the tunnel, yes; if not, it depends on the source IP, which determines the path the outbound traffic takes.

BB

I am not sure if I follow, given it's IPSEC with no tunnel interface IP like GRE. The default route on the ASA does not point to a tunnel destination. Is that what you mean?

To add, the default route points to the next hop of the outside interface, which is what the tunnel uses?

Hi,
If the source and destination IP addresses are referenced in the crypto ACL (identified as interesting traffic) then traffic should go via the VPN tunnel.

If those networks are private IP addresses (RFC 1918) then they would not be routable over the internet and therefore could only be routed over a tunnel.

You can confirm the path of the traffic via packet capture on the remote ASA.

HTH

I can't access the remote device.
For interesting traffic, the source is ANY, so that means it should take it, correct?


What I meant was, by default you are pointing your public-facing IP address towards the ISP; that is how you are able to establish tunnels.

So if you ping from the device, it uses the public IP address, so it will go to the ISP.

If you have set up ACLs and they are part of the IPSEC tunnel interesting traffic, and you source from them, they use the tunnel.

First step is: make sure your IPSEC tunnel is up and running, and the other side also allows your IP range (no duplication of IP range; if there is any, you need to do double NAT).

You can check with the show crypto command for the traffic going via the tunnel.

It would be nice to provide more configuration from both sides, including show crypto information, to suggest the best approach.

BB