Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1112
Views
0
Helpful
6
Replies

ASA IPSec finding hosts that are using the tunnel

JeffAllen0892
Level 1
Level 1

‎12-05-2018 03:24 AM - edited ‎02-21-2020 08:32 AM

Hello need advice on how to identify who is using an IPSec tunnel

can not capture packets using because of encryption, correct ?

 

if I do a show vpn-seas l2l I see the tunnel peer and the destination which is the Asa outside interface

 

I need to identify who is actually using the tunnel, thanks for any help

0 Helpful
6 Replies 6

Seb Rupik
VIP Alumni
VIP Alumni

‎12-05-2018 03:37 AM

HI there,

Check the ACL which is used to match traffic for the particular entry in the crypto map. Use the output from sh vpn-sessiondb det l2l to find the remote address and cross reference that against the crypto map config peer address to find the correct entry.

 

Looking at the ACL you can then determine from the IP source section which of your hosts are permitted to use the VPN, when trying to reach the destination subnet(s) specified by the ACL.

 

Since you can’t run a packet capture, do you have netflow configured? Failing that just look at the connection table, although this method will not give you any historic information.

 

Cheers,

Seb.

0 Helpful

JeffAllen0892
Level 1
Level 1
In response to Seb Rupik

‎12-05-2018 05:20 AM

Seb

The problem is the local address is the outside interface of the Asa
0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to JeffAllen0892

‎12-05-2018 05:58 AM

I would expect that, as the outside address is the peer address that the remote IPSec endpoints will be connecting to.

 

Its the remote address which you need to match against the crypto map set peer statement. That will tell you which ACL to look at to determine the traffic flows which will be sent down the VPN.

 

 

0 Helpful

JeffAllen0892
Level 1
Level 1
In response to Seb Rupik

‎12-05-2018 09:54 AM

Yes

I am going to set up a log server and see if I see anything
0 Helpful

JeffAllen0892
Level 1
Level 1
In response to JeffAllen0892

‎12-05-2018 10:52 AM

Set up logging server set to sev 7 still can figure out who is hitting the tunnel

Any insight would be appreciated
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to JeffAllen0892

‎12-05-2018 02:14 PM

We do not know details of your environment, but in many of the site to site vpn the acl used to identify traffic for the tunnel just permit local subnet x to go to remote subnet y. In that case the acl does not have anything that can identify which specific local hosts are using the vpn. I find the suggestion about net flow very interesting. If you do have net flow implemented then you could possibly look in the net flow data for source addresses in the local subnet and destination addresses in the remote subnet.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card