ASA IPSec finding hosts that are using the tunnel

JeffAllen0892
Level 1

Hello, I need advice on how to identify who is using an IPSec tunnel.

I cannot capture packets because of the encryption, correct?

 

If I do a show vpn-sessiondb l2l I see the tunnel peer and the destination, which is the ASA outside interface.

 

I need to identify who is actually using the tunnel. Thanks for any help.


Seb Rupik
VIP Alumni

Hi there,

Check the ACL which is used to match traffic for the particular entry in the crypto map. Use the output from sh vpn-sessiondb det l2l to find the remote address and cross reference that against the crypto map config peer address to find the correct entry.

 

Looking at the ACL you can then determine from the IP source section which of your hosts are permitted to use the VPN, when trying to reach the destination subnet(s) specified by the ACL.

 

Since you can't run a packet capture, do you have NetFlow configured? Failing that, just look at the connection table, although this method will not give you any historic information.

 

Cheers,

Seb.

Seb

The problem is the local address is the outside interface of the ASA.

I would expect that, as the outside address is the peer address that the remote IPSec endpoints will be connecting to.

 

It's the remote address which you need to match against the crypto map set peer statement. That will tell you which ACL to look at to determine the traffic flows which will be sent down the VPN.

 

 

Yes

I am going to set up a log server and see if I see anything

Set up a logging server at sev 7; still can't figure out who is hitting the tunnel.

Any insight would be appreciated

We do not know the details of your environment, but in many site-to-site VPNs the ACL used to identify traffic for the tunnel just permits local subnet x to go to remote subnet y. In that case the ACL does not have anything that can identify which specific local hosts are using the VPN. I find the suggestion about NetFlow very interesting. If you do have NetFlow implemented then you could possibly look in the NetFlow data for source addresses in the local subnet and destination addresses in the remote subnet.

 

HTH

 

Rick
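As an added example, not from this thread or from Cisco, the lookup Rick describes done over exported flow records: keep only flows whose source is in the crypto ACL's local subnet and whose destination is in its remote subnet, then total bytes per local host. The subnets and the flow lines are constructed sample values, and the records are assumed to have already been flattened to CSV (src,dst,bytes) by whatever collector receives the ASA's export.

```python
# Added example, not the thread's own code: identify local hosts whose flows
# would match a "local subnet x -> remote subnet y" crypto ACL.
# Subnets and flow records below are constructed for illustration.
import ipaddress
from collections import Counter

LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/24")       # "subnet x" in the crypto ACL
REMOTE_SUBNET = ipaddress.ip_network("192.168.50.0/24")  # "subnet y" in the crypto ACL

# Constructed flow export, flattened to: src,dst,bytes (one flow per line)
SAMPLE_FLOWS = """\
10.1.0.15,192.168.50.10,51200
10.1.0.15,192.168.50.10,204800
10.1.0.77,192.168.50.22,180
10.1.0.15,8.8.8.8,120
172.16.4.9,192.168.50.10,9000
10.1.0.201,192.168.50.10,88000
"""

def parse_flows(text):
    """Parse CSV flow lines into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        src, dst, nbytes = parts
        try:
            flows.append({
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "bytes": int(nbytes),
            })
        except ValueError:
            continue  # not an address / not a number: drop the line
    return flows

def tunnel_users(flows, local=LOCAL_SUBNET, remote=REMOTE_SUBNET):
    """Return {local_host: total_bytes} for flows the crypto ACL would send down the tunnel."""
    usage = Counter()
    for f in flows:
        # Same match the ACL makes: local source AND remote destination
        if f["src"] in local and f["dst"] in remote:
            usage[str(f["src"])] += f["bytes"]
    return dict(usage)

if __name__ == "__main__":
    for host, nbytes in tunnel_users(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{host:16} {nbytes} bytes to {REMOTE_SUBNET}")
```

Traffic from the local subnet to anywhere else (the 8.8.8.8 line) and traffic from outside the local subnet (the 172.16.4.9 line) are left out, which is exactly what the ACL would do.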
