
ASA - Packet sniffer between S2S tunnels.

morabusa
Level 1

Hi, I am currently working on a topology where an ASA device (Headquarter device, let's call it site A) has three tunnels, one tunnel to AWS, and two tunnels to connect with two branch offices (each branch also has an ASA device), let's call them site B and site C. So, when someone connected from a branch office needs to connect to SAP servers placed in AWS, the traffic passes through the branch -> Headquarter, and then through Headquarter -> AWS.

Users connected from Site A and Site B are able to connect to AWS without problems, but users connected from Site C aren't. Keep in mind that all the traffic gets translated using a NAT in the Headquarter ASA (Site A) before going to AWS, and I can see the traffic in syslog and the users' original IPs getting translated in Site A.

My question is: is there a way to capture traffic in Site A if traffic comes in and comes out using the same interface (Outside interface) and it is all encrypted? I can see some traffic in syslog but not when trying to get captures through the CLI (I suppose that it is due to the traffic being encrypted going in and out through the interfaces). Thanks.

 
