Yes you can do the packet

_Ratha_ · ‎07-12-2017

Dear all,

I need to capture packet go through VPN tunnel on ASA. I try to follow guide line with link bellow, but it show packet buffer empty.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Is there any way to capture packet VPN tunnel.

Thank

Ratha

Dinesh Moudgil · ‎07-12-2017

Hi Ratha,

You can capture the plain text packets on ingress interface.

e.g.

PC-------switch----g0/1 ASA g0/2------------VPN---------------Remote Peer

In this case , you can apply captures on g0/1 on ASA to gather unencrypted packets being sent from PC to remote side or packets coming from remote side to your PC.

You can apply packet captures on g0/2 but packets will be encrypted and you won't be able to see the real source and destination

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

_Ratha_ · ‎07-12-2017

Dear Dinesh Moudgil,

Thank for respond,

bellow is my diagram

PC1_______ASA1_____S2S_____ASA2_______PC2.

I want to capture traffic from between PC1 and PC2 on ASA2.

I want to see does any drop packet on ASA2.

is it possible to capture here?

Best regard,

Ratha

Dinesh Moudgil · ‎07-12-2017

Yes you can do the packet capture on interface between ASA2 and PC2

Or run
cap asp type asp-drop all

and run

show cap asp | in <interesting IP>
to check if the packet drops are happening on ASA.

Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Packet Captures VPN traffic on ASA