Showing results for 
Search instead for 
Did you mean: 


Unable to capture packets on ASA(ASDM)

Hi all,

We have site to site VPN connection to one of our client. From which we both are accessing our applications and other resources. Now client needs to acccess two of our internal server. So we have created Static NAT in our ASA. For one server they are accessing without any issues. But the other server they are not able to connect. Since its vpn tunnel we havent blocked any ports and its open to all traffic. But their side they have restricted and we need to see whether the packets hitting our ASA or not. Once we observes this, its easy for us to escalate them. I tried packet capture wizard in ASDM. But its not showing anything. Can anyone tell me how to capture packets realated to Static NAT. Please let me know if you want anyother details?

local -->this will get natted to ---> when going in for tunnel

we have created

static(outside,inside) working

static(outside,inside) not working, we need to check whether its hitting

Kindly advise...



Jennifer Halim
Cisco Employee

Your static NAT is incorrect, it's the other way round. It should be:

static (inside,outside) netmask

static (inside,outside) netmask

not sure if you want to restrict the NATing to that if you are just going towards the remote subnet, if you are then you would need to create static policy NAT as follows:

access-list nat-to-client permit ip

static (inside,outside) access-list nat-to-client

the above will NAT the whole subnet of when going towards remote client subnet to


Thanks for your reply. It was the typo in my question and added static nat properly with " netmask " statement. We have also added nat for nat to client but in our case we have used global nat. All other traffic to and fro in vpn is working fine. My doubt is whether in client side they have properly opened ports and configured nat correctly or not. If we capture packets for the respective traffic, we can easily corner the problem. Kindly check this and It would be really helpful if you guide me towards capturing packets.



Sent from Cisco Technical Support Android App

Where are you trying to initiate the connection from?

If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.

Please share what you have configured to capture the traffic?

To check if the traffic is reaching the inside interface, just configure ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.

To check if the traffic is leaving the inside interface towards the host behind your ASA, configure ACL between source (remote IP), and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.

Content for Community-Ad