Hi Giuseppe,

Thanks for the help yet again.  This is a little troubling what you are suggesting, since the packet capture will not allow me to distinguish what I am looking for.

Basically, I want to be able to definitively see that I am receiving traffic from 198.198.4.53 to 10.10.10.50 via the VPN tunnel rather than the Internet and that we are also sending return traffic through the tunnel, un-NATed in both directions. 

How can I conclusively show this is occurring?

There is an entry, which is good, I think...  but it doesn't give me the detail I want, e.g. for inbound traffic comes through the tunnel, is the return traffic also going out through the tunnel?

protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (198.198.4.53/255.255.255.255/0/0)
current_peer 198.198.4.38 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 3522, #pkts decrypt: 3522, #pkts verify: 3522
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 38.38.38.98, remote crypto endpt.: 198.198.4.38
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0xE6BEE1BE(3871269310)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xC0D61316(3235255062)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2087, flow_id: ESG:87, sibling_flags FFFFFFFF80004048, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4608000/26632)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE6BEE1BE(3871269310)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2088, flow_id: ESG:88, sibling_flags FFFFFFFF80004048, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4608000/26632)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Hello JamesS4,

the interesting lines are

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (198.198.4.53/255.255.255.255/0/0)
current_peer 198.198.4.38 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
#pkts decaps: 3522, #pkts decrypt: 3522, #pkts verify: 3522

There are only 11 packets sent to 198.198.4.53 and 3522 received

In a working scenario the first pkts encaps should increment also when the connection is started from the remote site.

If this counter does not increment during an attempt to connect from remote site it is a confirmation return traffic is not going via IPSec ( it is an indirect info but it is meaningful)

Hope to help

Giuseppe

Yes it seems indirect deduction is as good as we can hope for. 

The question now is why is this happening??  =(

what i do not understand is why do we see this traffic at all in the capture?

38.38.38.98 -> 198.198.4.53 0 BE TCP

shouldn't this NAT not be occurring based on the NAT ACLs we have setup?

p7router1#sh ip nat trans
Pro Inside global Inside local Outside local Outside global

tcp 38.38.38.98:30001 10.10.10.50:30001 198.198.4.53:21459 198.198.4.53:21459

Hello JamesS4,

the ip nat translation that you see is derived from the following statement

ip nat inside source static tcp 10.10.10.50 30001 38.38.38.98 30001 extendable

tcp 38.38.38.98:30001 10.10.10.50:30001 198.198.4.53:21459 198.198.4.53:21459

Have you got a different internal host in network 10.10.10.0/24 to make the tests instead of focusing on this 10.10.10.50 host?

The packet capture may be related to the nat static statement but in this case the involved port is 30001 and not the telnet port that is 23.

To which TCP port is the remote site attempting to telnet to?

Hope to help

Giuseppe

attempting to telnet to 30001!!!  I think (hope) that is the problem?!

Hello JamesS4,

if the other side has always tried to telnet to TCP 30001 this is the root cause of the problem as the static NAT is triggered when using this specific TCP port.

Ask them to use a different TCP port or provide them a different target in 10.10.10.0/24 internal network.

Hope to help

Giuseppe

We opened an unused port on 10.10.10.50 and asked them to try it.  fingers crossed!

I selected two of Giuseppe's replies as solutions, since they are both correct.  

1) VPN tunnel packet capture can only help to detect traffic travelling across the tunnel endpoints.  There isn't a way to directly capture traffic from device endpoints.

2) looking at ipsec details shows endpoint connection stats, which aren't as ideal as a direct capture, but still provides the most  useful and relevant information