Capturing IPSEC traffic

tiwang (Level 7)

hi out there

I have a simple problem related to IPsec traffic. We are running Firepower ver. 7.2.7. We have a site-to-site VPN from a partner and this is coming into our network from the edge.

I can easily capture the encrypted traffic by using the edge interface as the interface to capture on - but if I want to capture the unencrypted traffic - is there a way to specify that when it is a "simple" traditional IPsec tunnel, not a VTI-based one? The challenge here for me is that I cannot just define the destination because in between we also do a NAT translation of their network, so even though it sounds as if I could just use the transition interface in my capture, it is not that simple. Is there a way to specify an interface for the Firepower's capture which shows the unencrypted traffic?

4 Replies

include-decrypted  <<- check this option with capture 

MHM

hmm this looks like a capture option using the FTD and not from the FMC - this is not an option available on the FMC - will try

I already checked; there is a bug about this feature missing in FMC, and Cisco has no plan to add it in the future.

Now, you can capture plain text by using an interface other than Outside, i.e. the interface from which the traffic comes.

I.e. you can use Inside or DMZ and capture traffic, and for the destination:

1- use the real IP, not the mapped IP, since the local FTD does NATing, so you must capture traffic before it is NATed

2- use the mapped IP since the remote FW does NATing

MHM

If that option is still not available in the FMC UI, then you can still get the capture from the FTD CLI. Log into the FTD and type "system support diagnostic-cli", then type "en" and hit enter without typing any password. This will take you to the Lina engine, which is the ASA code. From there do the capture as usual. For instance, "capture TIWANG interface outside include-decrypted match ip host 192.168.1.10 host 10.10.10.10", and then "show capture TIWANG", or you can add the real-time option to the capture command to return the capture output to the screen in real time. Finally, don't forget to remove the capture once you're done with the command "no capture TIWANG".
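Once a capture like the one above has been taken, the quickest sanity check is to confirm that "show capture" output really contains the tunnel payload (the host pair you matched on, on the correct side of NAT as MHM's reply points out) rather than ESP envelopes between the tunnel endpoints. The script below is an added example, not code from this thread or from Cisco: it parses the text layout Lina prints for "show capture NAME" (index, timestamp, "src > dst", protocol details) and checks both conditions. The two sample outputs are constructed for the example, using documentation and private address ranges, and the treatment of "ip-proto-50" as the marker for an ESP packet is an assumption about that text layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout Lina prints for "show capture NAME" after a
# capture taken with include-decrypted (or on an inside/DMZ interface). Not
# copied from the thread; addresses are private/documentation ranges.
PLAINTEXT_SAMPLE = """\
4 packets captured
   1: 09:15:02.118233       192.168.1.10.52144 > 10.10.10.10.443: S 1190231:1190231(0) win 64240 <mss 1460>
   2: 09:15:02.120001       10.10.10.10.443 > 192.168.1.10.52144: S 882:882(0) ack 1190232 win 29200
   3: 09:15:02.120455       192.168.1.10.52144 > 10.10.10.10.443: . ack 883 win 64240
   4: 09:15:05.300122       192.168.1.10 > 10.10.10.10 icmp: echo request
4 packets shown
"""

# Constructed sample of a capture on the edge interface taken *without*
# include-decrypted: only ESP (IP protocol 50) between the tunnel endpoints.
ESP_SAMPLE = """\
2 packets captured
   1: 09:15:02.118000       203.0.113.1 > 198.51.100.1: ip-proto-50, length 152
   2: 09:15:02.119900       198.51.100.1 > 203.0.113.1: ip-proto-50, length 152
2 packets shown
"""

PKT_RE = re.compile(r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<body>.+)$")
IPV4_PORT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<port>\d+))?$")


@dataclass(frozen=True)
class Packet:
    idx: int
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str  # "tcp", "udp", "icmp", "esp" or "other"


def _split_endpoint(tok: str):
    """'10.10.10.10.443' -> ('10.10.10.10', 443); '10.10.10.10' -> ('10.10.10.10', None)."""
    m = IPV4_PORT_RE.match(tok)
    if not m:
        return tok, None
    return m.group("ip"), (int(m.group("port")) if m.group("port") else None)


def _classify(rest: str, has_port: bool) -> str:
    if "ip-proto-50" in rest:   # assumed marker for an ESP envelope (IP proto 50)
        return "esp"
    if rest.startswith("icmp"):
        return "icmp"
    if rest.startswith("udp"):
        return "udp"
    return "tcp" if has_port else "other"


def parse_show_capture(text: str) -> List[Packet]:
    """Parse the packet lines of 'show capture NAME'; summary lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m or " > " not in m.group("body"):
            continue
        left, right = m.group("body").split(" > ", 1)
        src_tok = left.split()[-1]            # last token; skips any 802.1Q prefix
        dst_tok, _, rest = right.partition(" ")
        src, sport = _split_endpoint(src_tok)
        dst, dport = _split_endpoint(dst_tok.rstrip(":"))
        has_port = sport is not None or dport is not None
        packets.append(Packet(int(m.group("idx")), m.group("ts"), src, sport,
                              dst, dport, _classify(rest, has_port)))
    return packets


def is_decrypted(packets: List[Packet]) -> bool:
    """True when the capture holds tunnel payload, i.e. no packet is an ESP envelope."""
    return bool(packets) and all(p.proto != "esp" for p in packets)


def only_between(packets: List[Packet], host_a: str, host_b: str) -> bool:
    """True when every packet is between host_a and host_b (either direction).
    Use the real or mapped address that applies on the side of NAT you captured on."""
    pair = {host_a, host_b}
    return bool(packets) and all({p.src, p.dst} == pair for p in packets)


if __name__ == "__main__":
    for label, sample in (("plaintext", PLAINTEXT_SAMPLE), ("edge/ESP", ESP_SAMPLE)):
        pkts = parse_show_capture(sample)
        print(f"{label}: {len(pkts)} packets, decrypted payload: {is_decrypted(pkts)}, "
              f"all between 192.168.1.10 and 10.10.10.10: "
              f"{only_between(pkts, '192.168.1.10', '10.10.10.10')}")
```

Run it as-is to see the two constructed samples classified; to use it on a real capture, paste the "show capture NAME" output into a file and pass its contents to parse_show_capture. If only_between fails on an inside/DMZ capture while the host pair looks right, the address on one side is usually the NAT-translated one rather than the one present at that interface.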