06-08-2022 10:29 AM
Hi everyone, I would like to know how to do a packet capture that matches traffic passing through a site-to-site VPN. I tried using "match esp" and "type isakmp" in my capture arguments with no results; I even tried capturing using "match ip" and a source IP from the remote network, with no results either.
I was trying captures like these examples:
capture prueba match ip host source any
capture prueba match esp host source any
capture prueba type isakmp trace detail
I can also see the pkts encaps and decaps counters growing using the command "show crypto ipsec sa peer x.x.x.x", so I know that the traffic is passing.
What would be the correct way to capture site-to-site and WebVPN traffic?
Sometimes I need to know if the traffic is matching the correct NAT and ACP rules, and I usually do a packet capture to accomplish this, but that is not the case with encrypted/VPN traffic.
06-08-2022 10:52 AM
For S2S VPN:
asa# capture OUT interface outside trace include-decrypted match tcp any any
include-decrypted <- this helps you for VPN traffic
06-08-2022 11:14 AM
Thank you very much, that was very, very helpful. So for captures we can use this:
capture [name] interface [source-intf] trace include-decrypted match [protocol] [source] [destination]
And for packet-tracer we can use this:
packet-tracer input [source-intf] [protocol] [source ip] [source port] [destination ip] [destination port] decrypted
Tested and working!
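A constructed end-to-end session (added here as an example; it is not from this thread or from Cisco documentation) that puts the capture and packet-tracer commands above together. It assumes the tunnel terminates on the outside interface, a remote-site host 10.1.1.10, and a local server 192.168.1.20 listening on TCP/443:

```cisco
! Constructed example session (editor's addition, not from the thread).
! Assumed topology: site-to-site tunnel on "outside"; remote host 10.1.1.10
! reaches local server 192.168.1.20 on TCP/443 through the tunnel.

! 1. Capture on the tunnel-terminating interface. "include-decrypted" also
!    records the cleartext packets after ESP decryption (and before encryption),
!    so the match can use the inner private addresses instead of ESP.
!    "trace" stores the ASP trace so each packet can be followed through
!    the NAT and ACL/ACP phases.
asa# capture VPNCAP interface outside trace include-decrypted match ip host 10.1.1.10 host 192.168.1.20

! 2. Generate traffic from the remote site, then inspect. The decrypted
!    packets show up with their inner addresses; "trace" prints the per-phase
!    result for one packet.
asa# show capture VPNCAP
asa# show capture VPNCAP trace packet-number 1

! 3. Simulate an inbound packet that has already been decrypted by the tunnel.
!    Without "decrypted" the injected packet is evaluated as a cleartext packet
!    arriving on outside and is dropped as spoofed (the behaviour reported in
!    the thread); with it, the NAT and ACL phases that follow decryption are
!    shown. The tunnel must be up for this to work.
asa# packet-tracer input outside tcp 10.1.1.10 40000 192.168.1.20 443 decrypted

! 4. Outbound direction: the local host's packet is seen in cleartext on inside,
!    so no special keyword is needed.
asa# packet-tracer input inside tcp 192.168.1.20 443 10.1.1.10 40000

! 5. Clean up: a capture keeps consuming buffer memory until it is removed.
asa# no capture VPNCAP
```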
06-08-2022 10:33 AM
@jperez netics if you want to know if traffic is hitting the correct NAT and ACP rules, then use packet-tracer to simulate the traffic flow. Alternatively, use the command system support firewall-engine-debug and filter on the src/dst ip/port; this will identify which ACP rule was matched.
06-08-2022 10:43 AM
When I try to do a packet-tracer or packet capture with normal traffic there is no issue; I have problems with VPN traffic, which becomes inconsistent when I try to capture it, and I cannot simulate incoming S2S VPN traffic because it always results in a drop as spoofing. Outgoing VPN traffic is also not an issue.
Regarding the system support firewall-engine-debug command, what IP protocol should I use with encrypted VPN traffic?
06-08-2022 10:46 AM
@jperez netics the tunnel would need to be up when you run packet-tracer for the inbound traffic.
It doesn't matter what protocol you select; it's optional. Just define the source or destination IP and generate traffic, and it will provide real-time feedback.
06-08-2022 10:37 AM
Use the same packet tracer, because the traffic will decrypt first, then the ACL and NAT will apply, not before that.
So if you have WebVPN, use packet tracer with an IP from the pool you use for clients.
Note: don't use an IP that is already in use by an active client.