
How to generate interesting traffic on the ASA

Hi Team,

 

Can you please let me know how to generate interesting traffic on the ASA 9.1 code to verify a site-to-site VPN tunnel.

 

I have already tried configuring management-access inside and that didn't help.

When I ping my destination IP, I get no response.

 

Regards

Basavaraj


14 Replies

Dinesh Moudgil
Cisco Employee

Hi Basavaraj,

Firstly, when configuring management-access inside, please make sure that the inside interface is part of the interesting traffic in the VPN tunnel.

If it is part of the interesting traffic, you may use "ping inside x.x.x.x" where x.x.x.x is an IP in the remote VPN subnet.
In case you don't have the interfaces defined in the access-list for VPN, then you may leverage the packet-tracer command as shown here:

packet-tracer input inside icmp x.x.x.x 8 0 x.x.x.x detailed

(where "inside" is the interface from which the interesting traffic is generated, the first x.x.x.x is the interesting traffic at your end, and the second x.x.x.x is the interesting traffic at the remote end)

Here is a document for your reference:
https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
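Packet-tracer output, as the reply above suggests, is the quickest way to see which phase (route lookup, ACL, NAT, VPN) stops a flow. The following parser is an added example written for this thread, not code from the original posts or from Cisco: it takes the "Phase: / Type: / Result:" text that packet-tracer prints (the layout used in the outputs pasted later in this thread) and returns the first phase that reported DROP together with the trailing Drop-reason line. The sample output embedded in it is constructed for illustration.

```python
"""Parse Cisco ASA packet-tracer output and find the phase that dropped the flow.

Added example for this thread, not code from the original posts or from Cisco.
The sample output below is constructed for illustration; it follows the
"Phase: / Type: / Result:" layout that packet-tracer prints.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the route lookup allows the flow, then an implicit ACL drops it.
SAMPLE_OUTPUT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a2bdfe0, priority=111, domain=permit, deny=true
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


def parse_phases(text: str) -> List[Phase]:
    """Split packet-tracer output into Phase records.

    Parsing stops at the trailing summary block, which begins with a bare
    "Result:" line (inside a phase the Result line always carries ALLOW/DROP).
    """
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section = None  # "config" or "info": which free-text block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if current is None or not line:
            continue
        if line == "Result:":            # summary block: no more phases follow
            current = None
        elif line.startswith("Type:"):
            current.type = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current.result = line[len("Result:"):].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases


def first_drop(text: str) -> Optional[Tuple[int, str, str]]:
    """Return (phase number, phase type, drop reason) for the first DROP phase.

    The reason comes from the trailing "Drop-reason:" line when present (a
    truncated paste, like a lone NAT rpf-check phase, may lack it, giving "");
    None means every phase reported ALLOW.
    """
    m = re.search(r"Drop-reason:\s*(.+)", text)
    reason = m.group(1).strip() if m else ""
    for phase in parse_phases(text):
        if phase.result.upper() == "DROP":
            return phase.number, phase.type, reason
    return None


if __name__ == "__main__":
    for p in parse_phases(SAMPLE_OUTPUT):
        print(f"phase {p.number}: {p.type} -> {p.result}")
    print("first drop:", first_drop(SAMPLE_OUTPUT))
```

Feeding it a real capture (`packet-tracer ... detailed` copied from the console) points straight at the offending phase, which is what decides whether to look at routing, the crypto ACL or the NAT exemption next.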

Hi Dinesh,

Thank you so much for the response; below is my VPN interesting traffic config:

object network VPN_LOCAL
 subnet 10.1.100.0 255.255.254.0
object network REMOTE_ACCESS
 subnet 10.15.100.0 255.255.255.224

 

 

nat (inside,INN) source static VPN_LOCAL VPN_LOCAL destination static REMOTE_ACCESS REMOTE_ACCESS no-proxy-arp route-lookup

management-access INN --- my interesting traffic is part of this interface

When I ping the remote subnet IP, I get no response:

ping INN 10.15.100.6

???

Below is the output of packet tracer:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,ILL) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2a411f40, priority=6, domain=nat-reverse, deny=false
        hits=344344, user_data=0x7fff205b4df0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=ILL, output_ifc=inside

 

Technically my interesting traffic shouldn't hit this NAT statement; it should go to my VPN NAT.

Could you please let me know what could be the problem here?

 

 

Assuming your inside interface is in the range of 10.1.100.0 and object VPN_LOCAL is present on the inside interface, try using the command "management-access inside", then try pinging with "ping inside 10.15.100.6" and share the results.

When you write "management-access INN" it means that you can use the INN interface for VPN communication, so make sure it is in the 10.1.100.0 subnet.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

 


Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks for pointing that out, I have now changed it to "management-access inside":

ping inside 10.15.100.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.15.100.6, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

 

Still I'm not able to ping the remote destination IP. If the other end ASA generates traffic then my tunnel will come up, and if I run "show crypto ipsec sa" I can see decryption is happening but I don't see any encryption happening. My ASA is not sending any traffic back on the tunnel.

When I use packet tracer I see my interesting traffic is not hitting the correct NAT statement.

Below is the output of packet tracer:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside,ILL) source dynamic any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2a411f40, priority=6, domain=nat-reverse, deny=false
        hits=344344, user_data=0x7fff205b4df0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=ILL, output_ifc=inside

 

 

 

Hi Dinesh,

 

I have one more quick query.

In my case I don't have any ACLs for the inside network; we only configured an ACL for the outside interface and associated it to the outside interface. Inside, by default the ASA allows all the traffic to go from a higher security level to a lower security level.

Once we have configured site-to-site, my question is: do we have to configure ACLs for the inside interface also, or is there no need to configure any specific ACLs for the inside network? In my case I have not configured any ACL; I have configured the interesting traffic ACL that I have associated with the crypto map, and then I have configured twice NAT for the VPN traffic.

Please let me know if I have to configure anything.

As I said, at the moment the tunnel comes up if someone generates traffic on the other side, and my ASA is not sending any traffic back on the tunnel.

You would not need to configure any access-list entry on the inside interface for VPN traffic if there is none present.

Try adding these commands:

no nat (inside,INN) source static VPN_LOCAL VPN_LOCAL destination static REMOTE_ACCESS REMOTE_ACCESS no-proxy-arp route-lookup

nat (inside,INN) 1 source static VPN_LOCAL VPN_LOCAL destination static REMOTE_ACCESS REMOTE_ACCESS no-proxy-arp route-lookup

And please share the packet tracer command that you are running.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

 

After the NAT change, I'm getting the following packet tracer output:

XXXXXXX# packet-tracer input inside tcp 10.1.100.10 1024 10.15.100.6 443 detai

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a2bdfe0, priority=111, domain=permit, deny=true
        hits=713672, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=inside, output_ifc=inside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Since I have not configured any NAT on the inside interface, it should not drop my packets, but here it's showing that the ACL is dropping the packets.

 

Referencing:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.0.0        255.0.0.0       inside


You have a route for 10.0.0.0/8 that sends all the traffic to the inside interface, preventing the traffic from going via the VPN tunnel.
Create a route for the 10.15.100.0 subnet and set the next hop as your default gateway so that it goes out via the outside interface.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thank you Dinesh, yes I have a 10.0.0.0/8 route pointing to the inside network and a default route pointing to the outside interface. I have added a route for my remote subnet the same as the default route. When I see the packet trace everything is allowed. The tunnel is coming up, but I am not able to send any traffic over the tunnel from the ASA. The local interesting subnet is different from the inside interface subnet. Is it because of that that I'm not able to ping my remote subnet IP?

 

If the local interesting traffic is different from the inside interface subnet, then the pings will not work if you use "ping inside x.x.x.x". You can only run packet tracer or create actual traffic to see the encryption counters increasing.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Thank you so much for the valuable inputs.

However, packet tracer is not increasing any encryption/decryption count. I will try to connect some devices, try generating traffic from the actual subnet, and check the phase 2 status.

 

 

Allow me to rephrase it: counters will only increment if you initiate actual traffic, but packet tracer should be enough to bring phase 1 and phase 2 up.

You can run "show crypto isakmp sa" for phase 1 and "show crypto ipsec sa peer x.x.x.x" for phase 2, and it should show both of them up.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
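Because the encaps/decaps counters only move with real traffic, the practical check for the symptom in this thread (decryption counted, encryption stuck at zero) is to take two "show crypto ipsec sa" snapshots a minute apart and compare them. The script below is an added example written for this thread, not code from the original posts or from Cisco: it pulls the peer, the local/remote idents and the "#pkts encaps" / "#pkts decaps" counters out of each snapshot and classifies each SA as bidirectional, decrypt-only, encrypt-only or idle. Both snapshots are constructed samples in the layout the ASA prints (addresses from the RFC 5737 documentation ranges, crypto ACL name VPN_TRAFFIC made up); one SA per peer is assumed.

```python
"""Compare two 'show crypto ipsec sa' snapshots and flag one-way IPsec tunnels.

Added example for this thread, not code from the original posts or from Cisco.
Both snapshots are constructed samples in the layout the ASA prints for this
command; peer/local addresses are RFC 5737 documentation ranges and the
crypto ACL name VPN_TRAFFIC is made up. One SA per peer is assumed.
"""
import re
from typing import Dict

SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      access-list VPN_TRAFFIC extended permit ip 10.1.100.0 255.255.254.0 10.15.100.0 255.255.255.224
      local ident (addr/mask/prot/port): (10.1.100.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (10.15.100.0/255.255.255.224/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
      #send errors: 0, #recv errors: 0
"""

# Same SA a minute later: decaps moved on, encaps did not (the thread's symptom).
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412",
    "#pkts decaps: 430, #pkts decrypt: 430, #pkts verify: 430",
)

# One match per SA block: idents, peer, then the two counters we care about.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]+)\).*?"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]+)\).*?"
    r"current_peer:\s*(?P<peer>\S+).*?"
    r"#pkts encaps:\s*(?P<encaps>\d+).*?"
    r"#pkts decaps:\s*(?P<decaps>\d+)",
    re.DOTALL,
)

HINTS = {
    "bidirectional": "traffic flows both ways",
    "decrypt-only": "peer sends, this ASA never encrypts: check routing, NAT exemption and crypto ACL on this side",
    "encrypt-only": "this ASA sends, nothing comes back: check the peer side",
    "idle": "no interesting traffic in the interval",
}


def parse_counters(text: str) -> Dict[str, dict]:
    """Map peer address -> idents and encaps/decaps counters for each SA in the output."""
    sas = {}
    for m in SA_RE.finditer(text):
        sas[m.group("peer")] = {
            "local": m.group("local"),
            "remote": m.group("remote"),
            "encaps": int(m.group("encaps")),
            "decaps": int(m.group("decaps")),
        }
    return sas


def classify(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, str]:
    """Compare two parsed snapshots; return peer -> one of the HINTS keys."""
    verdicts = {}
    for peer, now in after.items():
        then = before.get(peer, {"encaps": 0, "decaps": 0})  # SA is new: count from zero
        sent = now["encaps"] - then["encaps"]
        received = now["decaps"] - then["decaps"]
        if sent > 0 and received > 0:
            verdicts[peer] = "bidirectional"
        elif received > 0:
            verdicts[peer] = "decrypt-only"
        elif sent > 0:
            verdicts[peer] = "encrypt-only"
        else:
            verdicts[peer] = "idle"
    return verdicts


if __name__ == "__main__":
    before = parse_counters(SNAPSHOT_BEFORE)
    after = parse_counters(SNAPSHOT_AFTER)
    for peer, verdict in classify(before, after).items():
        sa = after[peer]
        print(f"{peer} {sa['local']} <-> {sa['remote']}: {verdict} ({HINTS[verdict]})")
```

A decrypt-only verdict is exactly the state described earlier in this thread: the peer brings the tunnel up and its packets are decrypted, but nothing on this side is classified as interesting traffic and encrypted, so the investigation belongs in the local route, NAT exemption and crypto ACL rather than at the peer.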

Ok, got it... thank you again.
