11-25-2014 04:05 PM
Hi Team,
Please help me to set ACL and capture for Remote Access VPN traffic.
Requirement is to see how much traffic is flowing from that Source IP.
Source : Remote Access VPN IP(Tunneled) 10.10.10.10
Destination : any
This is what I did which is not working
access-list VPN extended permit tcp host 10.10.10.10 any
capture CAP_VPN type raw-data access-list VPN interface OUTSIDE
11-27-2014 10:24 AM
Hello,
If you set up the capture with that access list, you are filtering just TCP traffic, so you won't be able to see UDP or ICMP traffic. I would recommend using the same ACL, but with IP:
access-list VPN extended permit ip host 10.10.10.10 any
capture CAP_VPN access-list VPN interface outside
Then with:
show capture CAP_VPN
You will be able to see the packet capture on the ASA, though you can export the capture to a packet sniffer as follows:
11-27-2014 11:07 AM
I tried but still [Capturing - 0 bytes]
11-27-2014 12:24 PM
Hi,
You can do it bidirectionally as follows:
access-list VPN extended permit ip host 10.10.10.10 any
access-list VPN extended permit ip any host 10.10.10.10
capture CAP_VPN access-list VPN interface outside
Make sure that is the IP address assigned to the VPN user and that is the correct outside interface name.
Let me know if you could get the information you were trying to reach.
Please don't forget to rate and mark as correct the helpful Post!
David Castro,
Regards,
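The three ACL variants tried in this thread select different packets, shown here as an added example that is not part of any post: a small Python matcher run over constructed packets. The function names and the 192.0.2.x / 10.10.10.99 addresses are assumptions made for the illustration.

```python
import ipaddress

def parse_ace(line):
    """Parse 'access-list NAME extended permit PROTO SRC DST', where SRC and
    DST are 'any' or 'host A.B.C.D' (the only forms used in the thread)."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    proto, rest, addrs = tok[4].lower(), tok[5:], []
    while rest:
        if rest[0] == "any":
            addrs.append(None)  # None acts as a wildcard
            rest = rest[1:]
        elif rest[0] == "host" and len(rest) >= 2:
            addrs.append(ipaddress.ip_address(rest[1]))
            rest = rest[2:]
        else:
            raise ValueError(f"unsupported address spec in: {line!r}")
    if len(addrs) != 2:
        raise ValueError(f"expected source and destination in: {line!r}")
    return proto, addrs[0], addrs[1]

def matches(ace, pkt):
    """True if a (proto, src, dst) packet tuple is selected by one ACE."""
    proto, src, dst = ace
    p_proto, p_src, p_dst = pkt
    return (proto in ("ip", p_proto)
            and src in (None, ipaddress.ip_address(p_src))
            and dst in (None, ipaddress.ip_address(p_dst)))

def captured(acl_lines, packets):
    """Packets a capture filtered by this ACL would keep (any ACE matches)."""
    aces = [parse_ace(line) for line in acl_lines]
    return [p for p in packets if any(matches(a, p) for a in aces)]

# Constructed sample traffic: (protocol, source, destination)
PACKETS = [
    ("tcp", "10.10.10.10", "192.0.2.20"),
    ("udp", "10.10.10.10", "192.0.2.53"),
    ("icmp", "10.10.10.10", "192.0.2.20"),
    ("tcp", "192.0.2.20", "10.10.10.10"),   # return traffic
    ("tcp", "10.10.10.99", "192.0.2.20"),   # a different client
]
TCP_ONLY = ["access-list VPN extended permit tcp host 10.10.10.10 any"]
IP_ONE_WAY = ["access-list VPN extended permit ip host 10.10.10.10 any"]
IP_BOTH = IP_ONE_WAY + ["access-list VPN extended permit ip any host 10.10.10.10"]

if __name__ == "__main__":
    for name, acl in (("tcp only", TCP_ONLY), ("ip one way", IP_ONE_WAY), ("ip both ways", IP_BOTH)):
        print(name, len(captured(acl, PACKETS)), "of", len(PACKETS))
```

This models only the ACL filter; it says nothing about which interface sees the decrypted tunnel traffic, which is what the later posts troubleshoot.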
11-27-2014 12:31 PM
Hi David,
Done but still no traffic. Logs show the traffic but the packet capture does not.
Do I need to mention that sysopt is enabled? Will it be playing some role here?
11-28-2014 05:23 AM
Hi,
The traffic will be received in the inside interface, so go ahead and place this capture:
capture CAP_VPN interface <inside> match ip host 10.10.10.10 any
The interface name is the interface where you are sending the traffic.
Let me know if you could get the information you were trying to reach.
Please don't forget to rate and mark as correct the helpful Post!
David Castro,
Regards,
11-28-2014 09:35 AM
capture CAP_VPN type raw-data interface INSIDE [Capturing - 0 bytes]
match ip host 10.10.62.16 any
11-28-2014 09:40 AM
Hello,
Make sure there is not an asymmetric routing issue; do a traceroute on the computer and on the ASA to see what path the traffic is taking now.
Also try with a capture <drop>, to see if the traffic is being taken down.
Regards,