Packet Capture for VPN traffic

Hi Team,

Please help me to set ACL and capture for Remote Access VPN traffic.

Requirement is to see how much traffic is flowing from that Source IP.

Source : Remote Access VPN IP(Tunneled) 10.10.10.10

Destination : any

This is what I did, which is not working:

access-list VPN extended permit tcp host 10.10.10.10 any

capture CAP_VPN type raw-data access-list VPN interface OUTSIDE

Accepted Solutions

Hello,

If you set up the capture with that access list, you are filtering just TCP traffic, so you won't be able to see UDP or ICMP traffic. I would recommend using the same ACL, but with IP:

access-list VPN extended permit ip host 10.10.10.10 any

capture CAP_VPN access-list VPN interface outside

Then with:

show capture CAP_VPN

You will be able to see the packet capture on the ASA, though you can export the capture to a packet sniffer as follows:

  https://<ip address of asa>/capture/<capname>/pcap   capname-->CAP

You can find further details on captures at this link

Let me know if you could get the information you were trying to reach.

Please don't forget to rate and mark as correct the helpful post!

David Castro,


Regards,
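
Once the capture has been exported as a pcap, the original requirement (how much traffic the VPN client 10.10.10.10 sends) can be answered offline, broken down by protocol, which also shows what a TCP-only ACL would have missed. This is an added example, not part of the original post or Cisco code; it assumes the export is a classic libpcap file with Ethernet framing, and the function names and sample packets (192.0.2.x destinations) are constructed for illustration.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def tally_by_source(pcap: bytes, src_ip: str) -> dict:
    """Return {protocol: (packets, ip_bytes)} for IPv4 packets sent by src_ip."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    want = IPv4Address(src_ip).packed
    totals = defaultdict(lambda: [0, 0])
    off = 24  # first record follows the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 18 if frame[12:14] == b"\x81\x00" else 14  # skip one 802.1Q tag
        if frame[l3 - 2:l3] != b"\x08\x00" or len(frame) < l3 + 20:
            continue  # not IPv4, or too short to hold an IP header
        ip = frame[l3:]
        if ip[12:16] != want:
            continue  # other direction or another host
        entry = totals[PROTO_NAMES.get(ip[9], str(ip[9]))]
        entry[0] += 1
        # IP total length, so frames cut short by the capture still count fully
        entry[1] += struct.unpack("!H", ip[2:4])[0]
    return {name: tuple(v) for name, v in totals.items()}

def _frame(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed Ethernet+IPv4 frame (zeroed MACs, checksum and payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto,
                     0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + b"\x00" * payload_len

def build_sample_pcap() -> bytes:
    """Constructed capture: 4 packets from the VPN client, 1 reply to it."""
    frames = [_frame("10.10.10.10", "192.0.2.5", 6, 100),
              _frame("10.10.10.10", "192.0.2.53", 17, 40),
              _frame("10.10.10.10", "192.0.2.5", 1, 8),
              _frame("192.0.2.5", "10.10.10.10", 6, 500),
              _frame("10.10.10.10", "192.0.2.5", 6, 20)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

For a real export, read the downloaded file's bytes and pass them to `tally_by_source` in place of the constructed sample.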

I tried but still [Capturing - 0 bytes]

Hi,

You can do it bidirectionally as follows:

access-list VPN extended permit ip host 10.10.10.10 any

access-list VPN extended permit ip any host 10.10.10.10

capture CAP_VPN access-list VPN interface outside

Make sure that is the IP address assigned to the VPN user and that is the correct outside interface name.

Let me know if you could get the information you were trying to reach.

Please don't forget to rate and mark as correct the helpful post!

David Castro,

Regards,

Hi David,

Done but still no traffic. Logs show the traffic but not the packet capture.

Do I need to mention that sysopt is enabled? Will it be playing some role here?

Hi,

The traffic will be received on the inside interface, so go ahead and place this capture:

capture CAP_VPN interface <inside> match ip host 10.10.10.10 any

The interface name is the interface where you are sending the traffic.

Let me know if you could get the information you were trying to reach.

Please don't forget to rate and mark as correct the helpful post!

David Castro,


Regards,

capture CAP_VPN type raw-data interface INSIDE [Capturing - 0 bytes]
  match ip host 10.10.62.16 any

Hello,

Make sure there is not an asymmetric routing issue; do a traceroute on the computer and on the ASA to see what path the traffic is taking now.

Also check with a capture <drop>, to see if the traffic is being taken down.

Regards,
