Source interesting VPN traffic from PIX/ASA

Phil Williamson
Level 1

Is it possible from the CLI to source interesting traffic to bring up or otherwise test a VPN policy?

Accepted Solutions

andrew.prince
Level 10

AFAIK - this is not possible, as you cannot create a tcp/udp/icmp from a source interface in the device.

I did not think so, but with all the new features in 8.X I was thinking I had not seen the "new and improved" extended ping like IOS routers have.

It could be a good testing tool; however, thinking if a firewall was compromised... being able to do that would be bad!

Ivan Martinon
Level 7

ASA and PIX 7.X have a feature called packet tracer. This tool allows the ASA to trace the path that a packet will follow by "simulating" this packet as it arrives on the selected interface and goes through the whole appliance. This can be used to simulate a packet going from inside to outside matching the VPN policy. There was a bug on some versions where this feature would not match the VPN policy; hopefully it has been fixed.

As well, you can use the management-access interface command to use the inside or whichever interface you want to source the traffic via a ping and make the tunnel come up. Note that the traffic generated by this management-access command will not be subject to NAT or to some filtering policies, so it might not apply completely. Check the following links:

Packet tracer command reference

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

management access command reference

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1987122

hth

Ivan
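An added example, not part of the thread and not Cisco code: a Python check that reads saved `packet-tracer` output and reports whether the simulated packet reached a VPN encrypt phase, which is the match Ivan's post says some versions failed to make. The sample trace is constructed, and the `Phase`/`Type`/`Subtype`/`Result` layout and the verdict names are assumptions.

```python
import re

# Constructed, abridged sample of ASA `packet-tracer ... detailed` output.
# The Phase/Type/Subtype/Result layout is assumed from typical ASA output.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

def parse_phases(text):
    """Split the trace on 'Phase: N'; keep each block's first Type/Subtype/Result."""
    parts = re.split(r"^Phase:\s*(\d+)\s*$", text, flags=re.M)
    phases = []
    for num, body in zip(parts[1::2], parts[2::2]):
        fields = {"phase": int(num)}
        for key, value in re.findall(r"^(Type|Subtype|Result):[ \t]*(.*)$", body, flags=re.M):
            # setdefault ignores the trailing summary "Result:" in the last block
            fields.setdefault(key.lower(), value.strip())
        phases.append(fields)
    return phases

def vpn_verdict(text):
    """Classify the trace by whether the crypto policy was hit (labels are hypothetical)."""
    action = re.search(r"^Action:\s*(\w+)", text, flags=re.M)
    final = action.group(1).lower() if action else "unknown"
    vpn = [p for p in parse_phases(text)
           if p.get("type") == "VPN" and p.get("subtype") == "encrypt"]
    if not vpn:
        return "no-vpn-match"   # packet never reached an encrypt phase
    if vpn[0].get("result") == "ALLOW" and final == "allow":
        return "vpn-encrypt"
    return "vpn-drop"           # policy matched but the packet was dropped

if __name__ == "__main__":
    print(vpn_verdict(SAMPLE))
```

A `no-vpn-match` verdict on a flow that should be tunnelled is the case worth investigating: either the crypto ACL does not cover the flow or the trace is not evaluating the VPN policy.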
