12-02-2009 04:42 AM
Is it possible from the CLI to source interesting traffic to bring up or otherwise test a VPN policy?
12-02-2009 06:35 AM
AFAIK - this is not possible, as you cannot create a tcp/udp/icmp from a source interface in the device.
12-02-2009 07:27 AM
I did not think so, but with all the new features in 8.X I was thinking I had not seen the "new and improved" extended ping like IOS routers have.
12-02-2009 07:47 AM
It could be a good testing tool; however, thinking about it, if a firewall was compromised... being able to do that would be bad!
12-02-2009 09:29 AM
ASA and PIX 7.X have a feature called packet tracer. This tool allows the ASA to trace the path that a packet will follow by "simulating" the packet as it arrives on the selected interface and goes through the whole appliance. This can be used to simulate a packet going from inside to outside matching the VPN policy. There was a bug on some versions where this feature would not match the VPN policy; hopefully it has been fixed.
As well, you can use the management-access interface command to use the inside (or whichever interface you want) to source the traffic via a ping and make the tunnel come up. Note that the traffic generated with this management-access command will not be subject to NAT or to some filtering policies, so it might not apply completely. Check the following links:
Packet tracer command reference
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788
management access command reference
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1987122
hth
Ivan
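The two checks described in the answer above, as an added worked session (not from the thread or from Cisco's documentation). It assumes a constructed topology: inside LAN 10.1.1.0/24 on interface "inside", remote LAN 192.168.2.0/24 reached over a site-to-site tunnel on "outside", and that the inside interface address is included in the crypto ACL so a ping sourced from it counts as interesting traffic. The packet-tracer output is abbreviated to the lines that matter.

```cisco
! 1) Simulate an inside -> remote TCP packet. Nothing is sent on the wire;
!    the ASA walks the simulated packet through ACL, NAT, and VPN checks.
ciscoasa# packet-tracer input inside tcp 10.1.1.10 12345 192.168.2.10 80 detailed
...
Phase: 4
Type: VPN
Subtype: encrypt
Result: ALLOW
...
Result:
input-interface: inside
output-interface: outside
Action: allow

! Reading it: "Result: DROP" in the VPN phase, or no VPN phase at all, means the
! crypto ACL or NAT exemption does not match this flow. Fix the policy first;
! the thread notes some releases mis-evaluate the VPN phase, so also confirm with step 2.

! 2) Generate real interesting traffic from the firewall itself to bring the tunnel up.
!    management-access lets the ping be sourced from the inside interface address.
ciscoasa# configure terminal
ciscoasa(config)# management-access inside
ciscoasa(config)# exit
ciscoasa# ping inside 192.168.2.10

! 3) Verify the tunnel actually negotiated and is encrypting.
ciscoasa# show crypto isakmp sa
ciscoasa# show crypto ipsec sa | include pkts encaps

! Caveat from the answer: management-access traffic bypasses NAT and some filtering,
! so a successful ping proves the tunnel comes up, not that end-host traffic will be
! permitted end to end. Remove management-access when the test is done if it is not
! needed for day-to-day administration.
ciscoasa(config)# no management-access inside
```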