Penetration Test to IPSec Tunnel in ASA 5510 FW

Unanswered Question
Apr 15th, 2010


I have one network deployment project and have set up an IPSec site-to-site VPN tunnel using the ASA 5510 FW. But according to our customer's requirement, we need to prove that the tunnel shouldn't be able to sniff the data between the two sites. Is there any way to conduct a penetration test in order to prove that the tunnel is not able to sniff the packets/data between the two sites?

Collin Clark Thu, 04/15/2010 - 08:17

Is it possible for you to put a hardware tap in? If so, put it in and try a packet capture and view the results.

Nay Myo Tun Fri, 04/16/2010 - 02:57

May I know what kind of HW do you suggest to tap in? Or any recommendation of sniffing utility/tools?

Mark Rigby Fri, 04/16/2010 - 07:19


Connect the outside interface of the ASA to a Catalyst switch along with your WAN router, then SPAN the port(s) and collect the data in Wireshark. This would emulate someone outside the FW trying to look at traffic traversing between the two sites; you will need to be using public IP addressing on the outside of the ASA, of course.

Obviously don't use a switch that is connected to your production network unless you create an isolated VLAN on said switch for the purpose of testing this configuration. You could also do this with a completely separate hub on a temporary basis.
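The capture-and-inspect check described in the answers, as an added example that is not part of this thread: a small Python script that takes raw IPv4 packets as they would be seen on the SPAN port facing the ASA outside interface and reports anything that is not ESP (IP protocol 50) or IKE (UDP 500/4500) yet involves the two tunnel peers or the protected LAN subnets. If the tunnel is doing its job, the only traffic between the peers is ESP and IKE, and no inner LAN address ever appears on the outside. The packets, peer addresses and subnets below are constructed placeholders, not a real capture; with a real capture you would feed the script the IP layer of each frame read from the pcap.

```python
"""Audit packets seen on the ASA outside interface and flag anything the
IPsec tunnel should have protected but did not.

Added example; peer addresses, subnets and packets are constructed."""
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50

# Placeholder tunnel endpoints (TEST-NET ranges) and the LANs behind them.
PEER_A, PEER_B = "203.0.113.10", "198.51.100.20"
PROTECTED_NETS = ["10.1.1.0/24", "10.2.2.0/24"]


def build_ipv4(src, dst, proto, payload):
    """Construct a minimal IPv4 header (no options, checksum left 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport, dport, data):
    # 20-byte TCP header: seq/ack 0, data offset 5, flags PSH|ACK.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + data


def classify(pkt):
    """Return (src, dst, kind); kind is 'esp', 'ike', 'nat-t' or 'cleartext'."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == IPPROTO_ESP:
        return src, dst, "esp"
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 500 in (sport, dport):
            return src, dst, "ike"
        if 4500 in (sport, dport):
            return src, dst, "nat-t"  # IKE or UDP-encapsulated ESP (NAT traversal)
    return src, dst, "cleartext"


def audit(packets, peer_a, peer_b, protected_nets):
    """Return (index, src, dst, payload_prefix) for every packet that is not
    ESP/IKE but either runs between the peers or carries a protected LAN address."""
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    findings = []
    for i, pkt in enumerate(packets):
        src, dst, kind = classify(pkt)
        if kind in ("esp", "ike", "nat-t"):
            continue
        between_peers = {src, dst} == {peer_a, peer_b}
        touches_lan = any(ipaddress.ip_address(a) in n for a in (src, dst) for n in nets)
        if between_peers or touches_lan:
            ihl = (pkt[0] & 0x0F) * 4
            findings.append((i, src, dst, pkt[ihl:ihl + 40]))
    return findings


# Constructed capture: what a SPAN of the outside interface might contain.
SAMPLE_CAPTURE = [
    # 0: IKE negotiation between the peers (UDP/500)
    build_ipv4(PEER_A, PEER_B, IPPROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    # 1: ESP: 4-byte SPI, 4-byte sequence number, then opaque ciphertext
    build_ipv4(PEER_A, PEER_B, IPPROTO_ESP,
               b"\x0a\x0b\x0c\x0d\x00\x00\x00\x01" + bytes(range(32))),
    # 2: unrelated cleartext from a host that is not a tunnel endpoint: ignored
    build_ipv4("192.0.2.5", PEER_B, IPPROTO_TCP,
               build_tcp(40000, 80, b"GET / HTTP/1.1\r\n")),
    # 3: a leak: cleartext TCP directly between the peers, outside the tunnel
    build_ipv4(PEER_B, PEER_A, IPPROTO_TCP,
               build_tcp(40001, 80, b"GET /secret HTTP/1.1\r\n")),
    # 4: a leak: inner LAN addresses visible on the outside (tunnel bypassed)
    build_ipv4("10.1.1.5", "10.2.2.7", IPPROTO_TCP,
               build_tcp(40002, 445, b"\xfeSMB")),
]

if __name__ == "__main__":
    for idx, src, dst, prefix in audit(SAMPLE_CAPTURE, PEER_A, PEER_B, PROTECTED_NETS):
        print(f"packet {idx}: unprotected {src} -> {dst}, payload starts {prefix!r}")
```

An empty report is the evidence the customer is asking for: every packet between the peers was ESP or IKE and nothing from the protected subnets appeared on the outside. The same three conditions can be expressed as a Wireshark display filter on the live capture once the SPAN session is in place.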
