cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1058
Views
0
Helpful
5
Replies

Penetration Test to IPSec Tunnel in ASA 5510 FW

Nay Myo Tun
Level 1
Level 1

Hi,

I have one network deployment project and have setup the IPSec site to site VPN tunnel using the ASA 5510 FW.But according to our customer requirment, we need to prove that the tunnel shouldn't be able to sniff the data betwwen two sites. Is there any way to conduct peneration test in order to prove that tunnel is not able to sniff the packet/ data between two sites?

5 Replies 5

Collin Clark
VIP Alumni
VIP Alumni

Is it possible for you to put a hardware tap in? If so, put it in and try a packet capture and view the results.

May I know what kind of HW do you suggest to tap in ? Or any recommend

ation of sniffing utillity/ tools ?

For a network TAP-

http://www.networktaps.com/

For a sniffer, a free one is Wireshark. It's not greatest tool, but it will work fine in your situation-

www.wireshark.org

ROBERTO TACCON
Level 4
Level 4

Hi,

I advise the following service:

http://www.nta-monitor.com/services/externalservices.html#vpn

Regards

Roberto Taccon

Mark Rigby
Level 1
Level 1

Connect the outside interface of the ASA to a Catalyst switch along with your WAN router, then SPAN the port(s) and collect the data in wireshark. This would emulate someone outside the FW trying to look at traffic traversing between the two sitesm you will need to be using public ip addressing on the outside of the ASA of course.

Obviously dont use a switch that is connected to your production network unless you create an isolated vlan on said switch for the purpose of testing this configuration. You could also do this will a completely separate hub on a temporary basis.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: