Unable to capture packets on ASA(ASDM)

Unanswered Question
Jul 9th, 2012
Hi all,

We have a site-to-site VPN connection to one of our clients, over which we both access our applications and other resources. Now the client needs to access two of our internal servers, so we have created static NATs in our ASA. For one server they are accessing without any issues, but the other server they are not able to connect to. Since it's a VPN tunnel we haven't blocked any ports and it's open to all traffic. But on their side they have restricted it, and we need to see whether the packets are hitting our ASA or not. Once we observe this, it's easy for us to escalate to them. I tried the packet capture wizard in ASDM, but it's not showing anything. Can anyone tell me how to capture packets related to a static NAT? Please let me know if you want any other details.

local 20.0.0.0/24 --> this will get NATed to --> 12.0.6.0/24 when going into the tunnel

We have created:

static(outside,inside) 12.0.6.10 20.0.0.10 255.255.255.255    working

static(outside,inside) 12.0.6.11 20.0.0.11 255.255.255.255    not working; we need to check whether it's hitting 12.0.6.11

Kindly advise...

Regards,

Bala

Jennifer Halim (Cisco Employee) Mon, 07/09/2012 - 20:18

Your static NAT is incorrect; it's the other way round. It should be:

static (inside,outside) 12.0.6.10 20.0.0.10 netmask 255.255.255.255

static (inside,outside) 12.0.6.11 20.0.0.11 netmask 255.255.255.255

Not sure if you want to restrict the NATing to that only when you are going towards the remote subnet; if you are, then you would need to create a static policy NAT as follows (the remote subnet is not stated in the thread, so it appears below as a placeholder):

access-list nat-to-client permit ip 20.0.0.0 255.255.255.0 <remote-subnet> <remote-mask>

static (inside,outside) 12.0.6.0 access-list nat-to-client

The above will NAT the whole subnet 20.0.0.0/24 to 12.0.6.0/24 when going towards the remote client subnet.

Balakumaresan S... Mon, 07/09/2012 - 23:31

Jennifer,

Thanks for your reply. It was a typo in my question, and I have added the static NAT properly with the "netmask" statement. We have also added the NAT for nat-to-client, but in our case we have used global NAT. All other traffic to and fro in the VPN is working fine. My doubt is whether on the client side they have properly opened the ports and configured NAT correctly or not. If we capture packets for the respective traffic, we can easily corner the problem. Kindly check this; it would be really helpful if you could guide me towards capturing packets.

Thanks,

Bala

Sent from Cisco Technical Support Android App

Jennifer Halim (Cisco Employee) Tue, 07/10/2012 - 01:29

Where are you trying to initiate the connection from?

If they are trying to initiate the connection towards your end, and the traffic doesn't reach your end, then there will be nothing on your ASA packet capture.

Please share what you have configured to capture the traffic.

To check if the traffic is reaching the inside interface, just configure ACL between source (real IP) and destination (remote IP), and apply the capture on the inside interface. This will confirm if the traffic is coming inbound towards the inside interface.

To check if the traffic is leaving the inside interface towards the host behind your ASA, configure ACL between source (remote IP), and destination (host real IP), and apply the capture on the inside interface. This will confirm if the traffic is leaving your ASA inside interface towards the host.
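The two captures described above, written out as ASA CLI. This is an added example, not configuration from anyone in the thread. It assumes the pre-8.3 ASA syntax the thread uses, and the client's source address is never stated, so it appears as the placeholder REMOTE_HOST_IP; the capture and ACL names (CAP-IN, CAP-OUT) are constructed for this example. Which address to match depends on the interface: on the inside interface the ASA sees the server's real address 20.0.0.11, on the outside interface it sees the mapped address 12.0.6.11.

```cisco
! Added example (not from the thread). Replace REMOTE_HOST_IP with the
! client's actual source address; CAP-IN / CAP-OUT are constructed names.

! 1) Inside interface: the ASA sees the server's REAL address (20.0.0.11).
!    Match both directions so one capture shows request and reply.
access-list CAP-IN extended permit ip host 20.0.0.11 host REMOTE_HOST_IP
access-list CAP-IN extended permit ip host REMOTE_HOST_IP host 20.0.0.11
capture CAP-IN interface inside access-list CAP-IN

! 2) Outside interface: traffic from the tunnel is addressed to the MAPPED
!    address (12.0.6.11), so the ACL uses the NATed IP here.
access-list CAP-OUT extended permit ip host 12.0.6.11 host REMOTE_HOST_IP
access-list CAP-OUT extended permit ip host REMOTE_HOST_IP host 12.0.6.11
capture CAP-OUT interface outside access-list CAP-OUT

! 3) Ask the client to retry, then inspect.
!    - CAP-OUT empty: nothing reached the ASA (client side or tunnel).
!    - CAP-OUT has packets, CAP-IN has none: the drop is on the ASA itself
!      (NAT, interface ACL, or policy).
!    - Both show the request but no reply: look at the server / inside path.
show capture CAP-OUT
show capture CAP-IN

! 4) Simulate one packet from the client through NAT and policy without
!    involving the client at all. TCP 443 / source port 1025 are example
!    values; use the application's real port.
packet-tracer input outside tcp REMOTE_HOST_IP 1025 12.0.6.11 443

! 5) Remove the captures when done; they hold ASA memory.
no capture CAP-IN
no capture CAP-OUT
```

The packet-tracer step is the quickest way to tell a NAT mistake from a client-side problem: it prints each phase (route lookup, NAT, ACL) and names the phase that drops the packet, and it works even while the client's traffic is not arriving.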
