Cisco Support Community
New Member

asa: capture hairpinning packets on outside interface

Hi,

 

I try to capture packets between remote access users in different profile/tunnel in order to find out where packets are dropped,

I try in this way:

 

access-list test permit ip 192.168.1.11 192.168.2.11

access-list test permit ip 192.168.2.11 192.168.1.11

capture capin access-list capin interface outside real-time

 

but there is nothing on capture output.

addresses 192.168.x.y are from ip local pool for remote access users

 

thanks for help

Peter

3 REPLIES
Cisco Employee


Hi,

The reason you are not able to see packets on the outside interface is that the packets are encrypted.
When the packet leaves the client, it is encrypted, and the IP addresses that are visible outside are the public IP of the client and the VPN headend.
You might want to take these captures (with the IPs from the VPN pools) on the remote VPN users to verify packet reachability.
HTH

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

New Member


Is there another place or way to check packet reachability between two remote access users or two s2s tunnels? All of them use the outside interface. I see that packets enter the tunnel on one end, but I can't see these packets leave the end of the second tunnel.

Cisco Employee


You might want to check the tunnel statistics on the hub side to see if the packets are getting encapsulated on the right tunnel.
Also, make sure "same-security-traffic permit intra-interface" and NAT are properly configured on the hub device.

Regards,

Dinesh Moudgil
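
The hub-side checks suggested in the last reply, written out as an added example that is not part of the original thread or from its participants. The object names, the /24 pool masks and the capture name are assumptions; only the two host addresses and the `same-security-traffic` command come from the posts above.

```text
! Added example. Object names, /24 masks and capture name are assumptions.
!
! 1. Allow traffic to enter and leave the same interface (hairpin).
same-security-traffic permit intra-interface
!
! 2. Identity NAT (8.3+ syntax) so pool-to-pool traffic is not caught
!    by another NAT rule on the outside interface.
object network RA-POOL-1
 subnet 192.168.1.0 255.255.255.0
object network RA-POOL-2
 subnet 192.168.2.0 255.255.255.0
nat (outside,outside) source static RA-POOL-1 RA-POOL-1 destination static RA-POOL-2 RA-POOL-2
!
! 3. Verify from privileged EXEC mode.
!    Confirm the hairpin command is present:
show running-config same-security-traffic
!    Confirm the identity NAT rule is installed and taking hits:
show nat detail
!    For IPsec tunnels, compare "pkts decaps" on the sending tunnel with
!    "pkts encaps" on the receiving tunnel while traffic is flowing:
show crypto ipsec sa
!    Look for packets the ASA itself discards and the drop reason:
show asp drop
capture asp-cap type asp-drop all
show capture asp-cap | include 192.168.2.11
no capture asp-cap
```

If decaps increase on the first tunnel while encaps stay flat on the second, the packet is being lost inside the hub, and the asp-drop capture shows the reason code.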
