Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

asa: capture hairpinning packets on outside interface



I try to capture packets between remote access users in different profile/tunnel in order to find out where packets are droped,

i try in this way:


access-list test permit ip

access-list test permit ip

capture capin access-list capin interface outside real-time


but there is nothing on capture output.

addresses 192.168.x.y are from ip local pool for remote access users


thanks for help


Cisco Employee

Hi ,The reason you are not

Hi ,

The reason you are not able to see packets on the outside interface is due to the packets being encrypted.
When the packet leaves the client , it is encrypted and the ip addresses that are visible outside are Public IP of the client and VPN headend.
You might want to take these captures (having ip from VPN pools) on remote VPN users to verify packet reachability.

Dinesh Moudgil


P.S. Please rate helpful posts.

New Member

There is other place or way

There is other place or way to check  packets reachability between two remote access users or two s2s tunnels ? All of them use outside interface.  I see that packets enter the tunnel on one end but i can't see this packets leave the end of second tunnel.. 

Cisco Employee

You might want to check the

You might want to check the tunnel statistics on Hub side to see if the packets are getting encapsulated on the right tunnel.
Also, make sure "same-security-traffic permit intra-interface" and natting is properly configured on the hub device.


Dinesh Moudgil

CreatePlease to create content