Cisco Support Community

packet capture access list on vpn filter

I just set up a VPN filter to secure traffic between two of our facilities. Like a good security admin, I'm only allowing good ports and blocking everything else. Now I'm seeing unidirectional packet loss.

I wanted to set up a packet capture to detect which packets were being allowed and which were being dropped. However, none of my packet captures are showing any packets captured. I've tried the following captures.

capture derp type raw-data interface xo [Capturing - 0 bytes]
  match ip 10.1.8.0 255.255.252.0 any

capture derp type raw-data access-list 105 interface xo [Capturing - 0 bytes]

capture derp type raw-data interface asa_dataplane [Capturing - 0 bytes]
  match ip 10.1.8.0 255.255.252.0 any

This is definitely a formatting issue on my part, as I'm not detecting traffic from subnets that are passing traffic successfully.

Any help would be appreciated. Thank you.

Accepted Solution

Hi Michael,

do not change the VPN filter. Just create a dummy access-list only for the capture, with an any any rule, and use that for the capture.

Regards

Karthik

Replies

Hi,

I have tested this in my lab:

capture derp type raw-data access-list 105 interface xo

It works cool!!! I hope you are capturing it on the inside interface of the firewall for capturing the traffic, if your LAN is 10.1.8.0/22.

Otherwise, put in an access-list with any any and see how the VPN traffic is getting through it. The capture will not show anything if the mapping is wrong.

Regards

Karthik


Thank you for the response!

However, the xo interface is our outside interface and the 10.1.8.0/22 subnet is from our remote facility.


I tried creating the permit any any ACL and applying it as a vpn filter, but I got this error when I tried to capture.

access-list derp line 1 extended permit ip any any (hitcnt=0) 0xab0757a7

ERROR: Capture doesn't support access-list <derp> containing mixed policies


This did not work either; however, I was able to create a capture on our inside interface to achieve what I wanted to do.

Thanks for the help anyway.
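Putting the thread's two fixes together (a capture-only ACL that is never applied as the vpn-filter, and capturing on the inside interface), as an added ASA CLI example that is not from any poster. The interface name "inside" and the ACL name CAP-REMOTE are assumed; "xo", "derp", 105 and 10.1.8.0/22 come from the original post.

```cisco
! Added example, not from the thread. Assumes the inside interface is named
! "inside"; xo, derp, 105 and 10.1.8.0/22 are taken from the original post.
!
! What failed in the thread: the ACL used for the capture was also applied as
! the vpn-filter, and the ASA refused it:
!   ERROR: Capture doesn't support access-list <derp> containing mixed policies
! Leave access-list 105 / the vpn-filter alone and create an ACL that exists
! only for the capture (the "dummy access-list" from the accepted answer).
access-list CAP-REMOTE extended permit ip 10.1.8.0 255.255.252.0 any
access-list CAP-REMOTE extended permit ip any 10.1.8.0 255.255.252.0
! A plain "permit ip any any" works too, as long as this ACL is referenced by
! nothing but the capture.
!
! Capture on the inside interface, where the site-to-site traffic is already
! in clear text. On the outside interface (xo) the same flows are IPsec/ESP,
! which is the likely reason a match on the inner 10.1.8.0/22 addresses
! showed 0 bytes there; newer ASA releases accept an include-decrypted
! keyword on the capture command, but capturing on inside avoids the question.
capture derp type raw-data access-list CAP-REMOTE interface inside buffer 1000000
!
! Confirm bytes are accumulating, then inspect what was allowed through.
show capture
show capture derp
!
! Captures hold memory on the box; remove it when finished.
no capture derp
```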
