Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1333
Views
0
Helpful
4
Replies

Packet-Tracer for l2l vpn

Go to solution
smetieh001
Level 1
Level 1

‎12-12-2013 07:17 AM

Can someone help with the currect packet-tracer command for l2l ipsec vpn

on ASA (a)

ciscoasa# packet-tracer input Outside tcp 10.10.1.2 12345 192.168.1.2 80

ASA (a)

Inside ip address - 192.168.1.2

Destination port 80

ASA (b)

Inside ip address - 10.10.1.2

Source port 12345

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to smetieh001

‎12-13-2013 07:27 AM

Hi,

So if your "inside" host is 192.168.1.2 and the "outside" host is 10.10.1.2 then you could just the following

packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

If the goal is just to test the VPN negotiation then the ports dont really matter but naturally the traffic tested with "packet-tracer" must be allowed by your "inside" interface ACL.  The main thing is that the source and destination address match the L2L VPN configurations (Crypto ACL)

Typically you would be using NAT0 for these local and remote networks so NAT should not be a problem testing this direction. I guess there might be rare situations where using the command in this direction would not be possible

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
smetieh001
Level 1
Level 1

‎12-13-2013 06:12 AM

My question is that, can i use the above packet tracer command to confirm connectivity between two ends of a site-to-site vpn tunnel? Someone please respond...

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to smetieh001

‎12-13-2013 06:19 AM

Hi,

You wont be able to initiate the L2L VPN negotiation from the external interface since the ASA is expecting an encrypted/encapsulated packet.

I would suggest using the "inside" as the source IP address and matching the source/destination IP and port for that direction. Even if connections were only initiated from the remote site in the actual setup this would still be enough to initiate the L2L VPN negotiation.

- Jouni

0 Helpful

Go to solution
smetieh001
Level 1
Level 1
In response to Jouni Forss

‎12-13-2013 06:31 AM

Thanks jouni. Could you rewrite the above command using your suggestion, just to be clear. Thanks

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to smetieh001

‎12-13-2013 07:27 AM

Hi,

So if your "inside" host is 192.168.1.2 and the "outside" host is 10.10.1.2 then you could just the following

packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

If the goal is just to test the VPN negotiation then the ports dont really matter but naturally the traffic tested with "packet-tracer" must be allowed by your "inside" interface ACL.  The main thing is that the source and destination address match the L2L VPN configurations (Crypto ACL)

Typically you would be using NAT0 for these local and remote networks so NAT should not be a problem testing this direction. I guess there might be rare situations where using the command in this direction would not be possible

- Jouni

0 Helpful
Customers Also Viewed These Support Documents