Cisco Support Community
New Member

Packet-Tracer for l2l vpn

Can someone help with the correct packet-tracer command for an L2L IPsec VPN?

on ASA (a)

ciscoasa# packet-tracer input Outside tcp 10.10.1.2 12345 192.168.1.2 80

ASA (a): inside IP address 192.168.1.2, destination port 80
ASA (b): inside IP address 10.10.1.2, source port 12345

1 ACCEPTED SOLUTION

Super Bronze

Packet-Tracer for l2l vpn

Hi,

So if your "inside" host is 192.168.1.2 and the "outside" host is 10.10.1.2, then you could just use the following:

packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

If the goal is just to test the VPN negotiation, then the ports don't really matter, but naturally the traffic tested with "packet-tracer" must be allowed by your "inside" interface ACL. The main thing is that the source and destination address match the L2L VPN configuration (crypto ACL).

Typically you would be using NAT0 for these local and remote networks, so NAT should not be a problem testing this direction. I guess there might be rare situations where using the command in this direction would not be possible.

- Jouni

4 REPLIES
New Member

Packet-Tracer for l2l vpn

My question is: can I use the above packet-tracer command to confirm connectivity between the two ends of a site-to-site VPN tunnel? Someone please respond...

Super Bronze

Packet-Tracer for l2l vpn

Hi,

You won't be able to initiate the L2L VPN negotiation from the external interface, since the ASA is expecting an encrypted/encapsulated packet.

I would suggest using the "inside" as the source IP address and matching the source/destination IP and port for that direction. Even if connections were only initiated from the remote site in the actual setup this would still be enough to initiate the L2L VPN negotiation.

- Jouni

New Member

Packet-Tracer for l2l vpn

Thanks Jouni. Could you rewrite the above command using your suggestion, just to be clear? Thanks.

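
The direction rule from the accepted answer (trace must enter on the inside interface, with the local host as source and the remote host as destination, matching the crypto ACL) and the reason Jouni gives for why an outside-sourced trace cannot start the negotiation, as an added example that is not part of the original thread and not Cisco's own tooling. It parses a constructed crypto ACL for the poster's two networks (the ACL name OUTSIDE_CRYPTOMAP, the /24 masks and the extra host-to-host entry are assumptions) plus a candidate packet-tracer command, and reports whether that command is one the ASA could use to bring the L2L tunnel up:

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample crypto ACL for the scenario in the thread (not from the original post):
# local network 192.168.1.0/24 behind ASA (a), remote 10.10.1.0/24 behind ASA (b).
# The ACL name, the /24 masks and the second host-to-host entry are assumptions.
CRYPTO_ACL_CONFIG = """\
access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list OUTSIDE_CRYPTOMAP extended permit ip host 192.168.1.50 host 10.10.1.50
"""


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit ip <local> <remote>' entry of an L2L crypto ACL."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def _network(tokens, i):
    """Read one ACL address starting at tokens[i]: 'any', 'host A' or 'A MASK'.
    Returns (network, number of tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), 2
    return ipaddress.IPv4Network(tokens[i] + "/" + tokens[i + 1]), 2


def parse_crypto_acl(config_text):
    """Parse 'access-list NAME extended permit ip LOCAL REMOTE' lines; other lines are ignored."""
    entries = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        local, used = _network(t, 5)
        remote, _ = _network(t, 5 + used)
        entries.append(CryptoAce(local, remote))
    return entries


def parse_packet_tracer(command):
    """Split 'packet-tracer input IFACE PROTO SRC SPORT DST DPORT' into its fields."""
    t = command.strip().split()
    if len(t) != 8 or t[0] != "packet-tracer" or t[1] != "input":
        raise ValueError("expected: packet-tracer input IFACE PROTO SRC SPORT DST DPORT")
    return {
        "iface": t[2], "proto": t[3].lower(),
        "src": ipaddress.IPv4Address(t[4]), "sport": int(t[5]),
        "dst": ipaddress.IPv4Address(t[6]), "dport": int(t[7]),
    }


def check_vpn_trace(command, crypto_acl, inside_iface="inside"):
    """Return (ok, reason). ok is True only when the trace enters on the inside interface
    and its src/dst fall in some crypto ACL local->remote pair: cleartext the ASA can match
    against the crypto map and use to start the L2L negotiation. Ports are not checked,
    because they do not matter for the negotiation itself."""
    pt = parse_packet_tracer(command)
    # Interface names are compared case-insensitively here; that is this helper's choice.
    if pt["iface"].lower() != inside_iface.lower():
        return False, (f"input interface '{pt['iface']}' is not '{inside_iface}': on the VPN-facing "
                       "interface the ASA expects encapsulated traffic, not cleartext from the remote LAN")
    for ace in crypto_acl:
        if pt["src"] in ace.local and pt["dst"] in ace.remote:
            return True, f"src/dst match crypto ACL entry {ace.local} -> {ace.remote}"
    for ace in crypto_acl:
        if pt["src"] in ace.remote and pt["dst"] in ace.local:
            return False, "src/dst are reversed: source must be the local (inside) host, destination the remote one"
    return False, "src/dst match no crypto ACL entry; the packet would not be sent into the tunnel"


if __name__ == "__main__":
    acl = parse_crypto_acl(CRYPTO_ACL_CONFIG)
    for cmd in (
        "packet-tracer input Outside tcp 10.10.1.2 12345 192.168.1.2 80",  # the original poster's attempt
        "packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80",   # the accepted answer
        "packet-tracer input inside tcp 192.168.1.2 12345 172.16.0.9 80",  # not a VPN destination
    ):
        ok, why = check_vpn_trace(cmd, acl)
        print("OK   " if ok else "WRONG", cmd, "->", why)
```

This only validates the direction of the command against the crypto ACL before you type it; the ASA itself still runs the trace through the inside interface ACL and NAT, so a command that passes here can still show a DROP in the trace output for those reasons, which is exactly what the trace is for.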
