I use the packet-tracer tool quite often on ASAs. A Cisco engineer told me it's better to always run the traces from the inside out, because traffic arriving from the VPN is encrypted and packet-tracer cannot inject encrypted traffic (a cleartext packet injected on the outside interface with the remote subnet as its source will not match the tunnel). He also said it's a good idea to run it twice, in case the VPN isn't up already: the first trace can trigger the tunnel negotiation, and the second then shows the real result. So use
packet-tracer input INSIDE tcp 192.168.10.10 22 172.30.10.10 4444 detailed
instead of
packet-tracer input OUTSIDE tcp 172.30.10.10 4444 192.168.10.10 22 detailed
When we see the following at the end of our trace:
Type: VPN
Subtype: encrypt
Result: ALLOW
we know the data was encrypted and sent over the VPN.
I've also seen:
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Everything looked good on my end. The other end needed to update their proxy IDs (the IPsec traffic selectors, i.e. the crypto ACL) so they mirrored ours; until they match, Phase 2 never completes and the encrypt phase drops the packet.
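When checking many tunnels it helps to have a small script that reads the trace and reports what the VPN encrypt phase decided, instead of scrolling for it by hand. The following is an added example written for this post in Python; it is not a Cisco tool and the two sample traces in it are constructed to follow the Phase/Type/Subtype/Result layout shown above (the interface names, addresses and phase numbers are made up). Paste real `packet-tracer ... detailed` output into `diagnose()` to use it.

```python
"""Parse Cisco ASA packet-tracer output and report what the VPN encrypt phase decided.

Added example for this post (not Cisco code). The SAMPLE_* traces below are
constructed to match the Phase/Type/Subtype/Result layout of real output;
feed diagnose() the text of a real `packet-tracer ... detailed` run instead.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # Config / Additional Information lines


PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")


def parse_packet_tracer(output: str):
    """Split a trace into its phases plus the trailer's Action and Drop-reason."""
    phases, current, action, drop_reason = [], None, "", ""
    for raw in output.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            continue
        if line.startswith("Action:"):
            action = line.split(":", 1)[1].strip().lower()
            continue
        if line.startswith("Drop-reason:"):
            drop_reason = line.split(":", 1)[1].strip()
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Type":
            current.type = value
        elif key == "Subtype":
            current.subtype = value
        elif key == "Result":
            if value:
                current.result = value.upper()
            else:
                current = None  # a bare "Result:" line starts the summary trailer
        else:
            current.config.append(line)
    return phases, action, drop_reason


def vpn_encrypt_phase(phases):
    """Return the 'Type: VPN / Subtype: encrypt' phase, or None if the trace never reached one."""
    for p in phases:
        if p.type == "VPN" and p.subtype.lower() == "encrypt":
            return p
    return None


def diagnose(output: str) -> str:
    """Classify a trace: encrypted, dropped at the encrypt phase, never matched the tunnel, or other."""
    phases, action, _ = parse_packet_tracer(output)
    enc = vpn_encrypt_phase(phases)
    if enc is None:
        # Packet never hit the crypto map: check the interesting-traffic ACL and the route.
        return "no-vpn-encrypt"
    if enc.result == "ALLOW" and action == "allow":
        return "encrypted"
    if enc.result == "DROP":
        # Tunnel not up yet (run the trace again) or proxy-ID/traffic-selector mismatch with the peer.
        return "dropped-at-encrypt"
    return "other-drop"


# Constructed sample traces (not captured from a device).
SAMPLE_ALLOW = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc OUTSIDE

Phase: 2
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
"""

SAMPLE_DROP = SAMPLE_ALLOW.replace("Phase: 2\nType: VPN\nSubtype: encrypt\nResult: ALLOW",
                                   "Phase: 7\nType: VPN\nSubtype: encrypt\nResult: DROP") \
                          .replace("Action: allow", "Action: drop")

if __name__ == "__main__":
    print("allow sample:", diagnose(SAMPLE_ALLOW))
    print("drop sample: ", diagnose(SAMPLE_DROP))
```

A `no-vpn-encrypt` result is the one to watch for when tracing from the inside: it means the packet left the box in the clear because it never matched the crypto ACL, which is a different problem from a Phase 2 negotiation failure.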