Packet capture for an IPSec tunnel

jac1991
Cisco IPSec tunnel: need to find out who is the final destination of a file copy through the tunnel.
Packet capture won't show me the true destination host. I see the peer IP, and the destination is the public IP of the ASA.

Example: a user initiates a copy through the tunnel. I am trying to identify which host is initiating this copy.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
What we do for Juniper and Cisco RV units is to enable (turn on) Logging.

Then, once Logs have been enabled, review traffic logs.  That is where the IPsec traffic is recorded so that is the best way to do it.

Author

Commented:
John, the logs aren't showing which hosts are using the IPSec tunnel.
John, Business Consultant (Owner)

Commented:
You can try Wireshark or CommView (TamoSoft) to capture and analyze packets. You would need to look at each packet to try to determine tunnel traffic. I think it will be very painstaking.
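An added example, not part of the original thread: a Python sketch that automates the per-packet check by classifying raw IPv4 packets as ESP, NAT-T ESP, IKE or cleartext and counting tunnel packets per outer address pair and SPI. It shows why a capture of the encrypted side yields only the peer addresses: in ESP tunnel mode the inner IP header is inside the encrypted payload, so only the outer addresses and the SPI are readable. The addresses, SPIs and the `ipv4` helper are constructed for illustration.

```python
import socket
import struct
from collections import Counter

ESP, UDP = 50, 17  # IP protocol numbers

def classify(pkt: bytes):
    """Return (kind, src, dst, spi) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    body = pkt[ihl:]
    if proto == ESP and len(body) >= 8:
        # Only the SPI and sequence number are readable; the inner IP header is encrypted.
        return ("esp", src, dst, struct.unpack("!I", body[:4])[0])
    if proto == UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        if 4500 in (sport, dport) and len(payload) >= 4:
            marker = struct.unpack("!I", payload[:4])[0]
            # RFC 3948: four zero bytes mark IKE; anything else is an ESP SPI.
            return ("ike", src, dst, None) if marker == 0 else ("esp-natt", src, dst, marker)
        if 500 in (sport, dport):
            return ("ike", src, dst, None)
    return ("clear", src, dst, None)

def tunnel_flows(packets):
    """Count encrypted tunnel packets per (outer src, outer dst, SPI)."""
    flows = Counter()
    for pkt in packets:
        kind, src, dst, spi = classify(pkt)
        if kind in ("esp", "esp-natt"):
            flows[(src, dst, spi)] += 1
    return flows

def ipv4(src, dst, proto, body):
    """Build a minimal IPv4 packet for the constructed samples (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

# Constructed sample packets (documentation addresses, made-up SPIs).
SAMPLE = [
    ipv4("198.51.100.10", "203.0.113.5", ESP, struct.pack("!II", 0xC0FFEE01, 1) + bytes(32)),
    ipv4("198.51.100.10", "203.0.113.5", ESP, struct.pack("!II", 0xC0FFEE01, 2) + bytes(32)),
    ipv4("203.0.113.5", "198.51.100.10", ESP, struct.pack("!II", 0xBEEF0002, 1) + bytes(32)),
    ipv4("198.51.100.10", "203.0.113.5", UDP, struct.pack("!HHHH", 500, 500, 36, 0) + bytes(28)),
    ipv4("10.1.1.20", "10.2.2.30", 6, bytes(20)),  # cleartext TCP, as seen before encryption
]
```

Calling `tunnel_flows(SAMPLE)` groups the three ESP packets into two flows keyed by peer pair and SPI; only the cleartext sample exposes host addresses.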
