Cool, so it will actually bring up phase 1 and phase 2 or just phase 1? When I said it won't work I meant I doubt any traffic would actually flow :)

Thanks and regards
Yogesh Gawankar

--- On Tue, 8/17/10, Jimmy Larsson <[email protected]> wrote:

From: Jimmy Larsson <[email protected]>
Subject: Re: [OSL | CCIE_Security] Packet tracer
To: "Farzad A. Cheema" <[email protected]>
Cc: "Yogesh Gawankar" <[email protected]>, "OSL Security" <[email protected]>
Date: Tuesday, August 17, 2010, 4:23 AM

Now I have verified, and it is actually true what I heard. If you have a VPN-tunnel configured and that is not up (no sa:s built) and you use the packet-tracer to emulate a packet thru that tunnel, the ASA actually builds the tunnel. It never sends the packet of course. After bringing the ipsec sa up it is still "#pkts encaps: 0".

Sorry guys, but you were wrong. ;)

/Jimmy

2010/8/16 Farzad A. Cheema <[email protected]>

I have tried it too but never got accurate results. It gives me the same output for literally anything. To bring the tunnel up, you can generate the interesting traffic by pinging from a host inside your ASA.

Cheers,
Farzad

On 16 August 2010 14:02, Yogesh Gawankar <[email protected]> wrote:

No, it won't work.

Thanks and regards
Yogesh Gawankar

--- On Mon, 8/16/10, Jimmy Larsson <[email protected]> wrote:

From: Jimmy Larsson <[email protected]>
Subject: [OSL | CCIE_Security] Packet tracer
To: "OSL Security" <[email protected]>
Date: Monday, August 16, 2010, 10:53 PM

Hi guys

I heard someone mentioning that the packet-tracer in ASA initiates the VPN-tunnel (SA:s) if that is needed for the tested packet-flow. I have no resources to test that here and now, can someone confirm?

So if I have a L2L-tunnel configured but SA:s are down, if I do packet-trace with a local source ip and a remote destination ip that matches the crypto acl, it will actually bring the tunnel up?

/Jimmy

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------

--
Regards,
Farzad A. Cheema

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
