But how did you prove that if there is no "show" which can show us that? Which command did you use to see that?

On Tue, Aug 17, 2010 at 12:55 PM, Jimmy Larsson <[email protected]> wrote:

> Both phase 1 and 2.
>
> /Jimmy
>
> 2010/8/17 Yogesh Gawankar <[email protected]>
>
>> Cool so it will actually bring up phase 1 and phase 2 or just phase 1?
>>
>> When I said it won't work I meant I doubt any traffic would actually
>> flow:)
>>
>> Thanks and regards
>>
>> Yogesh Gawankar
>>
>> --- On *Tue, 8/17/10, Jimmy Larsson <[email protected]>* wrote:
>>
>> From: Jimmy Larsson <[email protected]>
>> Subject: Re: [OSL | CCIE_Security] Packet tracer
>> To: "Farzad A. Cheema" <[email protected]>
>> Cc: "Yogesh Gawankar" <[email protected]>, "OSL Security" <[email protected]>
>> Date: Tuesday, August 17, 2010, 4:23 AM
>>
>> Now I have verified, and it is actually true what I heard. If you have a
>> VPN-tunnel configured and that is not up (no sa:s built) and you use the
>> packet-tracer to emulate a packet thru that tunnel, the ASA actually builds
>> the tunnel.
>>
>> It never sends the packet of course. After bringing the ipsec sa up it is
>> still "#pkts encaps: 0".
>>
>> Sorry guys, but you were wrong. ;)
>>
>> /Jimmy
>>
>> 2010/8/16 Farzad A. Cheema <[email protected]>
>>
>> I have tried it too but never got accurate results. It gives me the same
>> output for literally anything.
>>
>> To bring the tunnel up, you can generate the interesting traffic by
>> pinging from a host inside your ASA.
>>
>> Cheers,
>> Farzad
>>
>> On 16 August 2010 14:02, Yogesh Gawankar <[email protected]> wrote:
>>
>> No it won't work.
>>
>> Thanks and regards
>>
>> Yogesh Gawankar
>>
>> --- On *Mon, 8/16/10, Jimmy Larsson <[email protected]>* wrote:
>>
>> From: Jimmy Larsson <[email protected]>
>> Subject: [OSL | CCIE_Security] Packet tracer
>> To: "OSL Security" <[email protected]>
>> Date: Monday, August 16, 2010, 10:53 PM
>>
>> Hi guys
>>
>> I heard someone mentioning that the packet-tracer in ASA initiates the
>> VPN-tunnel (SA:s) if that is needed for the tested packet-flow. I have no
>> resources to test that here and now, can someone confirm?
>>
>> So if I have a L2L-tunnel configured but SA:s are down, if I do
>> packet-trace with a local source ip and a remote destination ip that matches
>> the crypto acl, it will actually bring the tunnel up?
>>
>> /Jimmy
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> --
>> Regards,
>> Farzad A. Cheema
>> --------------------------------
>>
>> --
>> -------
>> Jimmy Larsson
>> Ryavagen 173
>> s-26030 Vallakra
>> Sweden
>> http://blogg.kvistofta.nu
>> -------
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------

--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
