"show crypto ipsec sa" and "show crypto isakmp sa" showed no sa:s before doing the packet trace, but showed active sa:s afterwards. Also if I debug isakmp/ipsec I see that the tunnel goes up when I run the packet tracer.
Don't you believe me? :-)

/Jimmy

2010/8/17 Bruno <[email protected]>

> But how did you prove that if there is no "show" which can show us that?
> Which command did you use to see that?
>
> On Tue, Aug 17, 2010 at 12:55 PM, Jimmy Larsson <[email protected]> wrote:
>
>> Both phase 1 and 2.
>>
>> /Jimmy
>>
>> 2010/8/17 Yogesh Gawankar <[email protected]>
>>
>>> Cool, so it will actually bring up phase 1 and phase 2, or just phase 1?
>>>
>>> When I said it won't work I meant I doubt any traffic would actually flow :)
>>>
>>> Thanks and regards
>>>
>>> Yogesh Gawankar
>>>
>>> --- On Tue, 8/17/10, Jimmy Larsson <[email protected]> wrote:
>>>
>>> From: Jimmy Larsson <[email protected]>
>>> Subject: Re: [OSL | CCIE_Security] Packet tracer
>>> To: "Farzad A. Cheema" <[email protected]>
>>> Cc: "Yogesh Gawankar" <[email protected]>, "OSL Security" <[email protected]>
>>> Date: Tuesday, August 17, 2010, 4:23 AM
>>>
>>> Now I have verified, and it is actually true what I heard. If you have a VPN tunnel configured that is not up (no SAs built) and you use the packet-tracer to emulate a packet through that tunnel, the ASA actually builds the tunnel.
>>>
>>> It never sends the packet, of course. After bringing the IPsec SA up it is still "#pkts encaps: 0".
>>>
>>> Sorry guys, but you were wrong. ;)
>>>
>>> /Jimmy
>>>
>>> 2010/8/16 Farzad A. Cheema <[email protected]>
>>>
>>> I have tried it too but never got accurate results. It gives me the same output for literally anything.
>>>
>>> To bring the tunnel up, you can generate the interesting traffic by pinging from a host inside your ASA.
>>>
>>> Cheers,
>>> Farzad
>>>
>>> On 16 August 2010 14:02, Yogesh Gawankar <[email protected]> wrote:
>>>
>>> No, it won't work.
>>>
>>> Thanks and regards
>>>
>>> Yogesh Gawankar
>>>
>>> --- On Mon, 8/16/10, Jimmy Larsson <[email protected]> wrote:
>>>
>>> From: Jimmy Larsson <[email protected]>
>>> Subject: [OSL | CCIE_Security] Packet tracer
>>> To: "OSL Security" <[email protected]>
>>> Date: Monday, August 16, 2010, 10:53 PM
>>>
>>> Hi guys
>>>
>>> I heard someone mentioning that the packet-tracer in ASA initiates the VPN tunnel (SAs) if that is needed for the tested packet flow. I have no resources to test that here and now, can someone confirm?
>>>
>>> So if I have an L2L tunnel configured but the SAs are down, and I do a packet-trace with a local source IP and a remote destination IP that matches the crypto ACL, it will actually bring the tunnel up?
>>>
>>> /Jimmy
>>>
>>> --
>>> -------
>>> Jimmy Larsson
>>> Ryavagen 173
>>> s-26030 Vallakra
>>> Sweden
>>> http://blogg.kvistofta.nu
>>> -------
>>>
>>> --
>>> Regards,
>>> Farzad A. Cheema
>>> --------------------------------
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
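The check Jimmy describes (capture "show crypto ipsec sa" before and after running packet-tracer, then confirm that an SA matching the tested flow appeared while "#pkts encaps" stayed at 0) can be made mechanical. The script below is an added example and is not code from the thread or from Cisco; the two captures it parses are constructed to mirror the ASA's "show crypto ipsec sa" layout, and the addresses, crypto map name and peer are placeholders. It matches the flow against the SA's local/remote proxy identities rather than just counting SAs, so a pre-existing SA for some other crypto ACL entry is not mistaken for one the trace built.

```python
"""Compare two 'show crypto ipsec sa' captures taken before and after an ASA
packet-tracer run and report whether the trace built an SA without sending
traffic. Example code; the captures below are constructed, not real output."""
import ipaddress
import re

# Constructed capture, taken before packet-tracer: no SAs at all.
BEFORE = "There are no ipsec sas\n"

# Constructed capture, modelled on the ASA format, taken after packet-tracer
# for a flow 10.1.1.10 -> 10.2.2.10. Addresses and names are placeholders.
AFTER = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\):\s*\(([^/]+)/([^/]+)/")
_PEER = re.compile(r"current_peer:\s*(\S+)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block: proxy identities as
    ip_network objects, the peer address and the encaps/decaps counters."""
    sas = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"local": None, "remote": None, "peer": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = _IDENT.search(line)
        if m:
            # "10.1.1.0/255.255.255.0" -> IPv4Network('10.1.1.0/24')
            cur[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            continue
        m = _PEER.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = _ENCAPS.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = _DECAPS.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def sa_for_flow(sas, src, dst):
    """First SA whose local/remote proxy identities cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas:
        if sa["local"] and sa["remote"] and s in sa["local"] and d in sa["remote"]:
            return sa
    return None


def packet_tracer_effect(before, after, src, dst):
    """Classify what packet-tracer did for the given flow between two captures."""
    if sa_for_flow(parse_ipsec_sa(before), src, dst) is not None:
        return "sa already existed"
    sa = sa_for_flow(parse_ipsec_sa(after), src, dst)
    if sa is None:
        return "no sa built"
    if sa["encaps"] == 0:
        return "sa built, no packets encapsulated"
    return "sa built and traffic encapsulated"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(AFTER):
        print(f"peer {sa['peer']}: {sa['local']} -> {sa['remote']}, encaps={sa['encaps']}")
    print(packet_tracer_effect(BEFORE, AFTER, "10.1.1.10", "10.2.2.10"))
```

To use it against a real box, paste the two captures in place of BEFORE and AFTER (or read them from files) and pass the same source and destination you gave to "packet-tracer input <ifc> <proto> <src> <sport> <dst> <dport>". A verdict of "sa built, no packets encapsulated" is exactly the state Jimmy reports; "sa already existed" means the test was not a clean one and the SAs should be cleared before retrying.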
