Solved

Why does the ACL hitcnt number not change after pinging a user on the other side of an ASA VPN?

Posted on 2014-10-22
Last Modified: 2014-10-28
Hi Experts,
I have a question about a LAN-to-LAN VPN I am setting up. After I set up the VPN, a user on one side can ping a user on the other side, but I notice that when I run show access-list on the ASA, the hitcnt number does not change. I do not know why this happens, since the traffic goes through that ACL.

Please see the following:

ASA# sh access-list  
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Sales; 8 elements; name hash: 0x98ffc0
access-list Sales line 1 extended permit ip 10.154.179.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=3) 0x98950ed
Question by:EESky
12 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40398296
Ping is a member of the ICMP protocol suite, not the IP protocol. Add a line allowing/denying ICMP and observe the results.
access-list Sales line 2 extended permit icmp any any
 
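For readers checking the ACL semantics at this point, here is an added example that is not part of the thread: in an ASA extended ACE the protocol keyword `ip` matches every IP protocol number, ICMP (protocol 1) included, which is why the `permit ip` line in the question already selects ping traffic between those two subnets; a `permit icmp any any` line added below it is a narrower entry that the `ip` line shadows for the same subnets. The ACE parser and the top-down first-match evaluator are mine and handle only the `any`, `host` and `address mask` forms (no object-groups, no ports); the two-line ACL and the packet tuples are constructed for illustration.

```python
import ipaddress
import re

# Protocol keywords as written in an ASA extended ACE, mapped to IP protocol
# numbers. "ip" is the wildcard: it matches every protocol, ICMP included.
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}

# Matches the ACE as it appears in running-config or show access-list output;
# the optional "line N" and the trailing "(hitcnt=N) 0x..." are tolerated.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>ip|icmp|tcp|udp)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
)


def _network(spec):
    """Turn 'any', 'host A' or 'A MASK' into an ip_network (ASA uses subnet masks)."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line):
    """Parse one extended ACE into a dict; raises on unsupported syntax."""
    m = ACE_RE.search(line)
    if not m:
        raise ValueError(f"not a supported extended ACE: {line!r}")
    return {
        "name": m["name"],
        "action": m["action"],
        "proto": PROTO[m["proto"]],   # None means any protocol
        "src": _network(m["src"]),
        "dst": _network(m["dst"]),
    }


def ace_matches(ace, proto, src, dst):
    """True when a packet (IP protocol number, src, dst) is selected by the ACE."""
    if ace["proto"] is not None and ace["proto"] != proto:
        return False
    return (ipaddress.ip_address(src) in ace["src"]
            and ipaddress.ip_address(dst) in ace["dst"])


def first_match(acl, proto, src, dst):
    """ASA evaluates ACEs top-down, first match wins.

    Returns the 1-based line number of the matching ACE, or 0 for the
    implicit deny at the end of the list.
    """
    for lineno, ace in enumerate(acl, 1):
        if ace_matches(ace, proto, src, dst):
            return lineno
    return 0


# Constructed ACL: the "permit ip" line from the question's show access-list
# output plus the icmp line suggested in the reply above.
SALES_ACL = [parse_ace(text) for text in (
    "access-list Sales line 1 extended permit ip 10.154.179.0 255.255.255.0 "
    "10.0.0.0 255.0.0.0 (hitcnt=3) 0x98950ed",
    "access-list Sales line 2 extended permit icmp any any",
)]

ICMP, TCP = 1, 6

if __name__ == "__main__":
    # An echo request between the two subnets is caught by line 1 ("ip"),
    # so line 2 never sees it; only ICMP outside those subnets reaches line 2.
    print(first_match(SALES_ACL, ICMP, "10.154.179.5", "10.0.0.9"))     # 1
    print(first_match(SALES_ACL, ICMP, "10.154.179.5", "192.168.9.9"))  # 2
    print(first_match(SALES_ACL, TCP, "10.154.179.5", "192.168.9.9"))   # 0
```

The evaluator covers the general case the thread only hints at: any ACE list, any protocol number, any direction. Run it against your own `show access-list` lines to see which ACE a given packet would hit before reasoning about counters.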
LVL 57

Expert Comment

by:Pete Long
ID: 40399077
Yep, ICMP is a different protocol suite; your ACL is for IP.

PL
 

Author Comment

by:EESky
ID: 40402558
Thanks for your fast reply. I removed all ACLs and added a new one that just allows ICMP through the tunnel. However, I noticed that the hitcnt number is not related to the number of pings. And the hitcnt is not 0, it is 3. I am curious which packets caused the 3.

 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40402684
ICMP is a protocol suite, and other utilities like traceroute might have been run as well.
For more granular monitoring, you can open ASDM and view the syslogs, filtering by source IP for example.
 

Author Comment

by:EESky
ID: 40403111
The hitcnt number might not be related to the VPN's ACL.
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40403173
Can you elaborate on "VPN's ACL"? There are various points at which to place an ACL. Can you post the part of the config where you put the ACL in use?
 

Author Comment

by:EESky
ID: 40407752
To confirm this issue, we used the following topology:   asa1 ------ R2 ------- asa3.  asa1 and asa3 can ping each other's outside interface.

We cannot tell where the 3 (hitcnt=3) comes from, and the number here does not change even if we ping many times from a user on one side to the other.

------------------------------------------------
asa3(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083

--------------------
asa1(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 12.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 23.1.1.3
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.1.1.3 type ipsec-l2l
tunnel-group 23.1.1.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:35318b1ad2e24441aa8bacec500fe128
: end
asa1(config)#

---------------------------------

asa3(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 23.1.1.3 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 23.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 12.1.1.1
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:51b5fbcad65f9ef63d6b7029ea909547
: end
asa3(config)#
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40407763
Add the following and try again
access-list ACL extended permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
 

Author Comment

by:EESky
ID: 40409903
Thank you for your reply. I removed all ACLs and added a new ACL for ICMP on both ASAs; the situation is the same as before. I think the count (hitcnt) might need an access-group, but the count is not zero even though it has no access-group.
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 40409929
Just observed that you use it for interesting traffic. Read the usage guidelines section in the following for your answer.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2238243
 
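Where the tunnelled packets actually get counted, as an added example that is not part of the thread: for an ACL referenced by `crypto map ... match address`, the per-ACE hitcnt in `show access-list` is not the counter that tracks data traffic; the counters that move with every packet sent into or received from the tunnel are `#pkts encaps` and `#pkts decaps` in `show crypto ipsec sa` (with `#send errors` / `#recv errors` worth watching at the same time). The script below snapshots both outputs before and after a run of pings and reports the deltas, which is the check to run before concluding that traffic is not using the tunnel. The parsers and the `ping_check` report are mine; the two captures are constructed by me in the format of the thread's asa1 (hitcnt=3 on both sides of five echo requests, SA counters up by five) and are not real device output.

```python
import re

# One hitcnt per ACE line of "show access-list" output, keyed by (acl, line).
HITCNT_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+.*?"
    r"\(hitcnt=(?P<hits>\d+)\)",
    re.M,
)
# The SA-level counters from "show crypto ipsec sa"; "#pkts encrypt" etc. are ignored.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")


def acl_hitcounts(show_access_list):
    """{(acl_name, line_no): hitcnt} parsed from 'show access-list' output."""
    return {(m["acl"], int(m["line"])): int(m["hits"])
            for m in HITCNT_RE.finditer(show_access_list)}


def ipsec_sa_counters(show_crypto_ipsec_sa):
    """{peer: {counter_name: value}} parsed from 'show crypto ipsec sa' output.

    Counters are attributed to the most recent 'current_peer:' line, so
    output with several SAs (several peers or crypto map entries) is kept apart.
    """
    counters, peer = {}, None
    for line in show_crypto_ipsec_sa.splitlines():
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            peer = m.group(1).rstrip(",")
            counters[peer] = {}
            continue
        if peer is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[peer][name] = int(value)
    return counters


def ping_check(before, after):
    """Deltas between two snapshots taken around a ping run.

    before/after are dicts with the raw text under keys "acl" and "sa".
    Returns {"hitcnt_delta": {(acl, line): n}, "sa_delta": {peer: {counter: n}}}.
    """
    hits_b, hits_a = acl_hitcounts(before["acl"]), acl_hitcounts(after["acl"])
    sa_b, sa_a = ipsec_sa_counters(before["sa"]), ipsec_sa_counters(after["sa"])
    return {
        "hitcnt_delta": {k: hits_a[k] - hits_b.get(k, 0) for k in hits_a},
        "sa_delta": {
            peer: {c: sa_a[peer][c] - sa_b.get(peer, {}).get(c, 0) for c in sa_a[peer]}
            for peer in sa_a
        },
    }


# --- constructed captures (not real device output) ------------------------
def _acl_capture(hitcnt):
    return (
        "access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)\n"
        "            alert-interval 300\n"
        "access-list ACL; 1 elements; name hash: 0xdd71d952\n"
        "access-list ACL line 1 extended permit ip 10.1.1.0 255.255.255.0 "
        f"192.168.1.0 255.255.255.0 (hitcnt={hitcnt}) 0x4dac3083\n"
    )


def _sa_capture(encaps, decaps):
    return (
        "interface: outside\n"
        "    Crypto map tag: MAP, seq num: 1, local addr: 12.1.1.1\n\n"
        "      access-list ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
        "      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)\n"
        "      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)\n"
        "      current_peer: 23.1.1.3\n\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
        "      #pkts compressed: 0, #pkts decompressed: 0\n"
        "      #send errors: 0, #recv errors: 0\n"
    )


BEFORE = {"acl": _acl_capture(3), "sa": _sa_capture(12, 12)}   # snapshot, then 5 pings
AFTER = {"acl": _acl_capture(3), "sa": _sa_capture(17, 17)}    # snapshot again

if __name__ == "__main__":
    print(ping_check(BEFORE, AFTER))
    # {'hitcnt_delta': {('ACL', 1): 0}, 'sa_delta': {'23.1.1.3': {'pkts encaps': 5, 'pkts decaps': 5, 'send errors': 0, 'recv errors': 0}}}
```

On a live box, paste the two `show access-list` / `show crypto ipsec sa` outputs into `BEFORE` and `AFTER`; a zero hitcnt delta alongside a non-zero encaps/decaps delta is the expected picture for a crypto ACL and means the pings did cross the tunnel. If encaps rises but decaps stays flat, the far side is not sending back (or its own crypto ACL does not mirror this one); `clear crypto ipsec sa counters` before the run makes small deltas easier to read.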

Author Comment

by:EESky
ID: 40409938
Thank you, Alan. Right!
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40409953
You are welcome :)