Solved

Why ACL hitcnt number do not change after ping other side user in asa vpn

Posted on 2014-10-22
12
313 Views
Last Modified: 2014-10-28
Hi Expert
I have a question when i am doing lan to lan vpn. After i setup the vpn, one side user can ping other side user, but i notice after i show access-list in asa, the result show hitcnt number do not change. i do not know why it happen like that since the traffic goes through that acl.

Please see the following:

ASA# sh access-list  
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Sales; 8 elements; name hash: 0x98ffc0
access-list Sales line 1 extended permit ip 10.154.179.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=3) 0x98950ed
0
Comment
Question by:EESky
  • 6
  • 5
12 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40398296
Ping is a member of ICMP protocol suite not IP protocol. Add a line allowing/denying icmp and observer the results.
access-list line 2 extended permit icmp any any
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40399077
Yep ICMP is a different protocol suite, your ACL is for IP

PL
0
 

Author Comment

by:EESky
ID: 40402558
Thanks for your fast reply. i removed all ACL and added new one which just allow icmp go through the tunnel. however i noticed the number of hitcnt is not related with ping times. And the hitcnt is not 0, but it is 3. I am curious about which packet cause the 3
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40402684
ICMP is a protocol suite and other utilities like traceroute might have been run as well.
For a more granular monitoring, you can open ASDM and view syslogs, filter with the source IP maybe.
0
 

Author Comment

by:EESky
ID: 40403111
The hitcnt number might not related with vpn’ acl
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40403173
Can you elaborate on "VPN's ACL"? There are various points to place ACL. Can you post the part of the config where you put the acl in use?
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:EESky
ID: 40407752
In order to confirm this issue, we use the topology like this:   asa1 ------ R2 ------- asa3.  asa 1 and asa3 can ping each other' outside

We can not know how the 3 (hitcnt=3) come from , and the number here do not change even if ping many times from one side user to other

------------------------------------------------
asa3(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083

--------------------
asa1(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 12.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 23.1.1.3
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.1.1.3 type ipsec-l2l
tunnel-group 23.1.1.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:35318b1ad2e24441aa8bacec500fe128
: end
asa1(config)#

---------------------------------

asa3(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 23.1.1.3 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 23.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 12.1.1.1
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:51b5fbcad65f9ef63d6b7029ea909547
: end
asa3(config)#
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40407763
Add the following and try again
access-list ACL extended permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
0
 

Author Comment

by:EESky
ID: 40409903
Thank you for your reply. I removed all acl and added new acl for icmp on both asa, the situation is same as before. I think the count (hitcnt) might need access-group. but the count is no zero even if it has no access-group
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 40409929
Just observed that you use it for interesting traffic. Read usage guidelines section in the following for your answer.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2238243
0
 

Author Comment

by:EESky
ID: 40409938
Thank you, Alan. right!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40409953
You are welcome :)
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now