Solved

Why does the ACL hitcnt number not change after pinging the other side's user in an ASA VPN?

Posted on 2014-10-22
349 Views
Last Modified: 2014-10-28
Hi Expert,
I have a question about setting up a LAN-to-LAN VPN. After I set up the VPN, a user on one side can ping a user on the other side, but I notice that after I run show access-list on the ASA, the result shows the hitcnt number does not change. I do not know why it happens like that, since the traffic goes through that ACL.

Please see the following:

ASA# sh access-list  
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Sales; 8 elements; name hash: 0x98ffc0
access-list Sales line 1 extended permit ip 10.154.179.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=3) 0x98950ed
0
12 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40398296
Ping is a member of the ICMP protocol suite, not the IP protocol. Add a line allowing/denying ICMP and observe the results.
access-list Sales line 2 extended permit icmp any any
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40399077
Yep, ICMP is a different protocol suite; your ACL is for IP.

PL
0
 

Author Comment

by:EESky
ID: 40402558
Thanks for your fast reply. I removed all the ACLs and added a new one which just allows ICMP through the tunnel. However, I noticed the hitcnt number is not related to the number of pings. And the hitcnt is not 0, but 3. I am curious about which packets caused the 3.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40402684
ICMP is a protocol suite, and other utilities like traceroute might have been run as well.
For more granular monitoring, you can open ASDM and view the syslogs, filtering by source IP maybe.
0
 

Author Comment

by:EESky
ID: 40403111
The hitcnt number might not be related to the VPN's ACL.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40403173
Can you elaborate on "VPN's ACL"? There are various points at which to place an ACL. Can you post the part of the config where you put the ACL in use?
0
 

Author Comment

by:EESky
ID: 40407752
In order to confirm this issue, we use a topology like this:   asa1 ------ R2 ------- asa3.  asa1 and asa3 can ping each other's outside interface.

We cannot tell where the 3 (hitcnt=3) comes from, and the number here does not change even if we ping many times from a user on one side to the other.

------------------------------------------------
asa3(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083

--------------------
asa1(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 12.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 23.1.1.3
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.1.1.3 type ipsec-l2l
tunnel-group 23.1.1.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:35318b1ad2e24441aa8bacec500fe128
: end
asa1(config)#

---------------------------------

asa3(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 23.1.1.3 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 23.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 12.1.1.1
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:51b5fbcad65f9ef63d6b7029ea909547
: end
asa3(config)#
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40407763
Add the following and try again
access-list ACL extended permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
0
 

Author Comment

by:EESky
ID: 40409903
Thank you for your reply. I removed all ACLs and added a new ACL for ICMP on both ASAs; the situation is the same as before. I think the count (hitcnt) might need an access-group, but the count is not zero even though it has no access-group.
0
 
LVL 29

Accepted Solution

by: Alan Huseyin Kayahan (earned 500 total points)
ID: 40409929
Just observed that you use it for interesting traffic. Read the usage guidelines section in the following for your answer.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2238243
0
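To make the point behind the accepted answer concrete: in the posted configs the ACL is referenced only by `crypto map MAP 1 match address ACL`, so it classifies interesting traffic for tunnel negotiation and is not a per-packet interface filter; its hitcnt reflects tunnel set-up events rather than the data packets flowing through the SA. The ASA CLI sequence below is an added example, not part of the original thread or Cisco's documentation. It uses the addresses from the posted configs and assumes an inside host 10.1.1.10 behind asa1 pinging 192.168.1.10 behind asa3; it shows where per-packet counters actually live and how to prove the pings are taking the tunnel.

```text
! Added example (not from the thread). Run on asa1. Assumed hosts:
! 10.1.1.10 (inside asa1) pinging 192.168.1.10 (inside asa3).

! 1. Data-plane proof that the pings are encrypted: the IPsec SA
!    counters (#pkts encaps / #pkts decaps) increment per packet,
!    while the crypto-map ACL hitcnt does not.
show crypto ipsec sa peer 23.1.1.3 | include pkts

! 2. Simulate one echo request without sending traffic. The trace ends
!    with Action: allow and shows a VPN encrypt phase if the flow matches
!    the crypto ACL and the SA is up.
packet-tracer input inside icmp 10.1.1.10 8 0 192.168.1.10 detailed

! 3. If a per-packet hit count is what you want, use a separate ACL
!    bound with access-group. Keep the crypto ACL for tunnel selection
!    only; do not reuse the same ACL for both jobs. Binding an ACL to
!    inside replaces the implicit security-level permit, so on a
!    production box add the rest of the outbound policy to INSIDE_IN.
access-list INSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-group INSIDE_IN in interface inside
show access-list INSIDE_IN

! 4. A capture on the inside interface filtered to the same pair shows
!    whether the clear-text echo requests are even reaching the ASA.
capture CAP_IN interface inside match icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
show capture CAP_IN
no capture CAP_IN
```

Read step 1 before and after a run of pings: if #pkts encaps on asa1 and #pkts decaps on asa3 grow by the number of echo requests, the tunnel is carrying the traffic regardless of what the crypto ACL's hitcnt says. Step 3 gives the per-packet count the original question was looking for, but on an interface ACL, which is the only place the ASA counts data packets against an ACE.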
 

Author Comment

by:EESky
ID: 40409938
Thank you, Alan. Right!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 40409953
You are welcome :)
0
