  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 369

Why does the ACL hitcnt number not change after pinging a user on the other side of an ASA VPN?

Hi Experts,
I have a question about a LAN-to-LAN VPN I am setting up. After I set up the VPN, a user on one side can ping a user on the other side, but I notice that when I run show access-list on the ASA, the hitcnt number does not change. I do not know why this happens, since the traffic goes through that ACL.

Please see the following:

ASA# sh access-list  
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list Sales; 8 elements; name hash: 0x98ffc0
access-list Sales line 1 extended permit ip 10.154.179.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=3) 0x98950ed
Asked by EESky
 
Alan Huseyin Kayahan commented:
Ping is a member of the ICMP protocol suite, not the IP protocol. Add a line allowing/denying ICMP and observe the results.
access-list Sales line 2 extended permit icmp any any
 
Pete Long (Consultant) commented:
Yep, ICMP is a different protocol suite; your ACL is for IP.

PL
 
EESky (Author) commented:
Thanks for your fast reply. I removed all the ACLs and added a new one that just allows ICMP through the tunnel. However, I noticed that the hitcnt number is not related to the number of pings. The hitcnt is not 0, it is 3. I am curious which packets caused the 3.
 
Alan Huseyin Kayahan commented:
ICMP is a protocol suite, and other utilities such as traceroute might have been run as well.
For more granular monitoring, you can open ASDM and view the syslogs, filtering by the source IP, for example.
 
EESky (Author) commented:
The hitcnt number might not be related to the VPN's ACL.
 
Alan Huseyin Kayahan commented:
Can you elaborate on "VPN's ACL"? There are various points at which an ACL can be placed. Can you post the part of the config where you put the ACL in use?
 
EESky (Author) commented:
To confirm this issue, we use the following topology: asa1 ------ R2 ------- asa3. asa1 and asa3 can ping each other's outside interface.

We cannot tell where the 3 (hitcnt=3) comes from, and the number here does not change even if we ping many times from a user on one side to the other.

------------------------------------------------
asa3(config)# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083

--------------------
asa1(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 12.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 23.1.1.3
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.1.1.3 type ipsec-l2l
tunnel-group 23.1.1.3 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:35318b1ad2e24441aa8bacec500fe128
: end
asa1(config)#

---------------------------------

asa3(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 23.1.1.3 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 23.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TS esp-3des esp-sha-hmac
crypto map MAP 1 match address ACL
crypto map MAP 1 set peer 12.1.1.1
crypto map MAP 1 set ikev1 transform-set TS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 10000
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha    
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.1.1.1 type ipsec-l2l
tunnel-group 12.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
call-home reporting anonymous prompt 2
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:51b5fbcad65f9ef63d6b7029ea909547
: end
asa3(config)#
 
Alan Huseyin Kayahan commented:
Add the following and try again:
access-list ACL extended permit icmp 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
 
EESky (Author) commented:
Thank you for your reply. I removed all the ACLs and added a new ACL for ICMP on both ASAs; the situation is the same as before. I think the count (hitcnt) might need an access-group, but the count is not zero even though it has no access-group.
 
Alan Huseyin Kayahan commented:
I just noticed that you are using it for interesting traffic. Read the usage guidelines section in the following for your answer:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/c5.html#wp2238243
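The point the thread arrives at is that the ACL named in crypto map MAP 1 match address ACL is never applied with access-group; it only selects interesting traffic for IPsec, so its hitcnt is not a per-flow count of what crosses the tunnel. The script below is an added example, not code from the original post or from Cisco: it parses show running-config to work out how each ACL is bound (access-group versus crypto map match address), parses show access-list for per-ACE hitcnt values, and diffs two snapshots taken around a test ping so that only counters that actually moved are reported. The sample outputs are constructed, modelled on the asa3 configuration above with a hypothetical interface ACL INSIDE_IN added; the regexes assume the 8.4-era show access-list line format shown in the thread. For an ACL bound only to a crypto map, the check it points you to is show crypto ipsec sa (#pkts encaps/decaps) rather than hitcnt.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the asa3 config in the thread with a
# hypothetical interface ACL (INSIDE_IN) added; not captured from a real device.
SHOW_RUN = """\
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit tcp any any eq 443
access-group INSIDE_IN in interface inside
crypto map MAP 1 match address ACL
crypto map MAP interface outside
"""

# Snapshot taken before a test ping (constructed).
SHOW_ACCESS_LIST_BEFORE = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL; 1 elements; name hash: 0xdd71d952
access-list ACL line 1 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=3) 0x4dac3083
access-list INSIDE_IN; 2 elements; name hash: 0x1a2b3c4d
access-list INSIDE_IN line 1 extended permit icmp any any (hitcnt=41) 0xaaaa0001
access-list INSIDE_IN line 2 extended permit tcp any any eq 443 (hitcnt=0) 0xaaaa0002
"""

# Snapshot after five pings: only the interface ACL's ICMP ACE moved (constructed).
SHOW_ACCESS_LIST_AFTER = SHOW_ACCESS_LIST_BEFORE.replace("(hitcnt=41)", "(hitcnt=46)")

# Line formats as they appear in the thread's 8.4(2) output.
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) (.*?) \(hitcnt=(\d+)\)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")


def acl_bindings(show_run: str) -> Dict[str, List[str]]:
    """Map each ACL name to every place the running config references it."""
    bindings: Dict[str, List[str]] = {}
    for line in show_run.splitlines():
        m = ACCESS_GROUP_RE.match(line)
        if m:
            bindings.setdefault(m.group(1), []).append(
                f"access-group {m.group(2)} interface {m.group(3)}")
            continue
        m = CRYPTO_MATCH_RE.match(line)
        if m:
            bindings.setdefault(m.group(3), []).append(
                f"crypto map {m.group(1)} {m.group(2)} match address")
    return bindings


def parse_hitcnt(show_access_list: str) -> Dict[str, Dict[int, int]]:
    """Return {acl_name: {line_number: hitcnt}} from 'show access-list' output."""
    counts: Dict[str, Dict[int, int]] = {}
    for line in show_access_list.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts.setdefault(m.group(1), {})[int(m.group(2))] = int(m.group(4))
    return counts


def classify(show_run: str, show_access_list: str) -> Dict[str, dict]:
    """Say, per ACL, whether its hitcnt is a meaningful measure of data traffic."""
    bindings = acl_bindings(show_run)
    report = {}
    for acl, lines in parse_hitcnt(show_access_list).items():
        uses = bindings.get(acl, [])
        if any(u.startswith("access-group") for u in uses):
            kind = "interface-filter"
            note = "hitcnt increments for traffic matched on the interface"
        elif any(u.startswith("crypto map") for u in uses):
            # The thread's conclusion: a crypto ACL selects interesting traffic,
            # it does not filter packets, so read the IPsec SA counters instead.
            kind = "crypto-map"
            note = ("selects interesting traffic for IPsec; hitcnt is not a data-plane "
                    "packet count, check 'show crypto ipsec sa' #pkts encaps/decaps")
        else:
            kind = "unbound"
            note = "not referenced anywhere; hitcnt cannot move"
        report[acl] = {"kind": kind, "bindings": uses, "hitcnt": lines, "note": note}
    return report


def hitcnt_delta(before: str, after: str) -> Dict[str, Dict[int, int]]:
    """Per-ACE change in hitcnt between two 'show access-list' snapshots."""
    b = parse_hitcnt(before)
    delta: Dict[str, Dict[int, int]] = {}
    for acl, lines in parse_hitcnt(after).items():
        for ln, cnt in lines.items():
            d = cnt - b.get(acl, {}).get(ln, 0)
            if d:
                delta.setdefault(acl, {})[ln] = d
    return delta


if __name__ == "__main__":
    for name, info in classify(SHOW_RUN, SHOW_ACCESS_LIST_BEFORE).items():
        print(f"{name}: {info['kind']} via {info['bindings'] or ['nothing']}: {info['note']}")
    print("ACEs whose hitcnt changed across the test ping:",
          hitcnt_delta(SHOW_ACCESS_LIST_BEFORE, SHOW_ACCESS_LIST_AFTER))
```

In practice you would paste real show running-config and show access-list output into the two strings (or read them from files), take the second snapshot right after the test ping, and trust only the ACEs that hitcnt_delta reports. On the constructed input, ACL is classified as crypto-map and its counter stays at 3 across the ping, while the interface ACL's ICMP ACE is the only one that moves, which is exactly the behaviour the thread describes.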
 
EESky (Author) commented:
Thank you, Alan. Right!
 
Alan Huseyin Kayahan commented:
You are welcome :)
