Need to count IP address hits

Hello

Task - I have been asked to check if certain NAT rules are being utilized at this time. Usually this would be a matter of looking at the firewall (ASA in my case) or simply looking at the end devices to check if there's any incoming traffic from the outside. Neither option is available right now.

Scenario - We currently use the ISP as our firewall; they firewall and NAT outside addresses into our internal addresses. The ISP doesn't provide NAT metrics to us. Incoming traffic hits our edge router and then our ASA (used for VPN mostly).

What I have tried - I put an ACL on our edge router interface (in) permitting the NATted-to internal IP addresses, expecting to see some ACL matches if hit. See text below for ACL and interface configs.
On the ACL I have tried with and without the "LOG" option.

What is the method to collect IP traffic information on a Cisco 1941?

Any assistance would be greatly appreciated.

Thanks in advance
-----------------------
R1#show access-list

Standard IP access list 88
    20 permit 192.168.111.7
    30 permit 192.168.111.8
    10 deny   192.168.55.11
    40 permit 192.168.34.27
    50 permit 192.168.31.40
    60 permit 192.168.34.18
    70 permit 192.168.32.13
    80 permit 192.168.3.33
    90 permit 192.168.25.6
    100 permit any (4920313 matches)
------------
R1#sh run int gig 0/0

interface GigabitEthernet0/0
 ip address 65.118.86.166 255.255.255.252
 ip access-group 88 in
 duplex full
 speed 100
--------------
CocoCounty Asked:

Garry Glendown, Consulting and Network/Security Specialist, Commented:
You could also configure the ASA with rules for each device; it will also keep a counter on rule hits ... Not exactly sure why you don't get any hits on the single IPs in the access list, unless the IOS is optimizing the access list matches (try adding an arbitrary deny rule between the last specific permit and the permit any rule ... not sure if that will do anything).
0

Jan Springer Commented:
If you can configure logging and log to an internal syslog server, the sky is the limit with analyzing the log data.
0
CocoCounty (Author) Commented:
Thank you Garry-G and Jan,

I will try both. I need to wait until Monday to do any work on the router. I will post the results then.

Thanks again
0
Garry Glendown, Consulting and Network/Security Specialist, Commented:
If you are open to more extensive analysis, things like Netflow Accounting could deliver even more information ...
0
CocoCounty (Author) Commented:
The ACL with a deny statement did the job.
0
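
The per-entry counters discussed in this thread can be compared across two "show access-list" captures to see which entries took hits in between. The following is an added example, not part of the original thread: the first capture is abridged from the question, the second capture and its counts are constructed sample data, and the function names are hypothetical.

```python
import re

# One ACE line: sequence number, action, match criteria and an optional
# hit counter. IOS prints no counter at all for an entry with zero hits.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<match>.+?)"
    r"(?:\s+\((?P<hits>\d+) match(?:es)?\))?\s*$"
)
ACL_RE = re.compile(r"^(?:Standard|Extended) IP access list (?P<name>\S+)")

def parse_acl_counters(output):
    """Return {(acl, seq): (action, criteria, hits)} from show access-list text."""
    counters, acl = {}, None
    for line in output.splitlines():
        header = ACL_RE.match(line.strip())
        if header:
            acl = header.group("name")
            continue
        ace = ACE_RE.match(line)
        if ace and acl is not None:
            key = (acl, int(ace.group("seq")))
            hits = int(ace.group("hits") or 0)
            counters[key] = (ace.group("action"), ace.group("match"), hits)
    return counters

def hits_between(before, after):
    """Entries whose counter rose between two captures, with the increase."""
    old, new = parse_acl_counters(before), parse_acl_counters(after)
    deltas = {}
    for key, (action, match, hits) in new.items():
        prev = old.get(key, (None, None, 0))[2]
        # A lower counter means it was cleared or the router reloaded,
        # so everything now shown arrived after the first capture.
        grew = hits - prev if hits >= prev else hits
        if grew > 0:
            deltas[key] = (action, match, grew)
    return deltas

# First capture: abridged from the output posted in the question.
CAPTURE_BEFORE = """Standard IP access list 88
    20 permit 192.168.111.7
    10 deny   192.168.55.11
    100 permit any (4920313 matches)"""
# Second capture: constructed sample data for illustration only.
CAPTURE_AFTER = """Standard IP access list 88
    20 permit 192.168.111.7 (12 matches)
    10 deny   192.168.55.11 (1 match)
    100 permit any (4925000 matches)"""
```

Calling hits_between(CAPTURE_BEFORE, CAPTURE_AFTER) returns only the entries that saw traffic during the window, keyed by ACL name and sequence number.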
Question has a verified solution.