10-25-2012 05:57 PM - edited 03-11-2019 05:14 PM
Hi everyone,
I need to confirm how the hit count is incremented on the ASA.
I am pinging an IP from a PC connected to the ASA.
The PC has sent 4 packets.
Here is ASA info
ciscoasa# sh access-li$
access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 1 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=3) 0x0b307247
ciscoasa# ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=33 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=33 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=34 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=34 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=35 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=35 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=36 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=36 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ciscoasa# sh access-li$
access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list ICMP; 1 elements; name hash: 0x2d2cf426
access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=4) 0x0b307247
We can see that after the ping the hit count has gone from 3 to 4.
So does this mean that for every 4 packets sent by the PC the hit count increments by 1?
Thanks
Mahesh
10-25-2012 07:01 PM
Yes, that is correct.
The access-list on the ASA only matches on the first connection, and the subsequent packets within the same connection will be allowed by default as they are part of the same connection. The ASA is a stateful firewall, so it has a state table to store the existing connections.
Hope that helps.
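To make the accepted answer concrete, here is a small toy model added to this thread (it is not Cisco code and does not reproduce ASA internals). It replays the 16 debug lines from the question, learns the NAT xlate from the "translating" lines, keys each ICMP flow on (inside host, ICMP ID, outside host), and increments an ACL hit counter only when a flow is created. The assumptions are those of the toy: one ACL evaluation per new flow, replies tied back to the request through the xlate, and no modelling of which interface the ACL is applied on. With all four echoes sharing ICMP ID 1, the counter rises by exactly 1 even though 8 echo packets pass, which is the 3 to 4 change observed in the post.

```python
import re
from collections import Counter

# The 16 debug lines quoted in the question above: one ping of 4 echoes.
# All four requests carry ICMP ID=1 from the inside host, NATed to ID 21335 outside.
TRACE = """\
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=33 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=33 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=34 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=34 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=35 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=35 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=36 len=32
ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335
ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=36 len=32
ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1
"""

# An actual echo packet crossing the box (request or reply).
PKT_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<sif>\w+):(?P<src>[\d.]+) "
    r"to (?P<dif>\w+):(?P<dst>[\d.]+) ID=(?P<id>\d+) seq=(?P<seq>\d+)"
)
# The NAT bookkeeping line that tells us real/ID -> mapped/ID for the request.
XLATE_RE = re.compile(
    r"ICMP echo request translating inside:(?P<rip>[\d.]+)/(?P<rid>\d+) "
    r"to outside:(?P<mip>[\d.]+)/(?P<mid>\d+)"
)


class ToyStatefulFirewall:
    """Toy model (assumption, not ASA code) of the behaviour the answer describes:
    the ACL line is consulted once, when a flow is created; every later packet of
    that flow is matched against the connection table instead."""

    def __init__(self):
        self.xlate = {}           # (mapped_ip, mapped_id) -> (real_ip, real_id)
        self.conns = {}           # flow key -> packets seen on that flow
        self.hitcnt = 0           # ACL line hit counter: +1 per new flow, not per packet
        self.packets = Counter()  # echo requests / replies actually seen

    def feed(self, line):
        """Process one debug line; return a verdict string describing what happened."""
        x = XLATE_RE.search(line)
        if x:
            self.xlate[(x["mip"], x["mid"])] = (x["rip"], x["rid"])
            return "xlate"
        m = PKT_RE.search(line)
        if not m:
            return "ignored"          # e.g. the "untranslating" bookkeeping lines
        self.packets[m["kind"]] += 1
        if m["kind"] == "request":
            key = (m["src"], m["id"], m["dst"])   # inside host, its ICMP ID, outside host
        else:
            # The reply is logged with the mapped address/ID; undo NAT so it lands on
            # the same flow key as the request that elicited it.
            real = self.xlate.get((m["dst"], m["id"]))
            if real is None:
                return "no-xlate"     # cannot be tied to an inside host in this toy
            key = (real[0], real[1], m["src"])
        if key in self.conns:
            self.conns[key] += 1
            return "existing-flow"    # state-table match, ACL not consulted
        self.conns[key] = 1
        self.hitcnt += 1              # first packet of the flow: ACL evaluated, hitcnt++
        return "new-flow"


def replay(trace):
    """Feed a whole trace; return the firewall and the per-line verdicts."""
    fw = ToyStatefulFirewall()
    verdicts = [fw.feed(line) for line in trace.splitlines() if line.strip()]
    return fw, verdicts


if __name__ == "__main__":
    fw, verdicts = replay(TRACE)
    print("echo packets seen:", dict(fw.packets))   # 4 requests, 4 replies
    print("flows created:", len(fw.conns))          # 1
    print("ACL hitcnt:", fw.hitcnt)                 # 1, matching the 3 -> 4 in the post
    print("verdicts:", Counter(verdicts))
```

Appending a request with a different ICMP ID (say ID=2) to the trace creates a second flow and raises the toy hitcnt to 2, which is the other half of the point: the counter tracks connections, not packets, so a flat hitcnt during a burst of traffic is normal and a reason to look at the connection table rather than the ACL when auditing what actually passed.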
10-25-2012 07:16 PM
Hi Jennifer,
Thanks again for the prompt reply.
Regards
Mahesh