cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3908
Views
0
Helpful
2
Replies

Hit count in ASA

mahesh18
Level 6
Level 6

Hi everyone,

Need to confirm how hit count is incremented in ASA.

I am pinging IP from PC connected to ASA  .

PC has send 4 packets

Here is ASA info

ciscoasa#                                                         sh access-li$

access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list ICMP; 1 elements; name hash: 0x2d2cf426

access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=3) 0x0b307247

ciscoasa#  ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=33 len=32

ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335

ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=33 len=32

ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1

ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=34 len=32

ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335

ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=34 len=32

ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1

ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=35 len=32

ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335

ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=35 len=32

ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1

ICMP echo request from inside:192.168.1.6 to outside:4.2.2.2 ID=1 seq=36 len=32

ICMP echo request translating inside:192.168.1.6/1 to outside:192.168.11.2/21335

ICMP echo reply from outside:4.2.2.2 to inside:192.168.11.2 ID=21335 seq=36 len=32

ICMP echo reply untranslating outside:192.168.11.2/21335 to inside:192.168.1.6/1

ciscoasa#                                                         sh access-li$

access-list cached ACL log flows: total 1, denied 0 (deny-flow-max 4096)

            alert-interval 300

access-list ICMP; 1 elements; name hash: 0x2d2cf426

access-list ICMP line 1 extended permit icmp any any echo-reply log informational interval 300 (hitcnt=4) 0x0b307247

We can see that after the ping hit count has gone from 3 to 4.

So does  this mean that for every 4 packets sent by PC  Hit count increments with 1?

Thanks

Mahesh

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

Yes, that is correct.

Access-list on ASA only matches on the first connection, and the subsequent packets within the same connection will be allowed by default as it is part of the same connections. ASA is a stateful firewall so it has a state table to store the existing connections.

Hope that helps.

View solution in original post

2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

Yes, that is correct.

Access-list on ASA only matches on the first connection, and the subsequent packets within the same connection will be allowed by default as it is part of the same connections. ASA is a stateful firewall so it has a state table to store the existing connections.

Hope that helps.

Hi Jennifer,

Thanks again for prompt  reply

Regards

MAhesh

Review Cisco Networking for a $25 gift card