Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
646
Views
0
Helpful
6
Replies

Hit counts are not coming on pix 515E with 7.0.2 OS

ramachandra.p
Level 1
Level 1

‎04-24-2006 08:53 AM - edited ‎02-21-2020 12:51 AM

Hi,,

I am having pix 515E with 7.0.2 os. I configured policy based nat and applied on the nat (inside) 1 access-list (access-list name)with global (outside) 1 interface command.

The network diagram as follows.

L3 switch-->pix 515E--->router 1700

In L3 i am having follwing vlans 192.168.16.0,192.168.14.0,192.168.224.0 and 192.168.14.0. PIX inside ip address is 192.168.224.20 and pix outside is 203.x.x.x. In L3 i configured static route( destiantion ip address and next hop is pix inside ip address).

In PIX defult route towards router ethernet interface and route inside is also configured. For policy based nat traslation is happening through pat.

From LAn which is behind pix i can able to access the sites . Translation and in show connection output i can able to see the status it was established. But i cannot able to see the any hit counts on the access-list, which is configured as policy based nat

Please help me to resolve the issue.

Thanks in advance.

Regards,

Ram

0 Helpful
6 Replies 6

Fernando_Meza
Level 7
Level 7

‎04-24-2006 03:14 PM

Hi .. if you can't see hits then you have 2 reasons:

1.- Traffic is not matching your access-list OR

2.- you have another entry on the access-list which is alredy allowing that traffic. This entry is probably at the top before the one you are expecting to see hit counts.

Please post your configs to have a better idea of what is causing your issue ..

0 Helpful

ramachandra.p
Level 1
Level 1
In response to Fernando_Meza

‎04-24-2006 09:25 PM

Hi Fernando,

Thanks for your quick response.

I am sending you the config, Please help me to resolve the issue.

Regards,

RaM

Preview file
5 KB
0 Helpful

Fernando_Meza
Level 7
Level 7
In response to ramachandra.p

‎04-24-2006 11:36 PM

from your config you should be able to connect and see hits when you initiate a connection from any host on the subnets 192.168.14.0; 192.168.15.0;192.168.16.0 destined to 4 hosts only:

3 hosts 209.X.X.X and 1 63.X.X.X

How are you doing the testing ..?

0 Helpful

aashish.c
Level 4
Level 4

‎04-24-2006 11:50 PM

hi ram

this is aashish. this is bug in 7.0.2. here is the bug : CSCei20809

Symptom:

When an acl is attached to a nat or nat-exempt statement, the acl counters are not incrementing.

Conditions:

all

Workaround:

none.

hows work. hope this resolves ur isue.

regards

aashish C

0 Helpful

ramachandra.p
Level 1
Level 1
In response to aashish.c

‎04-25-2006 06:15 AM

Hi Aashish,

Thanks for your reply. Now i configured the access-list and i bound to the inside interface and

nat (inside)1 192.168.16.0 255.255.255.0

nat (inside)1 192.168.14.0 255.255.255.0

nat (inside)1 192.168.15.0 255.255.255.0

with global (outside) 1 interface. The above said hitcount problem is solved, but whenevr if i tried to traceroute the destination the packet will reach to vlan ip address that is 192.168.16.4 and it will drop afterwards. Please let me know to comeout of this problem. The network diagram is as follows.

L3switch with 4 vlans--->pix firewall---->1700 router

Regards,

Ram

0 Helpful

ramachandra.p
Level 1
Level 1
In response to ramachandra.p

‎04-25-2006 06:17 AM

Hi,

The packet will drop at 192.168.16.4 because i am tryin from 192.168.16.0 vlan. In the previous conversation i didn't mentioned that part.

Regards,

Ram

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card