I have VPN tunnel setup between my PIX and a client. I have an access-list applied to my outside port to filter incoming traffic:
access-list acl-in permit esp host 220.127.116.11 host 18.104.22.168
access-list acl-in permit udp host 22.214.171.124 host 126.96.36.199 eq isakmp
access-list acl-in permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240
the first 2 lines of the access-list define the tunnel enpoints, and the last line permits the tunnel user
When I enter command 'show access-list acl-in' i see incrementing hit-count on the last line, but no hits on the first 2. Why is this ?
I've even entered command 'clear crypto isakmp sa', but the line still registers no hits.
I can see the tunnel being formed and packets encrypte/devrypted by analysing the crypto ipsec sa.
Do I need the first 2 lines
Have you got the following command in the PIX config?
sysopt connection permit-ipsec
If yes, none of these lines are required in the access-list.
If not, all are required also.
No, 'sysopt connection permit-ipsec' isn't configured.
Hence I find it strange that no hit-count on first 2 lines in access-list.
the command "sysopt connection permit-ipsec" would only affect the remote subnet and local subnet traffic. regardless whether the command is enabled or disabled, pix will process the incoming vpn request, and that's why the inbound acl (first 2 lines) has never been hitted.
I would still expect to see hit-counts, as every packet must be filtered before the tunnel endpoints can form the tunnel.
The setup in use is PIX-to-PIX.
I have other setups PIX-to-Router, whereby the Router has a similar access-list filtering inbound traffic. Here though I do see hits to the ESP and ISAKMP statements.
Is this another Cisco 'funny'. I'm using v6.3(4) on the PIX.
I would recommend a nat statement in the access-list so that you do not have the PIX do natting on the traffic that you are allowing into your network.
access-list no nat permit esp host 188.8.131.52 host 184.108.40.206
access-list nonat permit udp host 220.127.116.11 host 18.104.22.168 eq isakmp
access-list nonat permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240