inbound access-list: no hit count

andrewgreaves
Level 1

I have VPN tunnel setup between my PIX and a client. I have an access-list applied to my outside port to filter incoming traffic:

access-list acl-in permit esp host 213.212.11.9 host 213.1.244.11

access-list acl-in permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp

access-list acl-in permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240

The first 2 lines of the access-list define the tunnel endpoints, and the last line permits the tunnel user traffic.

When I enter the command 'show access-list acl-in' I see an incrementing hit-count on the last line, but no hits on the first 2. Why is this?

I've even entered command 'clear crypto isakmp sa', but the line still registers no hits.

I can see the tunnel being formed and packets encrypted/decrypted by analysing the crypto ipsec sa.

regards

Do I need the first 2 lines?


shijogeorge
Level 1

Hi,

Have you got the following command in the PIX config?

sysopt connection permit-ipsec

If yes, none of these lines are required in the access-list.

If not, all are required also.

HTH

Regards,

Shijo George.

Hi,

No, 'sysopt connection permit-ipsec' isn't configured.

Hence I find it strange that no hit-count on first 2 lines in access-list.

regards

The command "sysopt connection permit-ipsec" would only affect the remote subnet and local subnet traffic. Regardless of whether the command is enabled or disabled, the PIX will process the incoming VPN request, and that's why the inbound ACL (first 2 lines) has never been hit.
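As an added example (not code from the thread), a small Python script that parses PIX 6.3 'show access-list' output and separates zero-hit entries that match ESP/ISAKMP addressed to the firewall's own interface (which, as the reply above explains, the PIX processes without consulting the inbound ACL) from entries that are simply unused and worth reviewing. The sample output is constructed to mirror the thread's ACL, with the hit counts made up; the firewall address 213.1.244.11 comes from the thread.

```python
import re

# Constructed sample of PIX 6.3 'show access-list acl-in' output, modelled on
# the thread's ACL; hitcnt values are made up, not captured from a real PIX.
SHOW_ACL = """\
access-list acl-in; 3 elements
access-list acl-in line 1 permit esp host 213.212.11.9 host 213.1.244.11 (hitcnt=0)
access-list acl-in line 2 permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp (hitcnt=0)
access-list acl-in line 3 permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240 (hitcnt=1532)
"""

# One ACE per line; the 'N elements' summary line deliberately does not match.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.*?) \(hitcnt=(?P<hits>\d+)\)$"
)


def parse_aces(text):
    """Return one dict per ACE found in 'show access-list' output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["line"] = int(ace["line"])
            ace["hits"] = int(ace["hits"])
            aces.append(ace)
    return aces


def is_tunnel_control(ace, firewall_ip):
    """ESP, or UDP isakmp, whose destination is the firewall's own address.
    The PIX terminates that traffic itself, so hitcnt=0 is the expected value."""
    rest = ace["rest"]
    if ace["proto"] == "esp":
        return rest.endswith(f"host {firewall_ip}")
    return ace["proto"] == "udp" and rest.endswith(f"host {firewall_ip} eq isakmp")


def classify(text, firewall_ip):
    """Map ACE line number -> 'active', 'expected-zero' or 'unused'."""
    verdicts = {}
    for ace in parse_aces(text):
        if ace["hits"] > 0:
            verdicts[ace["line"]] = "active"
        elif is_tunnel_control(ace, firewall_ip):
            verdicts[ace["line"]] = "expected-zero"
        else:
            verdicts[ace["line"]] = "unused"   # zero hits and not tunnel control: review it
    return verdicts


if __name__ == "__main__":
    for line, verdict in sorted(classify(SHOW_ACL, "213.1.244.11").items()):
        print(f"acl-in line {line}: {verdict}")
```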

Hi,

I would still expect to see hit-counts, as every packet must be filtered before the tunnel endpoints can form the tunnel.

The setup in use is PIX-to-PIX.

I have other setups PIX-to-Router, whereby the Router has a similar access-list filtering inbound traffic. Here though I do see hits to the ESP and ISAKMP statements.

Is this another Cisco 'funny'? I'm using v6.3(4) on the PIX.

Regards

flopez
Level 1

I would recommend a nat statement in the access-list so that you do not have the PIX do natting on the traffic that you are allowing into your network.

access-list nonat permit esp host 213.212.11.9 host 213.1.244.11

access-list nonat permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp

access-list nonat permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240

I do have a nonat access-list appropriately configured.

thanks
