inbound access-list: no hit count

I have a VPN tunnel set up between my PIX and a client. I have an access-list applied to my outside port to filter incoming traffic:

access-list acl-in permit esp host 213.212.11.9 host 213.1.244.11

access-list acl-in permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp

access-list acl-in permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240

The first 2 lines of the access-list define the tunnel endpoints, and the last line permits the tunnel user traffic.

When I enter the command 'show access-list acl-in' I see an incrementing hit-count on the last line, but no hits on the first 2. Why is this?

I've even entered command 'clear crypto isakmp sa', but the line still registers no hits.

I can see the tunnel being formed and packets encrypted/decrypted by analysing the crypto ipsec sa.

regards

Do I need the first 2 lines?

6 Replies

Hi,

Have you got the following command in the PIX config?

sysopt connection permit-ipsec

If yes, none of these lines are required in the access-list.

If not, all are required also.

HTH

Regards,

Shijo George.


Hi,

No, 'sysopt connection permit-ipsec' isn't configured.

Hence I find it strange that there is no hit-count on the first 2 lines in the access-list.

regards


The command "sysopt connection permit-ipsec" would only affect the remote subnet and local subnet traffic. Regardless of whether the command is enabled or disabled, the PIX will process the incoming VPN request, and that's why the inbound ACL (first 2 lines) has never been hit.
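
As an added example (not from this thread or from Cisco), the following Python audit of 'show access-list' output separates zero-hit ACEs whose destination is the PIX's own interface address (the case the reply above describes, where the PIX handles IKE/ESP itself) from through-traffic ACEs that are genuinely unused. It assumes the PIX 6.3 line shape 'access-list NAME line N <ace> (hitcnt=N)' and that the operator supplies the firewall's own addresses; the sample output is constructed from the thread's acl-in list plus one extra entry.

```python
import re

# Constructed sample output modelled on the thread's acl-in list; line 4 is an
# extra through-traffic ACE added to show a genuinely unused entry.
SAMPLE_OUTPUT = """\
access-list acl-in; 4 elements
access-list acl-in line 1 permit esp host 213.212.11.9 host 213.1.244.11 (hitcnt=0)
access-list acl-in line 2 permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp (hitcnt=0)
access-list acl-in line 3 permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240 (hitcnt=1482)
access-list acl-in line 4 permit tcp any host 10.55.1.5 eq www (hitcnt=0)
"""

# Assumed PIX 6.3 line shape: 'access-list NAME line N <ace> (hitcnt=N)'.
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)$"
)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1] + "/32", tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]

def parse_aces(text):
    """Return one dict per ACE: name, line, action, proto, src, dst, port, hits."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # summary line ('...; N elements') or unrelated output
        tokens = m.group("rest").split()
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)  # whatever remains is the port clause
        aces.append({"name": m.group("name"), "line": int(m.group("line")),
                     "action": m.group("action"), "proto": m.group("proto"),
                     "src": src, "dst": dst, "port": " ".join(tokens) or None,
                     "hits": int(m.group("hits"))})
    return aces

def classify_zero_hit(aces, own_addrs):
    """Split zero-hit ACEs into to_box (destination is the PIX itself, so zero
    hits is expected per the thread) and unused (through traffic never matched)."""
    to_box, unused = [], []
    for ace in aces:
        if ace["hits"] != 0:
            continue
        if ace["dst"].endswith("/32") and ace["dst"][:-3] in own_addrs:
            to_box.append(ace["line"])
        else:
            unused.append(ace["line"])
    return to_box, unused
```

Run it against the real output with your own outside interface address in own_addrs; only the entries reported as unused are candidates for cleanup.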


Hi,

I would still expect to see hit-counts, as every packet must be filtered before the tunnel endpoints can form the tunnel.

The setup in use is PIX-to-PIX.

I have other setups PIX-to-Router, whereby the Router has a similar access-list filtering inbound traffic. Here though I do see hits to the ESP and ISAKMP statements.

Is this another Cisco 'funny'? I'm using v6.3(4) on the PIX.

Regards


I would recommend a nat statement in the access-list so that you do not have the PIX do natting on the traffic that you are allowing into your network.

access-list nonat permit esp host 213.212.11.9 host 213.1.244.11

access-list nonat permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp

access-list nonat permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240


I do have a nonat access-list appropriately configured.

thanks
