09-08-2017 10:20 AM - last edited on 03-25-2019 04:45 PM by ciscomoderator
I have 2 ASAs that I set up, and I can't ping the LAN gateways (10.10.10.1 & 10.20.10.1) from either ASA. Both ASAs are directly connected, and I set up extended access lists/groups to permit any IP inbound on the inside and the outside interfaces. When I do a show access-list I see the hit counts accrue on the ASA that I am pinging to (pinging the LAN gateway of one ASA from the other ASA). The hit counts on the outside ACL grow by 5 every time I ping, but I'm not sure if that's because that ACL is blocking the pings or is simply seeing them. I assume hits on an ACL that is permitting ip any any simply show that traffic matching that allow rule is being seen by the ACL. In short, do hit counts on a given ACL specifically mean that the ACL is blocking the traffic specified by that ACL? Here is the config for both ASAs & the ACL hit.

access-list Primary_In line 1 extended permit ip any any (hitcnt=5)
Mario-Guitars-2#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname Mario-Guitars-2
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.0.0.5 255.255.255.248
!
object network net-local
subnet 10.10.10.0 255.255.255.0
object network net-remote
subnet 10.20.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 50.0.0.6 1
!
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
access-list Primary_In extended permit ip any any
!
!
access-group Primary_In in interface outside
access-group lan_in in interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.0.0.6
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr 3des
authentication pre-share
group 2
!
tunnel-group 50.0.0.6 type ipsec-l2l
tunnel-group 50.0.0.6 ipsec-attributes
ikev1 pre-shared-key g0disg00d
!
Mario-Guitars-2#
____________________________________________________________________________
ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.20.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.0.0.6 255.255.255.248
!
object network net-local
subnet 10.20.10.0 255.255.255.0
object network net-remote
subnet 10.10.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 50.0.0.5 1
!
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
access-list Primary_In extended permit ip any any
!
!
access-group Primary_In in interface outside
access-group lan_in in interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.0.0.5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr 3des
authentication pre-share
group 2
!
tunnel-group 50.0.0.5 type ipsec-l2l
tunnel-group 50.0.0.5 ipsec-attributes
ikev1 pre-shared-key g0disg00d
!
ciscoasa#
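As an added example that is not part of the original post (and not Cisco's own tooling): a small parser for "show access-list" output in the line format quoted above. It makes the distinction concrete: hitcnt counts packets that matched that ACE, and the ACE's own action (permit or deny) is what decides whether those packets were passed or dropped. The ASA 8.4 line format is assumed from the single line in the post, and the sample output (including the "example_in" ACL) is constructed for the demonstration.

```python
"""Interpret Cisco ASA 'show access-list' hit counters.

Assumption (not from the thread): ACE lines look like
  access-list NAME line N extended (permit|deny) <rule> (hitcnt=K) 0x<hash>
Header lines such as 'access-list NAME; 1 elements; name hash: 0x..' are skipped.
"""
import re
from collections import defaultdict

# One ACE line from 'show access-list'; the trailing 0x<hash> is ignored.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"extended\s+(?P<action>permit|deny)\s+(?P<rule>.+?)\s*"
    r"\(hitcnt=(?P<hits>\d+)\)"
)


def parse_show_access_list(text):
    """Return a list of ACE dicts (acl, line, action, rule, hits)."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # non-matching lines are ACL headers or blank lines
            aces.append({
                "acl": m.group("acl"),
                "line": int(m.group("line")),
                "action": m.group("action"),
                "rule": m.group("rule"),
                "hits": int(m.group("hits")),
            })
    return aces


def summarize(aces):
    """Per ACL: how many matched packets were permitted vs denied.

    The counter is attributed according to the ACE's action, because a hit
    on a permit ACE is a packet that was allowed, not one that was blocked.
    """
    summary = defaultdict(lambda: {"permitted": 0, "denied": 0})
    for a in aces:
        key = "permitted" if a["action"] == "permit" else "denied"
        summary[a["acl"]][key] += a["hits"]
    return dict(summary)


def explain(aces):
    """One human-readable verdict per ACE."""
    out = []
    for a in aces:
        verdict = "allowed" if a["action"] == "permit" else "dropped"
        out.append(
            f"{a['acl']} line {a['line']}: {a['hits']} packet(s) matched "
            f"'{a['action']} {a['rule']}' and were {verdict}"
        )
    return out


# Constructed sample output; only the Primary_In line mirrors the post.
SAMPLE = """\
access-list Primary_In; 1 elements; name hash: 0x1a2b3c4d
access-list Primary_In line 1 extended permit ip any any (hitcnt=5) 0xabcd1234
access-list example_in; 2 elements; name hash: 0x5e6f7a8b
access-list example_in line 1 extended deny icmp any any (hitcnt=3) 0x11112222
access-list example_in line 2 extended permit ip any any (hitcnt=0) 0x33334444
"""

if __name__ == "__main__":
    parsed = parse_show_access_list(SAMPLE)
    for line in explain(parsed):
        print(line)
    print(summarize(parsed))
```

Feed it the real output of "show access-list" from either ASA; a climbing counter on "permit ip any any" means those packets were accepted on that interface, so the reason for the failed ping has to be looked for elsewhere than that ACE.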