show access-list hitcounts ???

WildMan365
Level 1

I have 2 ASAs that I set up, and I can't ping the LAN gateways (10.10.10.1 & 10.20.10.1) from either ASA. Both ASAs are directly connected & I set up extended access lists/groups to permit any IP inbound for the inside and the outside interfaces. When I do a show access-list I see the hit counts accrue on the ASA that I am pinging to (pinging the LAN gateway of the ASA from the other ASA). The hit counts on the outside ACL grow by 5 every time I ping, but I'm not sure if that's because that ACL is blocking the pings or is simply seeing them. I assume hits on a hit count on an ACL that is permitting ip any any simply show that traffic matching that allow rule is being seen by the ACL. In short, do hit counts on a given ACL specifically mean that the ACL is blocking the traffic specified by that ACL? Here is the config for both ASAs & the ACL hit.

 

access-list Primary_In line 1 extended permit ip any any(hitcnt=5)

 

Mario-Guitars-2#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname Mario-Guitars-2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.0.0.5 255.255.255.248
!
object network net-local
 subnet 10.10.10.0 255.255.255.0
object network net-remote
 subnet 10.20.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 50.0.0.6 1
!
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
access-list Primary_In extended permit ip any any
!
!
access-group Primary_In in interface outside
access-group lan_in in interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.0.0.6
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr 3des
 authentication pre-share
 group 2
!
tunnel-group 50.0.0.6 type ipsec-l2l
tunnel-group 50.0.0.6 ipsec-attributes
 ikev1 pre-shared-key g0disg00d
!
Mario-Guitars-2#

 

____________________________________________________________________________

 

ciscoasa#sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.20.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.0.0.6 255.255.255.248
!
object network net-local
 subnet 10.20.10.0 255.255.255.0
object network net-remote
 subnet 10.10.10.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 50.0.0.5 1
!
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
access-list Primary_In extended permit ip any any
!
!
access-group Primary_In in interface outside
access-group lan_in in interface inside
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
!
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 50.0.0.5
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr 3des
 authentication pre-share
 group 2
!
tunnel-group 50.0.0.5 type ipsec-l2l
tunnel-group 50.0.0.5 ipsec-attributes
 ikev1 pre-shared-key g0disg00d
!
ciscoasa#

 

1 Reply

Francesco Molino
VIP Alumni
Hi

As your acl is permit IP any any, you see hitcounts when traffic passes through that rule. This means that, in your particular case, you'll see hitcounts when traffic is allowed.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
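To make the point in the answer concrete: the hitcnt counter on an ACE counts packets that matched that entry, whatever the entry's action is. Hits on a permit entry are traffic that was allowed by it; only hits on a deny entry are traffic blocked by the ACL. The following Python script is an added example, not part of the thread or of any Cisco tool: it parses the text of `show access-list`, labels each entry's hits as allowed or blocked, and diffs two snapshots taken before and after a test ping to show which entry the 5 new hits landed on. The sample output is constructed for the example (the `Demo_In` ACL and the trailing hash values are made up); only the `Primary_In` line comes from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One ACE line of ASA "show access-list" output, e.g.
#   access-list Primary_In line 1 extended permit ip any any (hitcnt=5) 0x1a2b3c4d
# Header lines ("access-list X; N elements; ...") do not match and are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<match>.+?)\s*\(hitcnt=(?P<hits>\d+)\)"
)


@dataclass(frozen=True)
class Ace:
    acl: str
    line: int
    action: str   # "permit" or "deny"
    match: str    # protocol/source/destination text of the entry
    hits: int     # value of hitcnt: packets that matched, regardless of action


def parse_show_access_list(text: str) -> List[Ace]:
    """Extract every ACE with its hit counter from show access-list output."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["action"],
                            m["match"], int(m["hits"])))
    return aces


def interpret(ace: Ace) -> str:
    """What the counter means: matched-and-allowed for permit, matched-and-blocked for deny."""
    if ace.hits == 0:
        return "no traffic matched"
    verb = "allowed" if ace.action == "permit" else "blocked"
    return f"{ace.hits} packet(s) matched and were {verb}"


def hit_deltas(before: List[Ace], after: List[Ace]) -> Dict[Tuple[str, int], int]:
    """Return {(acl, line): increase} for entries whose counter grew between two snapshots."""
    prev = {(a.acl, a.line): a.hits for a in before}
    deltas = {}
    for a in after:
        key = (a.acl, a.line)
        growth = a.hits - prev.get(key, 0)
        if growth > 0:
            deltas[key] = growth
    return deltas


def blocked_packets(aces: List[Ace]) -> int:
    """Total packets the ACLs actually dropped: hits on deny entries only."""
    return sum(a.hits for a in aces if a.action == "deny")


# Constructed snapshots: "before" and "after" one 5-packet ping test.
BEFORE = """\
access-list Primary_In; 1 elements; name hash: 0xabcdef01
access-list Primary_In line 1 extended permit ip any any (hitcnt=0) 0x11111111
access-list Demo_In; 2 elements; name hash: 0xabcdef02
access-list Demo_In line 1 extended deny tcp any any eq telnet (hitcnt=2) 0x22222222
access-list Demo_In line 2 extended permit ip any any (hitcnt=10) 0x33333333
"""

AFTER = """\
access-list Primary_In; 1 elements; name hash: 0xabcdef01
access-list Primary_In line 1 extended permit ip any any (hitcnt=5) 0x11111111
access-list Demo_In; 2 elements; name hash: 0xabcdef02
access-list Demo_In line 1 extended deny tcp any any eq telnet (hitcnt=2) 0x22222222
access-list Demo_In line 2 extended permit ip any any (hitcnt=10) 0x33333333
"""


def report(before_text: str, after_text: str) -> List[str]:
    """Human-readable summary: per-entry meaning plus which entries grew."""
    before, after = parse_show_access_list(before_text), parse_show_access_list(after_text)
    lines = [f"{a.acl} line {a.line} ({a.action} {a.match}): {interpret(a)}" for a in after]
    for (acl, line), growth in hit_deltas(before, after).items():
        lines.append(f"{acl} line {line} grew by {growth} during the test")
    lines.append(f"packets blocked by deny entries: {blocked_packets(after)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

Run against the two snapshots, the report attributes the 5 new hits to `Primary_In` line 1, a permit entry, so those packets were passed by the ACL; whether they reached their destination is decided by later stages (routing, NAT, the VPN policy), which this counter does not see.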