09-07-2011 06:09 AM
Hi Everyone, I have a question.
I have ASA1 and ASA2 connected over a private IP cloud and two hosts behind each of the ASAs.
The tunnel is up and I can ping from host1, which is behind ASA1, to host2, which is behind ASA2, over the VPN tunnel.
When I do show crypto ipsec sa on ASA2 I see
#pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
#pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
and they are increasing with every ping I send from host1 to host2. But when I do sh access-list cryptointeresting, which defines my crypto interesting traffic on ASA2, I don't see increasing hits with every ping I send from host1, which is behind ASA1.
The question is whether I am supposed to see cryptointeresting access-list hits increasing on ASA2 when I ping host2 (behind ASA2) from host1, which is behind ASA1 on the other end.
Thanks
09-07-2011 08:32 AM
Hi my friend.
When you ping from ASA1 to ASA2 you will not see hit counts on the ACL on ASA2. That happens because, for the hit count number to increase, the traffic must match the direction defined on the ACL.
Basically, when you ping from ASA1 to ASA2 the traffic doesn't match the direction of the crypto ACL on ASA2 (which is defined from ASA2 LAN to ASA1 LAN), therefore it doesn't count as a hit.
You do see packets decrypted and decapsulated because the traffic matched the conditions previously negotiated for the VPN tunnel; then the traffic gets encrypted and sent through the tunnel.
I hope this clarifies your questions.
BTW, sorry I didn't get back to you on your second NAT post; I see that Varun gave you a great answer.
Have fun!
Raga
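As an added illustration of the point made above (not part of the original thread), the script below compares two snapshots of the counters the poster is looking at: the #pkts encaps/decaps lines from show crypto ipsec sa and the hitcnt of the crypto ACL from show access-list. The sample output, addresses and ACL hash are constructed in the ASA output format; the ACL name cryptointeresting is the one from the question.

```python
import re

# Constructed sample output (not from the thread) in the format ASA prints for
# "show crypto ipsec sa" and "show access-list"; addresses and hash are made up.
SNAPSHOT_BEFORE = """\
#pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
#pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
access-list cryptointeresting line 1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=7) 0x1a2b3c4d
"""
# Ten more pings from the remote LAN: SA counters move, the ACL hitcnt does not.
SNAPSHOT_AFTER = """\
#pkts encaps: 461, #pkts encrypt: 461, #pkts digest: 461
#pkts decaps: 461, #pkts decrypt: 461, #pkts verify: 461
access-list cryptointeresting line 1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=7) 0x1a2b3c4d
"""

SA_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ACL_RE = re.compile(r"^access-list (\S+) line \d+ .*\(hitcnt=(\d+)\)", re.M)


def parse_snapshot(text, acl_name):
    """Sum encaps/decaps over all SAs and the hitcnt over the lines of one ACL."""
    counters = {"encaps": 0, "decaps": 0, "hitcnt": 0}
    for name, val in SA_RE.findall(text):
        counters[name] += int(val)
    for acl, hits in ACL_RE.findall(text):
        if acl == acl_name:
            counters["hitcnt"] += int(hits)
    return counters


def classify(before, after):
    """Interpret counter deltas between two snapshots taken on the same ASA."""
    delta = {k: after[k] - before[k] for k in ("encaps", "decaps", "hitcnt")}
    if delta["encaps"] == 0 and delta["decaps"] == 0:
        verdict = "no traffic crossed the tunnel"
    elif delta["hitcnt"] > 0:
        # Only traffic leaving this ASA's LAN matches the crypto ACL direction.
        verdict = "traffic initiated from this ASA's LAN (ACL direction matched)"
    else:
        # Decrypted packets and their replies never register as ACL hits here.
        verdict = "traffic initiated from the remote LAN (decrypted, no ACL hits)"
    return verdict, delta


if __name__ == "__main__":
    acl = "cryptointeresting"
    before = parse_snapshot(SNAPSHOT_BEFORE, acl)
    after = parse_snapshot(SNAPSHOT_AFTER, acl)
    print(classify(before, after))
```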
09-08-2011 07:30 PM
Thank you for this explanation.
Much appreciated.