L2L VPN Access-list crypto-interesting

elnurmirba
Level 1

Hi Everyone, I have a question.

I have ASA1 and ASA2 connected over a private IP cloud and two hosts behind each of the ASAs.

The tunnel is up and I can ping host2 (behind ASA2) from host1 (behind ASA1) over the VPN tunnel.

When I do show crypto ipsec sa on ASA2 I see

    #pkts encaps: 451, #pkts encrypt: 451, #pkts digest: 451
    #pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451

and they increase with every ping I send from host1 to host2. But when I do sh access-list cryptointeresting, which defines my crypto interesting traffic on ASA2, I don't see the hits increasing with every ping I send from host1, which is behind ASA1.

The question is whether I am supposed to see cryptointeresting access-list hits increasing on ASA2 when I ping host2 (behind ASA2) from host1, which is behind ASA1 on the other end.

Thanks

Accepted Solution

raga.fusionet
Level 4

Hi my friend.

When you ping from ASA1 to ASA2 you will not see hitcounts on the ACL from ASA2. That happens because for the hitcount number to increase the traffic must match the direction defined on the ACL.

Basically when you ping from ASA1 to ASA2 the traffic doesn't match the direction of the crypto ACL on ASA 2 (which is defined from ASA2 LAN to ASA1 LAN), therefore it doesn't count as a hit.

You do see packets decrypted and decapsulated because the traffic matched the conditions previously negotiated for the VPN Tunnel, then the traffic gets encrypted and sent through the tunnel.

I hope this clarifies your questions.

BTW sorry I didn't get back to you on your second NAT post, I see that Varun gave you a great answer.

Have fun!

Raga

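A small model of the behaviour described in the accepted answer, added here as an example and not taken from the thread or from Cisco: each ASA evaluates its crypto ACL only for traffic leaving its own LAN (the direction the ACL is written in), so a ping from host1 increments hitcnt on ASA1 and only the SA encaps/decaps counters on ASA2. All addresses, hosts and ACL lines are constructed; the ACL name mirrors the one in the thread.

```python
# Added example (not from the thread or Cisco): a model of why crypto ACL
# hitcnt moves only on the encrypting ASA. All addresses and ACL lines are
# constructed; the ACL name mirrors the one used in the thread.
from ipaddress import IPv4Address, IPv4Network

def parse_crypto_acl(config_text):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' lines
    into (src_network, dst_network) pairs; other lines are ignored."""
    entries = []
    for line in config_text.splitlines():
        p = line.split()
        if len(p) == 9 and p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            # ASA ACLs use dotted subnet masks, which ipaddress accepts directly
            entries.append((IPv4Network(f"{p[5]}/{p[6]}"), IPv4Network(f"{p[7]}/{p[8]}")))
    return entries

def outbound_hits(acl, src_ip, dst_ip):
    """True if a packet leaving the LAN matches the ACL as written (src -> dst).
    The encrypting ASA evaluates only this direction, so only it bumps hitcnt."""
    s, d = IPv4Address(src_ip), IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def is_mirrored(acl_a, acl_b):
    """Both peers' crypto ACLs must be exact mirror images of each other."""
    return {(dst, src) for src, dst in acl_a} == set(acl_b)

def simulate_ping(acl1, acl2, src_ip, dst_ip):
    """Model one echo request and return the counters each ASA would show:
    hitcnt and encaps on the encrypting side, decaps on the peer. The decrypted
    packet is in the reverse direction of the peer's ACL, so its hitcnt stays."""
    c = {"ASA1": {"hitcnt": 0, "encaps": 0, "decaps": 0},
         "ASA2": {"hitcnt": 0, "encaps": 0, "decaps": 0}}
    if outbound_hits(acl1, src_ip, dst_ip):
        sender, receiver = "ASA1", "ASA2"
    elif outbound_hits(acl2, src_ip, dst_ip):
        sender, receiver = "ASA2", "ASA1"
    else:
        return c  # not interesting traffic: nothing is encrypted
    c[sender]["hitcnt"] += 1
    c[sender]["encaps"] += 1
    c[receiver]["decaps"] += 1
    return c

# Constructed: ASA1 protects 192.168.1.0/24, ASA2 protects 192.168.2.0/24
ASA1_ACL = "access-list cryptointeresting extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"
ASA2_ACL = "access-list cryptointeresting extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"
if __name__ == "__main__":
    acl1, acl2 = parse_crypto_acl(ASA1_ACL), parse_crypto_acl(ASA2_ACL)
    print("mirrored:", is_mirrored(acl1, acl2))
    print("host1 -> host2:", simulate_ping(acl1, acl2, "192.168.1.10", "192.168.2.10"))
```

Running a ping in the other direction (host2 to host1) flips the result: hitcnt moves on ASA2 and stays put on ASA1, which is the check to run if you want to see ASA2's ACL counting.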


Thank you for this explanation.

Much appreciated.
