Troubleshooting IPSEC VPN ACLs

xayavongp
Level 1

I'm confused about the ACL for IPsec traffic. Phase 1 and Phase 2 are functioning properly [no errors].

I have separated the no-NAT ACL and the interesting-traffic ACL as recommended.

access-list outside_1_cryptomap

access-list inside_nat0_outbound

nat (inside) 0 access-list inside_nat0_outbound

crypto map outside_map 1 match address outside_1_cryptomap

I do a source ping to the other side (IP to IP), and the #pkts decaps and #pkts encaps counters increment as expected.

4 packets get decapsulated and 4 echo-replies get encapsulated [I do not get a full path back to the source].

So my question is: why is my access-list hitcnt= not incrementing? If the return traffic (echo-reply) makes it back to the crypto map to be encapsulated, then I'm assuming the echo-reply has been processed by the ACL and I should see the ACL hitcnt go up. I'm not seeing either one increment at all.

Am I interpreting this incorrectly?  

Thanks,

Pete

Accepted Solution

Jennifer Halim
Cisco Employee

The NAT 0 access list will not increment, as per the following:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533

(quoted from the above URL: "Note: Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.")

The crypto ACL will only increment on the first packet, when it tries to initiate the tunnel; any subsequent connection won't increment the hit count.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238243

(quoted from the above URL: "The access-list's hit counts only increase when the tunnel initiates. Once the tunnel is up, the hit counts do not increase on a per-packet flow.")

Hope that answers your questions.

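To act on the accepted answer in practice: once the tunnel is up, neither the NAT-exemption ACL nor the crypto ACL hit count moves, so the numbers that actually tell you whether traffic is flowing are the per-SA #pkts encaps / #pkts decaps counters in show crypto ipsec sa. The script below is an added example, not code from the original post or from Cisco. It takes two snapshots of that output (the sample text is constructed for this example, with RFC 5737 addresses, a placeholder hash and an assumed crypto map tag, seq number and ACL name) and classifies the SA by which direction's counter rose, which is the same reasoning the poster applied by hand. It also computes the ACL hitcnt delta only to show that it stays at zero, as the documentation says it will.

```python
"""Judge an ASA site-to-site tunnel from two 'show crypto ipsec sa' snapshots.

Once the tunnel is established, the crypto ACL and the NAT 0 ACL hit counts
do not move, so this script deliberately ignores them as evidence and uses
the SA encaps/decaps counters instead.
"""
import re

# Constructed sample output (not taken from the original post): one SA,
# snapshot taken before and after four pings from the remote side.
SA_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""
# After the pings every packet counter has moved by four.
SA_AFTER = SA_BEFORE.replace(": 10", ": 14")

# Constructed 'show access-list' output for the crypto ACL; the hitcnt of 1
# is the tunnel-initiation hit and does not change afterwards.
ACL_BEFORE = """\
access-list outside_1_cryptomap; 1 elements; name hash: 0x00000000
access-list outside_1_cryptomap line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=1) 0x00000000
"""
ACL_AFTER = ACL_BEFORE

# One match per SA: crypto map tag, seq number, then the encaps/decaps counts.
SA_RE = re.compile(
    r"Crypto map tag: (?P<tag>[^,]+), seq num: (?P<seq>\d+)"
    r".*?#pkts encaps: (?P<encaps>\d+)"
    r".*?#pkts decaps: (?P<decaps>\d+)",
    re.S,
)
# One match per ACE line; the summary line ('; N elements') has no 'line N' and is skipped.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) .*?\(hitcnt=(?P<hits>\d+)\)",
    re.M,
)

STATES = {
    "bidirectional": "this ASA both decapsulated and encapsulated traffic; if the "
                     "initiator still sees no replies, look beyond this box (far-side "
                     "decaps and routing), not at the local ACL hit counts",
    "receive-only": "decaps rose but nothing was encapsulated back: the replies are "
                    "not reaching the crypto map (NAT exemption missing, no route to "
                    "the remote subnet, or replies leaving via another interface)",
    "send-only": "encaps rose but nothing came back: check the peer's crypto ACL, "
                 "NAT exemption and routing",
    "idle": "no SA counter moved; a flat ACL hit count proves nothing either way",
}


def parse_sa_counters(text):
    """Return {(crypto_map_tag, seq): (encaps, decaps)} from 'show crypto ipsec sa'."""
    return {(m["tag"], int(m["seq"])): (int(m["encaps"]), int(m["decaps"]))
            for m in SA_RE.finditer(text)}


def parse_acl_hits(text):
    """Return {(acl_name, line): hitcnt} from 'show access-list <name>'."""
    return {(m["name"], int(m["line"])): int(m["hits"]) for m in ACL_RE.finditer(text)}


def diagnose(sa_before, sa_after):
    """Return {(tag, seq): (encaps_delta, decaps_delta, state)} per SA."""
    before, after = parse_sa_counters(sa_before), parse_sa_counters(sa_after)
    result = {}
    for key, (e0, d0) in before.items():
        e1, d1 = after.get(key, (e0, d0))
        d_enc, d_dec = e1 - e0, d1 - d0
        if d_enc and d_dec:
            state = "bidirectional"
        elif d_dec:
            state = "receive-only"
        elif d_enc:
            state = "send-only"
        else:
            state = "idle"
        result[key] = (d_enc, d_dec, state)
    return result


def hitcnt_moved(acl_before, acl_after):
    """Return {(acl, line): hitcnt delta}; expected to be 0 while the tunnel is up."""
    b, a = parse_acl_hits(acl_before), parse_acl_hits(acl_after)
    return {key: a.get(key, hits) - hits for key, hits in b.items()}


if __name__ == "__main__":
    for (tag, seq), (d_enc, d_dec, state) in diagnose(SA_BEFORE, SA_AFTER).items():
        print(f"{tag} seq {seq}: +{d_enc} encaps, +{d_dec} decaps -> {state}: {STATES[state]}")
    for (name, line), delta in hitcnt_moved(ACL_BEFORE, ACL_AFTER).items():
        print(f"ACL {name} line {line}: hitcnt +{delta} (expected 0 while the tunnel is up)")
```

For the poster's situation this reports "bidirectional" for the single SA and a hitcnt delta of 0, which is the documented behaviour, not a fault. When you need a per-flow answer on the ASA itself rather than counters, packet-tracer walks one packet through the ACL, NAT and crypto map stages, e.g. packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10 (addresses here are the example's assumed ones).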

2 Replies


Thank you.  I suspected it needed to be initiated from that end but wasn't quite sure.