11-13-2012 11:59 AM - edited 02-21-2020 06:28 PM
I'm confused about the ACL for ipsec traffic. Phase 1 and Phase 2 are functioning properly [no errors].
I have separated the no nat ACL and interested traffic as recommended.
access-list outside_1_cryptomap
access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
I do a source ping to the other side (IP to IP), and the #pkts decaps and #pkts encaps counters increment as expected.
4 packets get decapsulated and 4 echo-replies get encapsulated [I do not get a full path back to the source].
So my question is: why is my access-list hitcnt= not incrementing? If the return traffic (echo-reply) makes it back to the crypto map to be encapsulated, then I'm assuming the echo-reply has been processed by the ACL and I should see the ACL hitcnt go up. I'm not seeing either one increment at all.
Am I interpreting this incorrectly?
Thanks,
Pete
11-13-2012 10:15 PM
The NAT 0 access list will not increment, as per the following:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533
(quoted from the above URL: "Note: Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.")
The crypto ACL will only increment on the first packet, when it tries to initiate the tunnel; any subsequent connection won't increment the hitcount.
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2238243
(quoted from the above URL: "The access-list's hit counts only increase when the tunnel initiates. Once the tunnel is up, the hit counts do not increase on a per-packet flow.")
Hope that answers your questions.
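Since neither ACL's hitcnt can be used to confirm that traffic is being exempted from NAT and encrypted, the counters to watch are the ones on the IPsec SA itself. The following is an added example (not part of the original thread or of Cisco's documentation) showing the OP's two-ACL layout with assumed addresses (inside 192.168.1.0/24, remote 10.0.0.0/24, peer 203.0.113.2, all hypothetical) and the ASA 8.2 commands that do reflect per-packet activity:

```cisco
! --- Configuration (assumed example addresses; ACL and crypto map names taken from the post) ---
! NAT exemption ACL: matches, but its hitcnt never increments (per the referenced ASA 8.2 guide)
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Crypto ACL: hitcnt increments only on the packet that triggers tunnel setup
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
!
! --- Verification: use SA counters and packet-tracer instead of ACL hit counts ---
! 1. Zero the IPsec SA counters so a short test is easy to read
clear crypto ipsec sa counters
!
! 2. Generate test traffic (from the inside host or the remote side), then compare
!    #pkts encaps / #pkts decaps for the SA to this peer; both should move by the
!    number of probes sent, even though show access-list stays flat.
show crypto ipsec sa peer 203.0.113.2
show crypto isakmp sa
show access-list outside_1_cryptomap
show access-list inside_nat0_outbound
!
! 3. Simulate an inside-to-remote ICMP echo (type 8, code 0) through the box.
!    The output should include a NAT-EXEMPT phase (matching inside_nat0_outbound)
!    and a VPN/ENCRYPT phase (matching crypto map outside_map 1), with a final
!    action of allow. An implicit-rule drop or a missing VPN phase points at the
!    ACLs or crypto map, not at the counters.
packet-tracer input inside icmp 192.168.1.10 8 0 10.0.0.10 detailed
```

The practical rule this illustrates: on the ASA, `show access-list` answers "did the ACL match when the tunnel came up", while `show crypto ipsec sa` answers "is traffic flowing through the tunnel now"; the two questions need different commands.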
11-14-2012 07:03 AM
Thank you. I suspected it needed to be initiated from that end but wasn't quite sure.