05-28-2008 12:20 AM - edited 03-11-2019 05:50 AM
Hi Gurus,
It's so strange: I just noticed that the hits on my access-list are not incrementing. I'd appreciate it if someone could enlighten me on this. I'm not sure if this is a bug or if I made a mistake during my upgrade process.
Thanks,
Jong
05-28-2008 02:15 AM
Hi Jong,
Please paste your ACL with its ACEs in their respective order and let us check. You may have an ACE at the beginning that already permits/denies the traffic that is supposed to be permitted/denied by your specific ACE.
If none of them increments, either it is not applied to an interface with access-group "aclname" in interface "ifname", or your network statements are incomplete.
Regards
05-28-2008 08:30 PM
Here's my ACL. As you can see, there is already a hit count, but after the OS upgrade the hits seem not to be incrementing.
access-list vpn1; 9 elements
access-list vpn1 line 1 extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 3 extended permit ip 192.168.202.0 255.255.254.0 10.0.0.0 255.255.252.0 (hitcnt=3412) 0x907d7deb
access-list vpn1 line 4 extended permit ip 192.168.214.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=542) 0x65497b0a
access-list vpn1 line 5 extended permit ip 192.168.217.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=461) 0xc8b559b6
access-list vpn1 line 6 extended permit ip 192.168.208.0 255.255.252.0 10.0.0.0 255.255.252.0 (hitcnt=72) 0xf411b42d
access-list vpn1 line 7 extended permit ip host HT1-CovadNATIP 10.0.0.0 255.255.252.0 (hitcnt=193) 0x6bfe97fd
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 9 extended permit ip host Internet_NATIP_Brother 10.0.0.0 255.255.252.0 (hitcnt=28) 0x8f586982
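The two checks the replies above suggest (is the hit count actually stalled between two captures, and is the ACE shadowed by an earlier line that already covers its traffic) can be automated against `show access-list` output. The script below is an added example written for this thread, not code from the original posts or from Cisco: it parses the one-line-per-ACE format shown above, keys each ACE by the trailing ACE hash so reorderings do not confuse the comparison, and reports ACEs whose hitcnt did not advance plus ACEs fully covered by an earlier `ip` ACE in the same ACL. Named objects such as HT1-CovadNATIP are left unresolved because the `names` table is not on the page; port qualifiers are not parsed, so shadowing is only asserted when the earlier ACE is protocol `ip`. The two snapshots are constructed sample data modelled on the posted ACL: line 9 and its hash 0xdeadbeef are invented to show a shadowed entry.

```python
"""Find stalled and shadowed ACEs in Cisco ASA/PIX 'show access-list' output.

Added example for this thread (not from the original posts). Assumes the
standard one-line ACE format:
  access-list NAME line N extended permit|deny PROTO SRC DST (hitcnt=H) 0xHASH
"""
import ipaddress
import re

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\)(?: (?P<hash>0x[0-9a-fA-F]+))?\s*$"
)


def _endpoint(tokens, i):
    """Consume one address spec at tokens[i]; return (network or None, next index).

    'any' -> 0.0.0.0/0, 'host A' -> A/32, 'A MASK' -> network. A named object
    (e.g. HT1-CovadNATIP) cannot be resolved without the config, so it yields None.
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        try:
            return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
        except ValueError:
            return None, i + 2  # 'host <name>'
    try:
        return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2
    except (ValueError, IndexError):
        return None, i + 1


def parse_show_access_list(text):
    """Return one dict per ACE; header, remark and object-group lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m["rest"].split()
        src, i = _endpoint(tokens, 0)
        dst, _ = _endpoint(tokens, i)
        aces.append({"acl": m["acl"], "line": int(m["line"]), "action": m["action"],
                     "proto": m["proto"], "src": src, "dst": dst,
                     "hits": int(m["hits"]), "hash": m["hash"], "text": raw.strip()})
    return aces


def _key(ace):
    # The ACE hash survives line renumbering; fall back to the text minus the counter.
    return ace["hash"] or (ace["acl"], re.sub(r"\(hitcnt=\d+\)", "", ace["text"]))


def stalled_aces(before_text, after_text):
    """ACEs present in both snapshots whose hitcnt did not advance."""
    before = {_key(a): a for a in parse_show_access_list(before_text)}
    return [a for a in parse_show_access_list(after_text)
            if _key(a) in before and a["hits"] <= before[_key(a)]["hits"]]


def shadowed_aces(aces):
    """(ace, earlier) pairs where an earlier 'ip' ACE of the same ACL covers ace's
    src and dst, so ace can never be hit. ACEs with unresolved names are skipped."""
    out, per_acl = [], {}
    for ace in sorted(aces, key=lambda a: (a["acl"], a["line"])):
        earlier = per_acl.setdefault(ace["acl"], [])
        if ace["src"] is not None and ace["dst"] is not None:
            for e in earlier:
                if (e["proto"] == "ip" and e["src"] is not None and e["dst"] is not None
                        and ace["src"].subnet_of(e["src"]) and ace["dst"].subnet_of(e["dst"])):
                    out.append((ace, e))
                    break
        earlier.append(ace)
    return out


# Constructed snapshots modelled on the posted ACL; line 9 / 0xdeadbeef is invented.
BEFORE = """\
access-list vpn1; 6 elements
access-list vpn1 line 1 extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 6 extended permit ip 192.168.208.0 255.255.252.0 10.0.0.0 255.255.252.0 (hitcnt=72) 0xf411b42d
access-list vpn1 line 7 extended permit ip host HT1-CovadNATIP 10.0.0.0 255.255.252.0 (hitcnt=193) 0x6bfe97fd
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 9 extended permit ip 192.168.209.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=0) 0xdeadbeef
"""
AFTER = (BEFORE.replace("(hitcnt=1419)", "(hitcnt=1431)")
               .replace("(hitcnt=72)", "(hitcnt=75)"))

if __name__ == "__main__":
    for a in stalled_aces(BEFORE, AFTER):
        print(f"stalled: {a['acl']} line {a['line']} hitcnt={a['hits']} {a['hash']}")
    for a, e in shadowed_aces(parse_show_access_list(AFTER)):
        print(f"shadowed: line {a['line']} is covered by line {e['line']}")
```

Take the two snapshots a few minutes apart while the traffic you expect to match is flowing; an ACE that is stalled but not shadowed points at the path (interface binding, NAT, routing), which is where packet-tracer comes in.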
05-29-2008 02:03 AM
Jong,
I have to see your config to find out where this vpn1 ACL is used and what names like HT1-BlockbusterNATIP refer to.
Or, if you'd like to handle it on your own, you can use the packet-tracer command and see which NAT rules, ACLs and routes the packet traverses.
Regards
06-03-2008 10:06 PM
Hello,
Sorry for the late response. See my config in the attached file. Please have a check.
Thanks,
Jong
06-04-2008 01:43 AM
Jong,
Here is the ACE that doesn't increment:
access-list indiaencrypt line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
HT1-BlockBusterNATIP is the global entry of the NAT for 192.168.212.0. First of all, you have to make sure that a host in 192.168.212.0 is trying to reach the 10.0.0.0 network.
But here is an inconsistency. NAT statement 212 has HT1-BlockBusterNATIP on the internet interface, but no static route exists for 10.0.0.0/22, and if the firewall is learning a default route via OSPF from a neighbour which is not on the internet interface, that would prevent translation 212 from occurring. A route statement like the following may resolve the issue.
But first, please run the following command and save its output to a txt file:
packet-tracer input inside tcp 3389 192.168.212.5 5555 10.0.1.1 detailed
Now add the following route:
route internet 10.0.0.0 255.255.252.0 202.162.161.8
Then run the packet-tracer command again, and attach the file with both packet-tracer outputs for me to analyze.
Regards