PIX 722 access-list hits is not incrementing

jong_r0602
Level 1

Hi Guru's,

It is so strange because I just noticed that the hits on my access-list are not incrementing. I'd appreciate it if someone could enlighten me on this. I'm not sure if this is a bug or if I made a mistake during my upgrade process.

Thanks,

Jong

5 Replies

husycisco
Level 7

Hi Jong,

Please paste your ACL with its ACEs in their respective order and let us check. You may have an ACE at the beginning that already permits/denies the traffic that is supposed to be permitted/denied by your specific ACE.

If none of them increments, either it is not applied to an interface with access-group "aclname" in interface "ifname", or your network statements are incomplete.

Regards

Here's my ACL. As you can see, there is already a hit count, but after the OS upgrade the hits seem to not be incrementing.

access-list vpn1; 9 elements
access-list vpn1 line 1 extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 3 extended permit ip 192.168.202.0 255.255.254.0 10.0.0.0 255.255.252.0 (hitcnt=3412) 0x907d7deb
access-list vpn1 line 4 extended permit ip 192.168.214.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=542) 0x65497b0a
access-list vpn1 line 5 extended permit ip 192.168.217.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=461) 0xc8b559b6
access-list vpn1 line 6 extended permit ip 192.168.208.0 255.255.252.0 10.0.0.0 255.255.252.0 (hitcnt=72) 0xf411b42d
access-list vpn1 line 7 extended permit ip host HT1-CovadNATIP 10.0.0.0 255.255.252.0 (hitcnt=193) 0x6bfe97fd
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 9 extended permit ip host Internet_NATIP_Brother 10.0.0.0 255.255.252.0 (hitcnt=28) 0x8f586982
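An added diagnostic, not from this thread, that parses `show access-list` output in the form posted above, compares two snapshots to list the ACEs whose hitcnt has not moved, and flags ACEs that an earlier ACE fully covers (the first cause suggested in the reply above). The sample output and its values are constructed, and ACEs that use object names are skipped rather than resolved.

```python
import re
import ipaddress

# Constructed sample in the `show access-list` format posted above; its entries, hit counts and hashes are made up.
BEFORE = """\
access-list vpn1 line 1 extended permit ip 192.168.208.0 255.255.252.0 10.0.0.0 255.255.252.0 (hitcnt=72) 0xf411b42d
access-list vpn1 line 2 extended permit ip 192.168.210.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=0) 0x11111111
access-list vpn1 line 3 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
"""
AFTER = BEFORE.replace("hitcnt=72", "hitcnt=80")  # later snapshot: only line 1 moved

ACE_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-f]+)")

def parse_aces(text):
    """Map each ACE's hash to its parsed fields, in line order."""
    aces = {}
    for m in filter(None, map(ACE_RE.search, text.splitlines())):
        ace = m.groupdict()
        ace["line"], ace["hits"] = int(ace["line"]), int(ace["hits"])
        aces[ace["hash"]] = ace
    return aces

def to_network(spec):
    """'A.B.C.D MASK', 'any' or 'host X' -> IPv4Network; None for a named object."""
    cidr = {"any": "0.0.0.0/0"}.get(spec) or spec.replace("host ", "", 1).replace(" ", "/")
    try:
        return ipaddress.ip_network(cidr if "/" in cidr else cidr + "/32", strict=False)
    except ValueError:
        return None  # e.g. HT1-BlockBusterNATIP: an object name, not resolvable offline

def stale_aces(before, after):
    """Line numbers of ACEs whose hitcnt did not move between two snapshots."""
    return [a["line"] for h, a in after.items()
            if h in before and before[h]["hits"] == a["hits"]]

def shadowed_aces(aces):
    """Lines fully covered by an earlier ACE (same protocol or 'ip'), so never hit."""
    shadowed, seen = [], []
    for ace in sorted(aces.values(), key=lambda a: a["line"]):
        src, dst = to_network(ace["src"]), to_network(ace["dst"])
        if src is None or dst is None:
            continue  # skip named objects rather than guess their address
        if any(p in (ace["proto"], "ip") and src.subnet_of(ps) and dst.subnet_of(pd)
               for p, ps, pd in seen):
            shadowed.append(ace["line"])
        seen.append((ace["proto"], src, dst))
    return shadowed
```

Run `stale_aces` on two captures taken a few minutes apart to separate ACEs that genuinely see no traffic from a counter that has stopped moving, and `shadowed_aces` to catch ordering mistakes before blaming the upgrade.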

Jong,

I have to see your config to find out where this vpn1 ACL is used and what names like HT1-BlockBusterNATIP refer to.

Or if you would like to handle it on your own, you can use the packet-tracer command and see which NAT rules, ACLs and routes the packet travels through.

Regards

Hello,

Sorry for the late response. See my config in the attached file. Please have a check.

Thanks,

Jong

Jong,

Here is the ACE that doesn't increment:

access-list indiaencrypt line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac

HT1-BlockBusterNATIP is the global entry of the NAT for 192.168.212.0. First of all, you have to make sure that a host in 192.168.212.0 is trying to reach the 10.0.0.0 network.

But here is an inconsistency. NAT statement 212 has HT1-BlockBusterNATIP on the internet interface, but no static route exists for 10.0.0.0/22, and if the firewall is learning a default route via OSPF from a neighbour that is not on the internet interface, that would prevent the 212 translation from occurring. A route statement like the following may resolve the issue.

But first, please run the following command and save its output to a txt file:

packet-tracer input inside tcp 3389 192.168.212.5 5555 10.0.1.1 detailed

Now add the following route:

route internet 10.0.0.0 255.255.252.0 202.162.161.8

Then again run the packet tracer command. Then attach the file that has packet-tracer outputs for me to analyze.

Regards
