L2L VPN Interesting traffic access-list

victor_87 · ‎02-01-2009

i have set up a test Site to Site VPN between two locations through CISCO ASA.

I am using an extended access-list to specify the intersting traffic.

Say the access-list is

permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.255.0

The tunnel works well when i try to reach the 192.168.0.0 network but, what i have observed is there is no "hit" seen on this particular access-list.

The tunnel definitely is working based on this access-list but, i don't see the HITCOUNT field of the access-list updated.

Could someone through some light on this?

eddie.mitchell · ‎02-06-2009

When you are viewing the access-list are you doing so via a 'show run/show conf' or are you doing a 'show access-list '?

victor_87 · ‎02-06-2009

Oh yeah definitely using sh access-lists. Im not a rookie.

When i set a VPN on a PIX 6.3 i do get the hits, but i am getting no hits on the ASA.

eddie.mitchell · ‎02-07-2009

What software version are you running? I've got an ASA running 7.2(2) and I'm getting the hitcounts on my crypto ACL's.

victor_87 · ‎02-08-2009

I am definitely getting hits on my PIX 6.3 but nothing shows up on my ASA 7.2. I am getting a few hits on the crypto ACL when the tunnel is still in the formation stage. Nothing changes after the tunnel has fully formed.