PIX 722 access-list hits is not incrementing

Hi Guru's,

It's so strange because I just noticed that the hits on my access-list are not incrementing. I'd appreciate it if someone could enlighten me on this. I'm not sure if this is a bug or if I made a mistake during my upgrade process.

Thanks,

Jong

5 REPLIES

Re: PIX 722 access-list hits is not incrementing

Hi Jong,

Please paste your ACL with its ACEs in their respective order and let us check. You may have an ACE at the beginning that already permits/denies the traffic that is supposed to be permitted/denied by your specific ACE.

If none of them increments, either the ACL is not applied to an interface with access-group "aclname" in interface "ifname", or your network statements are incomplete.

Regards

Re: PIX 722 access-list hits is not incrementing

Here's my ACL. As you can see, there is already a hit count, but after the OS upgrade the hits seem not to be incrementing.

access-list vpn1; 9 elements
access-list vpn1 line 1 extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 3 extended permit ip 192.168.202.0 255.255.254.0 10.0.0.0 255.255.252.0 (hitcnt=3412) 0x907d7deb
access-list vpn1 line 4 extended permit ip 192.168.214.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=542) 0x65497b0a
access-list vpn1 line 5 extended permit ip 192.168.217.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=461) 0xc8b559b6
access-list vpn1 line 6 extended permit ip 192.168.208.0 255.255.252.0 10.0.0.0 255.255.252.0 (hitcnt=72) 0xf411b42d
access-list vpn1 line 7 extended permit ip host HT1-CovadNATIP 10.0.0.0 255.255.252.0 (hitcnt=193) 0x6bfe97fd
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
access-list vpn1 line 9 extended permit ip host Internet_NATIP_Brother 10.0.0.0 255.255.252.0 (hitcnt=28) 0x8f586982

Re: PIX 722 access-list hits is not incrementing

Jong,

I have to see your config to find out where this vpn1 ACL is used and what names like HT1-BlockbusterNATIP refer to.

Or, if you would like to handle it on your own, you can use the packet-tracer command and see which NAT rules, ACLs and routes the packet travels through.

Regards

Re: PIX 722 access-list hits is not incrementing

Hello,

Sorry for the late response. See my config in the attached file. Please have a check.

Thanks,

Jong

Re: PIX 722 access-list hits is not incrementing

Jong,

Here is the ACE that doesn't increment:

access-list indiaencrypt line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac

HT1-BlockBusterNATIP is the global entry of the NAT for 192.168.212.0. First of all, you have to make sure that a host in 192.168.212.0 is actually trying to reach the 10.0.0.0 network.

But here is an inconsistency. NAT statement 212 has HT1-BlockBusterNATIP on the internet interface, but no static route exists for 10.0.0.0/22, and if the firewall is learning a default route via OSPF from a neighbour which is not on the internet interface, that would prevent the 212 translation from occurring. A route statement like the following may resolve the issue.

But first, please run the following command and save its output to a txt file:

packet-tracer input inside tcp 3389 192.168.212.5 5555 10.0.1.1 detailed

Now add the following route:

route internet 10.0.0.0 255.255.252.0 202.162.161.8

Then run the packet-tracer command again, and attach the file that has both packet-tracer outputs for me to analyze.

Regards
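The thread boils down to comparing ACE hit counters over time to find entries that never match. The following is an added example, not code from the thread or from Cisco: it parses two constructed "show access-list" snapshots in the format quoted above, keys each ACE by its ACL name and trailing ACE hash (the hash stays stable across reloads, unlike the line number), and reports the ACEs whose hitcnt did not move between the two captures.

```python
import re

# Constructed sample snapshots in the "show access-list" format quoted in the thread.
SNAPSHOT_BEFORE = """\
access-list vpn1; 3 elements
access-list vpn1 line 1 extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=1419) 0xfbacb239
access-list vpn1 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
"""
SNAPSHOT_AFTER = """\
access-list vpn1; 3 elements
access-list vpn1 line 1 extended permit ip 192.168.200.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=1430) 0xfbacb239
access-list vpn1 line 2 extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.252.0 (hitcnt=18712) 0x6f76ac86
access-list vpn1 line 8 extended permit ip host HT1-BlockBusterNATIP 10.0.0.0 255.255.252.0 (hitcnt=0) 0xc45d7dac
"""

# One ACE line: ACL name, line number, ACE text, hit counter, optional ACE hash.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\)(?: (?P<hash>0x[0-9a-f]+))?\s*$"
)

def parse_hitcounts(text):
    """Map (acl, ace-hash) -> (line, body, hits); header lines like 'access-list vpn1; 3 elements' are skipped."""
    aces = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["acl"], m["hash"] or m["body"])  # fall back to ACE text if no hash is printed
        aces[key] = (int(m["line"]), m["body"], int(m["hits"]))
    return aces

def stale_aces(before_text, after_text):
    """Return (acl, line, body, hits) for every ACE whose counter did not change, in ACL order."""
    before = parse_hitcounts(before_text)
    after = parse_hitcounts(after_text)
    stale = []
    for key, (line, body, hits_after) in after.items():
        # An ACE absent from the first snapshot is treated as unchanged (delta 0).
        hits_before = before.get(key, (line, body, hits_after))[2]
        if hits_after == hits_before:
            stale.append((key[0], line, body, hits_after))
    return sorted(stale)

if __name__ == "__main__":
    for acl, line, body, hits in stale_aces(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{acl} line {line}: no new hits (hitcnt={hits}) -> {body}")
```

A stale ACE is only a lead: as the replies note, it may be shadowed by an earlier ACE, not applied with access-group, or unreachable because of NAT or routing, which is what packet-tracer then tells apart.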
