10-21-2005 05:44 AM - edited 02-20-2020 09:28 PM
I have VPN tunnel setup between my PIX and a client. I have an access-list applied to my outside port to filter incoming traffic:
access-list acl-in permit esp host 213.212.11.9 host 213.1.244.11
access-list acl-in permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp
access-list acl-in permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240
The first 2 lines of the access-list define the tunnel endpoints, and the last line permits the tunnel user traffic.
When I enter the command 'show access-list acl-in' I see an incrementing hit-count on the last line, but no hits on the first 2. Why is this?
I've even entered command 'clear crypto isakmp sa', but the line still registers no hits.
I can see the tunnel being formed and packets encrypted/decrypted by analysing the crypto ipsec sa.
regards
Do I need the first 2 lines?
10-21-2005 05:56 AM
Hi,
Have you got the following command in the PIX config?
sysopt connection permit-ipsec
If yes, none of these lines are required in the access-list.
If not, all are required also.
HTH
Regards,
Shijo George.
10-21-2005 08:17 AM
Hi,
No, 'sysopt connection permit-ipsec' isn't configured.
Hence I find it strange that there is no hit-count on the first 2 lines in the access-list.
regards
10-22-2005 01:33 AM
The command "sysopt connection permit-ipsec" would only affect the remote subnet and local subnet traffic. Regardless of whether the command is enabled or disabled, the PIX will process the incoming VPN request, and that's why the inbound ACL (first 2 lines) has never been hit.
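An added example, not from any poster in this thread, that checks the situation described above from the two outputs being compared: it parses constructed 'show access-list' and 'show crypto ipsec sa' output (the line formats are assumed from PIX 6.3 and may differ on other releases), treats zero hits on the ESP/ISAKMP endpoint entries as normal because the PIX processes that traffic itself, and flags a LAN-to-LAN entry that has no hits while the SA is decapsulating packets.

```python
import re

# Constructed sample output modelled on the ACL in this thread and on the
# PIX 6.3 "show access-list" and "show crypto ipsec sa" formats (assumption).
SHOW_ACCESS_LIST = """\
access-list acl-in permit esp host 213.212.11.9 host 213.1.244.11 (hitcnt=0)
access-list acl-in permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp (hitcnt=0)
access-list acl-in permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240 (hitcnt=4821)
"""
SHOW_CRYPTO_IPSEC_SA = """\
   local  ident (addr/mask/prot/port): (10.55.1.0/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (10.20.1.0/255.255.255.240/0/0)
    #pkts encaps: 2410, #pkts encrypt: 2410, #pkts digest 2410
    #pkts decaps: 2411, #pkts decrypt: 2411, #pkts verify 2411
"""

ACE_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*?) \(hitcnt=(\d+)\)$")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_hitcounts(text):
    """Yield (proto, rest-of-ACE, hitcnt) for every ACE line carrying a hit counter."""
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            _name, _action, proto, rest, hits = m.groups()
            yield proto, rest, int(hits)

def parse_sa_counters(text):
    """Return {'encaps': n, 'decaps': n} from 'show crypto ipsec sa' output."""
    return {k: int(v) for k, v in PKTS_RE.findall(text)}

def is_endpoint_ace(proto, rest):
    """ACEs for the tunnel endpoints themselves: ESP, or UDP to the ISAKMP port."""
    return proto == "esp" or (proto == "udp" and rest.endswith("eq isakmp"))

def assess(acl_text, sa_text):
    """Decide from the SA counters whether the tunnel passes traffic, then classify
    each ACE: endpoint ACEs are expected to stay at 0 on PIX 6.3 (the PIX handles
    IKE/ESP addressed to itself), the LAN-to-LAN ACE must show hits once decaps > 0."""
    sa = parse_sa_counters(sa_text)
    tunnel_up = sa.get("encaps", 0) > 0 and sa.get("decaps", 0) > 0
    report = {}
    for proto, rest, hits in parse_hitcounts(acl_text):
        if is_endpoint_ace(proto, rest):
            report[rest] = "ok: endpoint ACE, zero hits are normal here"
        elif tunnel_up and hits == 0:
            report[rest] = "check: SA is passing packets but this ACE has no hits"
        else:
            report[rest] = f"ok: {hits} hits"
    return tunnel_up, report
```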
10-24-2005 12:42 AM
Hi,
I would still expect to see hit-counts, as every packet must be filtered before the tunnel endpoints can form the tunnel.
The setup in use is PIX-to-PIX.
I have other setups PIX-to-Router, whereby the Router has a similar access-list filtering inbound traffic. Here though I do see hits to the ESP and ISAKMP statements.
Is this another Cisco 'funny'? I'm using v6.3(4) on the PIX.
Regards
10-26-2005 01:33 PM
I would recommend a nat statement in the access-list so that you do not have the PIX do natting on the traffic that you are allowing into your network.
access-list nonat permit esp host 213.212.11.9 host 213.1.244.11
access-list nonat permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp
access-list nonat permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240
10-27-2005 12:11 AM
I do have a nonat access-list appropriately configured.
thanks