
New Member

inbound access-list: no hit count

I have a VPN tunnel set up between my PIX and a client. I have an access-list applied to my outside port to filter incoming traffic:

access-list acl-in permit esp host 213.212.11.9 host 213.1.244.11

access-list acl-in permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp

access-list acl-in permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240

The first 2 lines of the access-list define the tunnel endpoints, and the last line permits the tunnel user traffic.

When I enter the command 'show access-list acl-in' I see an incrementing hit-count on the last line, but no hits on the first 2. Why is this?

I've even entered command 'clear crypto isakmp sa', but the line still registers no hits.

I can see the tunnel being formed and packets encrypted/decrypted by analysing the crypto ipsec sa.

regards

Do I need the first 2 lines?

6 REPLIES
Bronze

Re: inbound access-list: no hit count

Hi,

Have you got the following command in the PIX config?

sysopt connection permit-ipsec

If yes, none of these lines are required in the access-list.

If not, all are required also.

HTH

Regards,

Shijo George.

New Member

Re: inbound access-list: no hit count

Hi,

No, 'sysopt connection permit-ipsec' isn't configured.

Hence I find it strange that there is no hit-count on the first 2 lines in the access-list.

regards

Gold

Re: inbound access-list: no hit count

The command "sysopt connection permit-ipsec" would only affect the remote subnet and local subnet traffic. Regardless of whether the command is enabled or disabled, the PIX will process the incoming VPN request, and that's why the inbound ACL (first 2 lines) has never been hit.
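To make that distinction visible when reviewing a PIX, here is a small audit script (added here, not posted by anyone in this thread and not Cisco code). It parses `show access-list` output in the PIX 6.x `(hitcnt=N)` style, treats ESP and ISAKMP entries whose destination is the firewall's own address as to-the-box IPsec that the PIX terminates before the interface ACL is consulted (the explanation given above), and flags any other zero-hit entry as worth a second look. The sample output and the assumption that 213.1.244.11 is the PIX's own outside address are constructed for the example.

```python
import re

# Constructed sample in the PIX 6.x `show access-list` style (each ACE ends
# with a "(hitcnt=N)" counter). The counts are made up to mirror the thread:
# the ESP and ISAKMP entries stay at zero while the subnet entry climbs.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list acl-in; 3 elements
access-list acl-in line 1 permit esp host 213.212.11.9 host 213.1.244.11 (hitcnt=0)
access-list acl-in line 2 permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp (hitcnt=0)
access-list acl-in line 3 permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240 (hitcnt=1342)
"""

# Assumption: 213.1.244.11 is the PIX's own outside interface address, i.e. the
# local tunnel endpoint. Anything addressed to it is "to-the-box" traffic.
FIREWALL_OWN_ADDRESSES = {"213.1.244.11"}

IN_USE = "in use"
EXPECTED_ZERO = "to-the-box IKE/ESP: PIX terminates it before the interface ACL, zero hits expected"
UNUSED = "zero hits on through-the-box traffic: check whether the entry is still needed"

# Accepts the optional "line N" and "extended" keywords seen on later PIX/ASA output.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?(?:\s+extended)?\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)


def _take_address(tokens):
    """Consume one PIX address spec: 'host A', 'any', or 'NETWORK MASK'."""
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    if tokens[0] == "any":
        return "any", tokens[1:]
    return f"{tokens[0]}/{tokens[1]}", tokens[2:]


def parse_ace(line):
    """Return a dict for one ACE line, or None for headers and other lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    src, tokens = _take_address(tokens)
    dst, tokens = _take_address(tokens)
    port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else None
    return {
        "name": m.group("name"),
        "action": m.group("action"),
        "proto": m.group("proto"),
        "src": src,
        "dst": dst,
        "port": port,
        "hits": int(m.group("hits")),
    }


def is_to_the_box_ipsec(ace, own_addresses):
    """True for ESP or ISAKMP (udp/isakmp) destined to the firewall itself."""
    if ace["dst"] not in own_addresses:
        return False
    return ace["proto"] == "esp" or (
        ace["proto"] == "udp" and ace["port"] in ("isakmp", "500")
    )


def audit_acl(show_output, own_addresses):
    """Attach a verdict to every ACE found in the `show access-list` text."""
    report = []
    for line in show_output.splitlines():
        ace = parse_ace(line)
        if ace is None:
            continue
        if ace["hits"] > 0:
            ace["verdict"] = IN_USE
        elif is_to_the_box_ipsec(ace, own_addresses):
            ace["verdict"] = EXPECTED_ZERO
        else:
            ace["verdict"] = UNUSED
        report.append(ace)
    return report


if __name__ == "__main__":
    for ace in audit_acl(SAMPLE_SHOW_ACCESS_LIST, FIREWALL_OWN_ADDRESSES):
        print(f"{ace['name']} {ace['proto']:<4} {ace['src']} -> {ace['dst']} "
              f"hits={ace['hits']:<5} {ace['verdict']}")
```

Run it against a pasted `show access-list` instead of the sample and the two endpoint entries come back as expected zeros, while a genuinely stale permit (zero hits, destination behind the firewall) is the one worth cleaning up.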

New Member

Re: inbound access-list: no hit count

Hi,

I would still expect to see hit-counts, as every packet must be filtered before the tunnel endpoints can form the tunnel.

The setup in use is PIX-to-PIX.

I have other setups PIX-to-Router, whereby the Router has a similar access-list filtering inbound traffic. Here though I do see hits to the ESP and ISAKMP statements.

Is this another Cisco 'funny'? I'm using v6.3(4) on the PIX.

Regards

New Member

Re: inbound access-list: no hit count

I would recommend a nat statement in the access-list so that you do not have the PIX do natting on the traffic that you are allowing into your network.

access-list nonat permit esp host 213.212.11.9 host 213.1.244.11

access-list nonat permit udp host 213.212.11.9 host 213.1.244.11 eq isakmp

access-list nonat permit ip 10.20.1.0 255.255.255.240 10.55.1.0 255.255.255.240

New Member

Re: inbound access-list: no hit count

I do have a nonat access-list appropriately configured.

thanks
