Two ACLs' hit counts getting summed and logged against only one
The router is a 3620 IOS 12.0(24), with an ethernet and a serial interface. Each interface has a pair of inbound and outbound ACLs, which are exact reciprocals of each other. A single test packet that matches any entry (either permit or deny) should generate a single hit on the outbound ACL and a single hit on the inbound ACL. What actually happens is that the inbound ACL gets 2 hits on the matching item, and the outbound ACL's item gets none.
Re: Two ACLs' hit counts getting summed and logged against only
Thanks for your reply, however I don't think that is the problem I am having. Maybe an example might help to explain things. The following is a simplistic, and possibly syntactically incorrect, example which should help to illustrate my problem.
- two networks 10.1.0.0/24 and 10.1.1.0/24
- two hosts, one on each network (x.x.x.100)
- a dual ethernet router between the networks
- short form of router config:
    ip address 10.1.0.1 255.255.255.0
    ip access-group inboundfilter in
    ip access-group outboundfilter out

    ip address 10.1.1.1 255.255.255.0

    ip access-list extended inboundfilter
     permit icmp host 10.1.0.100 host 10.1.1.100
    ip access-list extended outboundfilter
     permit icmp host 10.1.1.100 host 10.1.0.100
- Now the 10.1.0.100 host sends 1 ping to the 10.1.1.100 host who replies
In my real world situation, the setup is a little more complicated. The router actually NATs the source address of traffic at both interfaces, and there are inbound and outbound ACLs on both the interfaces. I don't think that the second set of ACLs (which match the first set) are causing the problem, but I cannot rule out the NATing causing this effect.
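To compare counters against what the example topology should produce, the following is an added example, not part of the original posts and not Cisco code. It models the ping and reply from the example above, works out which ACL entry each packet should hit, and diffs that against parsed `show access-lists` text. It assumes both ACLs are bound to the 10.1.0.1 interface, and the router output in it is constructed to mirror the symptom described in the first post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed model of the post's example; both ACLs assumed bound to the 10.1.0.1 interface.
ACLS = {
    "inboundfilter": [("icmp", "10.1.0.100", "10.1.1.100")],
    "outboundfilter": [("icmp", "10.1.1.100", "10.1.0.100")],
}
FILTERED_NET = ip_network("10.1.0.0/24")
BOUND = {"in": "inboundfilter", "out": "outboundfilter"}

# Constructed `show access-lists` text shaped like the reported symptom (not real router output).
SHOW_OUTPUT = """\
Extended IP access list inboundfilter
    permit icmp host 10.1.0.100 host 10.1.1.100 (2 matches)
Extended IP access list outboundfilter
    permit icmp host 10.1.1.100 host 10.1.0.100
"""

def expected_hits(packets):
    """One hit per packet, on the first matching entry of the ACL it crosses."""
    hits = {(n, i): 0 for n, es in ACLS.items() for i in range(len(es))}
    for proto, src, dst in packets:
        if ip_address(src) in FILTERED_NET:
            acl = BOUND["in"]       # arrives on the filtered interface
        elif ip_address(dst) in FILTERED_NET:
            acl = BOUND["out"]      # leaves through the filtered interface
        else:
            continue
        for i, entry in enumerate(ACLS[acl]):
            if entry == (proto, src, dst):
                hits[(acl, i)] += 1
                break
    return hits

def observed_hits(show_text):
    """Parse per-entry match counts; entries without '(n matches)' count as 0."""
    counts, name, idx = {}, None, 0
    for line in show_text.splitlines():
        header = re.match(r"Extended IP access list (\S+)", line)
        if header:
            name, idx = header.group(1), 0
        elif name and line.strip():
            m = re.search(r"\((\d+) match(?:es)?\)", line)
            counts[(name, idx)] = int(m.group(1)) if m else 0
            idx += 1
    return counts

def discrepancies(expected, observed):
    """Entries whose observed counter differs: {(acl, index): (expected, observed)}."""
    return {k: (v, observed.get(k, 0)) for k, v in expected.items() if v != observed.get(k, 0)}

PING_AND_REPLY = [("icmp", "10.1.0.100", "10.1.1.100"), ("icmp", "10.1.1.100", "10.1.0.100")]
```

Calling `discrepancies(expected_hits(PING_AND_REPLY), observed_hits(SHOW_OUTPUT))` lists each entry whose counter is off, as an (expected, observed) pair.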