https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790654#M1004924 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>If you do a "sh access-list" from enable mode you should see the hit count at the end of the line eg: </P><P></P><P>access-list from_prod1 line 1 permit tcp object-group prod_machines host 10.228.56.2 eq telnet</P><P>access-list from_prod1 line 1 permit tcp host 10.228.51.51 host 10.228.56.2 eq telnet (hitcnt=12)</P><P>access-list from_prod1 line 1 permit tcp host 10.230.24.77 host 10.228.56.2 eq telnet (hitcnt=0)</P><P>access-list from_prod1 line 1 permit tcp host 10.181.66.12 host 10.228.56.2 eq telnet (hitcnt=0)</P><P>access-list from_prod1 line 1 permit tcp host 10.228.50.95 host 10.228.56.2 eq telnet (hitcnt=0)</P><P>access-list from_prod1 line 2 permit tcp object-group prod_machines host 10.228.56.3 eq telnet</P><P></P><P>So only the first line in the above access-list has any hits. </P><P></P><P>You can reset the counters by using the </P><P></P><P>"clear access-list <ACCESS-LIST name=""> counters" </ACCESS-LIST></P><P></P><P>HTH</P><P></P><P>Jon</P><P></P></BODY></HTML> Thu, 10 May 2007 08:47:00 GMT Jon Marshall 2007-05-10T08:47:00Z https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790653#M1004923 <P>Hello all, </P><P>i have a lot of rule on my V7.0 PIX and i want to know if there is a way to find an used rules in order to reduce the number of rules or maybe to know last time rules have been used or matched ?</P><P></P><P>Thank you</P><P></P><P></P> Mon, 11 Mar 2019 10:11:46 GMT https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790653#M1004923 yann.boulet 2019-03-11T10:11:46Z https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790654#M1004924 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>If you do a "sh access-list" from enable mode you should see the hit count at the end of the line eg: </P><P></P><P>access-list from_prod1 line 1 permit tcp object-group prod_machines host 10.228.56.2 eq telnet</P><P>access-list from_prod1 line 1 permit tcp host 10.228.51.51 host 10.228.56.2 eq telnet (hitcnt=12)</P><P>access-list from_prod1 line 1 permit tcp host 10.230.24.77 host 10.228.56.2 eq telnet (hitcnt=0)</P><P>access-list from_prod1 line 1 permit tcp host 10.181.66.12 host 10.228.56.2 eq telnet (hitcnt=0)</P><P>access-list from_prod1 line 1 permit tcp host 10.228.50.95 host 10.228.56.2 eq telnet (hitcnt=0)</P><P>access-list from_prod1 line 2 permit tcp object-group prod_machines host 10.228.56.3 eq telnet</P><P></P><P>So only the first line in the above access-list has any hits. </P><P></P><P>You can reset the counters by using the </P><P></P><P>"clear access-list <ACCESS-LIST name=""> counters" </ACCESS-LIST></P><P></P><P>HTH</P><P></P><P>Jon</P><P></P></BODY></HTML> Thu, 10 May 2007 08:47:00 GMT https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790654#M1004924 Jon Marshall 2007-05-10T08:47:00Z https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790655#M1004925 <HTML><HEAD></HEAD><BODY><P>Thanks for your help, just another question, do you know if it's possible to transform names in the configuration to ip addresses, i don't remember how to do it it's just be sure of the ip addresses when i use "sh access-list"</P><P></P><P>thanks</P></BODY></HTML> Thu, 10 May 2007 10:33:52 GMT https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790655#M1004925 yann.boulet 2007-05-10T10:33:52Z https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790656#M1004926 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>If i understand correctly i'm not sure you can do this. You can do a "sh names" and then cross reference with the access-list but i don't know of a way to transpose the ip address instead of the name in a "sh access-list" </P><P></P><P>Hope i haven't misunderstood. </P><P></P><P>Jon</P></BODY></HTML> Thu, 10 May 2007 10:40:23 GMT https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790656#M1004926 Jon Marshall 2007-05-10T10:40:23Z https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790657#M1004927 <HTML><HEAD></HEAD><BODY><P>There should be an entry in your configureation</P><P></P><P>"names"</P><P></P><P>if you run the command</P><P></P><P>"no names"</P><P></P><P>then all address to name translations will be turned off. This will *not* remove the name entries so you can turn it back on again without a problem.</P><P></P><P>** Please rate posts if helpful **</P></BODY></HTML> Thu, 10 May 2007 11:17:00 GMT https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790657#M1004927 mark.j.hodge 2007-05-10T11:17:00Z https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790658#M1004928 <HTML><HEAD></HEAD><BODY><P>This might be more useful if you do a `sh access-list | i hitcnt=0'.</P><P></P><P>That way you can sort out the rules that haven't received any hits over a certain time fram.</P></BODY></HTML> Thu, 10 May 2007 13:45:49 GMT https://community.cisco.com/t5/network-security/manage-pix-acls/m-p/790658#M1004928 laurent.geyer 2007-05-10T13:45:49Z