How to View ACCESS LIST in ASA with counter 0 via CLI & disable

Harwin M Valero L — Mon, 30 Oct 2023 15:11:57 GMT

Good afternoon,

I currently have a farm of ASA Firewalls (20 Device), and I need to perform the following tasks via CLI:

1st Be able to list all access lists with a counter of 0 that are not being used.

2nd From that filtered list with all those access lists created with that COUNTER 0 argument and via CLI through a Script or command routine, disable them mainly to eliminate them after a while.

It is possible that someone knows a routine that could make this job easier for me.

NOTE: Use the command show access-list | I access.*hitcnt=0 but this command does not generalize the access lists and in exchange it gives me a granular list for each hit 0 it finds.

I thank you through your experience for any recommendations to be able to do this task.

Thank you.

Harwin M Valero

Re: How to View ACCESS LIST in ASA with counter 0 via CLI & disabl

Harwin M Valero L — Mon, 30 Sep 2024 16:16:19 GMT

To achieve your objectives, I recommend the following approach based on your requirements:

1. **List all access lists with a hit counter of 0**:
While the command `show access-list | include access.*hitcnt=0` gives you a granular output, it's not ideal for your use case because it doesn't group or generalize access lists efficiently. Instead, you can create a script to parse the output and extract only the ACL names with hit counts of 0, filtering out the individual hits.

2. **Disable access lists with hit count 0**:
After listing the ACLs with hitcnt=0, you want to disable them. This can be done by removing the relevant ACL entries or rules. I'll provide a basic workflow that you can adapt into a script.

### Step-by-Step Solution:

#### 1. **Generate the list of ACLs with hit count 0**:
Use a slightly modified command to capture all access lists that have a hit count of 0, and then parse the output to group them together by ACL name.

Command:
```bash
show access-list | include ^access-list|hitcnt=0
```

This command will show all ACL entries and their hit counts, but you'll need a script to filter and group them by ACL name.

#### 2. **Parse the output and filter ACLs**:
You can write a script in Python (or Bash, if preferred) that reads the output, identifies all access lists where every rule has a hitcnt=0, and then stores those ACL names.

Here’s an example in Python:
```python
import re

# Sample output from "show access-list"
output = """
access-list OUTSIDE_ACL; 1 elements; name hash: 0x123456
access-list OUTSIDE_ACL line 1 extended permit ip any any (hitcnt=0)
access-list INSIDE_ACL; 1 elements; name hash: 0xabcdef
access-list INSIDE_ACL line 1 extended deny tcp any any (hitcnt=5)
"""

acl_hitcnt_zero = set()
current_acl = None

for line in output.splitlines():
acl_match = re.match(r"access-list (\S+);", line)
hitcnt_match = re.search(r"hitcnt=(\d+)", line)

if acl_match:
current_acl = acl_match.group(1)
acl_hitcnt_zero.add(current_acl)

if hitcnt_match and current_acl:
if int(hitcnt_match.group(1)) != 0:
acl_hitcnt_zero.discard(current_acl)

print("ACLs with all hitcnt=0:", acl_hitcnt_zero)
```

The result will be a list of ACLs that have no traffic matched (hit count = 0).

#### 3. **Disable access lists with hitcnt=0**:
Once you've identified the access lists to be disabled, you can use the `no access-list` command to disable or remove them from the configuration.

Example command to disable an ACL:
```bash
no access-list ACL_NAME
```

You can either manually run this command for each ACL in your filtered list or include it in a script to automate the process.

Example in Python (using a list of ACLs to disable):
```python
acls_to_disable = ['OUTSIDE_ACL', 'ANOTHER_ACL']

for acl in acls_to_disable:
print(f"no access-list {acl}")
```

#### 4. **Automating the script execution**:
If you’re using a management platform (e.g., Ansible, Python with paramiko, or similar), you can automate the entire process of connecting to each ASA device, running the script to filter ACLs with hitcnt=0, and disabling them.

Here’s an example using Python and `paramiko` for SSH automation:
```python
import paramiko

def execute_asa_command(host, username, password, command):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(host, username=username, password=password)
stdin, stdout, stderr = ssh.exec_command(command)
return stdout.read().decode()

devices = ['ASA1_IP', 'ASA2_IP', 'ASA3_IP'] # List of ASA devices
for device in devices:
print(f"Connecting to {device}")
result = execute_asa_command(device, 'username', 'password', 'show access-list | include ^access-list|hitcnt=0')
print(result)
```

### Final Thoughts:
- **First step**: Run the `show access-list | include ^access-list|hitcnt=0` command to gather the data you need.
- **Second step**: Use a script to filter ACLs with hitcnt=0.
- **Third step**: Automate the removal or disabling of those ACLs.

This method gives you a definitive, automated approach to achieve the task you outlined, minimizing manual intervention and ensuring consistency across all devices.

topic How to View ACCESS LIST in ASA with counter 0 via CLI & disable in Network Security

How to View ACCESS LIST in ASA with counter 0 via CLI & disable

Re: How to View ACCESS LIST in ASA with counter 0 via CLI & disabl