https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444995#M270292 <P>Hi,</P><P>I have a pix-515e firewall with 7(0)x verion of image. when i issue sh run, i cud see 1000 lines of acls, and when i issue show access-list i could see that there are 30000 access list elements. <BR />what is the diff between access list elements and acl lines ?<BR />how to reduce the acl elements ?</P><P>thanks,<BR />rajesh</P> Tue, 12 Mar 2019 03:40:30 GMT secureIT 2019-03-12T03:40:30Z https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444995#M270292 <P>Hi,</P><P>I have a pix-515e firewall with 7(0)x verion of image. when i issue sh run, i cud see 1000 lines of acls, and when i issue show access-list i could see that there are 30000 access list elements. <BR />what is the diff between access list elements and acl lines ?<BR />how to reduce the acl elements ?</P><P>thanks,<BR />rajesh</P> Tue, 12 Mar 2019 03:40:30 GMT https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444995#M270292 secureIT 2019-03-12T03:40:30Z https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444996#M270294 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I imagine that you have ACL configuration that utilizes <STRONG>"object-group"</STRONG> in the configuration. This essentially means that you ACL configuration is shorter than the actual full ACL that the ASA uses.</P><P></P><P>Take for example these 2 configurations</P><P></P><P><SPAN style="text-decoration: underline;">Example 1</SPAN></P><P></P><P><STRONG>access-list TEST-1 permit ip any any</STRONG></P><P></P><P><STRONG>ASA(config)# sh access-list TEST-1</STRONG></P><P><STRONG>access-list TEST-1; 1 elements; name hash: 0x5f8608f2</STRONG></P><P><STRONG>access-list TEST-1 line 1 extended permit ip any any (hitcnt=0) 0xa45bef40</STRONG></P><P></P><P>As you can see from the above we only have a single configuration line. As it doesnt have any <STRONG>"object-group"</STRONG> used for either services or IP address/networks it means that it only contains this single rule. So there is only a single <STRONG>"element"</STRONG></P><P></P><P></P><P><SPAN style="text-decoration: underline;">Example 2</SPAN></P><P></P><P><STRONG>object-group network TEST</STRONG></P><P><STRONG> network-object host 1.1.1.1</STRONG></P><P><STRONG> network-object host 1.1.1.2</STRONG></P><P><STRONG> network-object host 1.1.1.3</STRONG></P><P><STRONG> network-object host 1.1.1.4</STRONG></P><P></P><P><STRONG>access-list TEST-2 permit ip any object-group TEST</STRONG></P><P></P><P><STRONG>ASA(config)# sh access-list TEST-2</STRONG></P><P><STRONG>access-list TEST-2; 4 elements; name hash: 0xc7ff2230</STRONG></P><P><STRONG>access-list TEST-2 line 1 extended permit ip any object-group TEST 0xabbab304</STRONG></P><P><STRONG>&nbsp; access-list TEST-2 line 1 extended permit ip any host 1.1.1.1 (hitcnt=0) 0x8af4a0e1</STRONG></P><P><STRONG>&nbsp; access-list TEST-2 line 1 extended permit ip any host 1.1.1.2 (hitcnt=0) 0xbd31ccb2</STRONG></P><P><STRONG>&nbsp; access-list TEST-2 line 1 extended permit ip any host 1.1.1.3 (hitcnt=0) 0x32e99e16</STRONG></P><P><STRONG>&nbsp; access-list TEST-2 line 1 extended permit ip any host 1.1.1.4 (hitcnt=0) 0xcb4432ae</STRONG></P><P></P><P>As you can see from the above example we first create an <STRONG>"object-group"</STRONG> that contains 4 IP addresses and then we use this <STRONG>"object-group"</STRONG> as the destination address of the single ACL configuration line. This means the actual rule is that we permit traffic to all 4 of these destination IP addresses in the configuration and therefore it has 4 <STRONG>"elements"</STRONG></P><P></P><P>So you ACL configuration might include large amounts of <STRONG>"object-group"</STRONG> used. You would have to see if all of them are needed. For example if you use <STRONG>"object-group service"</STRONG> type of <STRONG>"object-group"</STRONG> in your configuratins with several ports defined then this will easily generate a lot of extra ACL "elements"</P><P></P><P>Hope this helps <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>- Jouni</P></BODY></HTML> Wed, 05 Feb 2014 14:40:47 GMT https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444996#M270294 Jouni Forss 2014-02-05T14:40:47Z https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444997#M270298 <HTML><HEAD></HEAD><BODY><P>Thanks Jouni. You are right. I had confirmed the same with Cisco Tac yesterday.</P><P>Well anyway to optimize ACL lookup in PIX 7(0) versions.</P></BODY></HTML> Thu, 06 Feb 2014 14:09:57 GMT https://community.cisco.com/t5/network-security/what-is-cisco-pix-access-list-elements/m-p/2444997#M270298 secureIT 2014-02-06T14:09:57Z