topic Show access-list help on ASA in Network Security

Show access-list help on ASA

Justin Westover — Mon, 11 Mar 2019 22:33:55 GMT

I am trying to view a specific line count of access lists on the ASA. Current if I run show access-list inside_access_in I can't specify the line I would like to filter on. I'm trying to view all hits on ACE (access list entries) on line 2. So i'm running the command show access-list inside_access_in | grep -v (hitcnt=0). This tells the ASA to show me all ACLs on the ASA with a hitcnt that is not = to 0. That part works fine but I would like to only show the line 2 ACLs instead of everyone of the ACLs on the ASA. Is there a regular expression or something I can do for this?

Show access-list help on ASA

Marvin Rhoads — Wed, 22 Feb 2012 22:34:33 GMT

Why not just:

show access-list inside_access_in | grep (line 2)

Sure you'll get an output whether or not the hitcnt=0 but is that important?

Show access-list help on ASA

Justin Westover — Thu, 23 Feb 2012 19:58:17 GMT

well because line 2 has thousands of actual lines and I don't want to sift through them all. I want to look at all line 2 entries which have a hitcnt(not equal to)0.

Show access-list help on ASA

Matt Lang — Thu, 23 Feb 2012 20:29:08 GMT

The only way I can think of getting this information is to do a 'sh access-list inside_access_in | ex hitcnt=0'. This will show you every line where the hitcnt does not equal zero, but if you save the output to a file you can then grab the relevant information you are looking for from that text file.

Matt

Show access-list help on ASA

Marvin Rhoads — Thu, 23 Feb 2012 20:32:18 GMT

I don't think you have the flexibility with the limited regex support in the ASA to do the logical AND.

You should be able to capture the lengthy output and then create a script in your external tool of choice to post-process the output winnowing it down to the interesting entries.

Show access-list help on ASA

Justin Westover — Thu, 23 Feb 2012 20:34:30 GMT

Yes, I am aware of the command to exlude the hitcnt=0, that is what i'm using currently. I have many lines of ACLs though so the AND operation would be really nice to have.

Show access-list help on ASA

tremorph3us — Thu, 12 Sep 2013 11:12:46 GMT

from

https://www.m00nie.com/2011/09/cisco-pipe-options-and-some-regex-examples/

There is no “real” AND function but you can use .* (dot then star) to match everything between two other expressions. below we match acls from 192.168.15-19.x AND that have a hit count of zero..

show access-list | inc 192.168.1[5-9].*cnt=0

This should do it

asadovnikov — Fri, 15 Apr 2016 04:04:43 GMT

This should do it

show access-list inside_access_in | i line 2 .*hitcnt=[1-9]

Hi

iswift — Wed, 12 Oct 2016 17:08:53 GMT

I don't know if you are interested in the ACL as a whole (if say, it concerns a group object for a collection of IPs), or one IP.

If you want one IP then see the below from another post of mine;

As you know the access-list name and the IP you are interested in , you can do this fairly easily;

show access-list acl_name ip_addr

This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.

Hope this helps.

Ian

Obviously you could then also pipe the output to an include|exclude|grep operator, but in the first place you are letting the ASA do a bit of logic to only include entries that are relevant to you.

Re: Show access-list in source IP & destination IP

gagan0001 — Mon, 28 May 2018 09:48:04 GMT

Hi,

How can i filter specific access list between source IP & destination ip with port no(tcp/udp) using show command.Suppose below is the source & destination.

Source IP is 192.168.1.1

Destination IP is 10.1.1.1

port no. is (tcp 22)

Firewall is between source & destination & firewall rule is already opened between source & destination.How can i check specific access list between source ip & destination IP for port no 22.

Re: Hi

Luci — Fri, 17 Apr 2020 17:48:38 GMT

Replying to this as I found it looking for something else and thought this might help others who end up here.

to search for hit counts in the asa (ios 9.10.1)

show access-list | i ^access.*hitcnt=[1-9]

this will give you everything that starts with access and has a hitcnt with any number value. You can play with it to suit your needs. Hope this helps.