Beginner

ASA show access-list

Using OS Code: 9.10(1)27

When I do show access-list, it gives me output with ACLs having object-groups in source and destination; however, under each of those it also lists the IPs covered by that object group. I do not want that detailed listing, only the ACLs.

Which syntax can help solve the issue?


Example:

access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2


I want to get rid of lines 2, 3, 5 and 6 in the output.

VIP Advisor

Re: ASA show access-list

Hi there,

If you don't want the ACL expansion, why not just use sh run | inc access-list?


cheers,

Seb.

Beginner

Re: ASA show access-list

Two reasons:
1) I want to filter out all ACLs with DNS, and when I tried "sh run | incl access-list | incl domain" it did not work as expected.
2) I also want to see hit counts on the ACLs, which "show run" does not show.
VIP Advisor

Re: ASA show access-list

After the initial pipe ( | ) any subsequent vertical bar is interpreted as a logical OR.


You could try sh run access-list | inc domain


Unfortunately there are no attributes you could regex which would exclude the expanded ACL output. Something like:

^\s{2}access-list


...would work great! As it is, if you want hit counts you have to use sh access-list. You could always export the output to a text handler which is more regex compliant?


cheers,

Seb.

Beginner

Re: ASA show access-list

That's what I am doing: get the output from show access-list | incl domain, copy it into Notepad and remove the undesired parts. I thought there might be an automated workaround for this.

VIP Advisor

Re: ASA show access-list

You mention notepad so you must be using windows. If you have access to Linux, the process can be achieved with the following command:

grep -v '^\s\saccess-list' acl_input.txt  > acl_output.txt

acl_input.txt would contain:

access-list foobar line 1 ext permit object-group FOO …
  access-list foobar line 1 ext permit 192.168.1.1 …
  access-list foobar line 1 ext permit 192.168.1.2 …

..the resulting output (acl_output.txt) would contain just:

access-list foobar line 1 ext permit object-group FOO …

I know Notepad++ supports regex search; you might be able to leverage that to produce the output. Or just spin up a Linux VM.


cheers,

Seb.
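A worked version of the grep approach above, added here as an example and not posted by anyone in this thread. Seb's grep -v relies on the two-space indent the ASA puts in front of each expanded entry; the output pasted in the original question has lost that indentation, so a filter keyed on whitespace would keep every line. The script below instead uses the fact that the ASA prints the summary ACE first and then the per-host expansions with the same ACL name and line number, so it keeps only the first entry for each (ACL, line) pair. That works whether or not the indentation survived, and it keeps the hitcnt and hash of the summary line that show run does not give you. The sample input is constructed from the lines in the question plus one extra single-host entry (line 212) with a made-up hash, so the script runs offline; the function names are my own.

```sh
#!/bin/sh
# Collapse expanded object-group entries in ASA "show access-list" output.
# Added example for this thread, not Cisco code. Function and file names
# are assumptions for illustration.

# Constructed sample: lines 210-211 copied from the question (line 210 with
# the ASA's two-space indent on the expansions, line 211 with it stripped,
# as in the original paste); line 212 and its hash are made up.
sample_acl() {
  cat <<'EOF'
access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
  access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
  access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2
access-list FROM_INSIDE line 212 extended permit tcp host 10.10.11.38 host 172.16.16.40 eq https (hitcnt=12) 0x11111111
EOF
}

# Keep the first ACE seen for each "<acl name> <line number>" pair and drop
# the rest. The ASA prints the summary ACE (with object-group names) before
# its per-host expansions, and all of them carry the same line number, so
# the summary survives and the expansions go, indent or no indent.
# Lines that are not ACEs (headers, element counts) are passed through.
collapse_acl() {
  awk '
    $1 == "access-list" && $3 == "line" {
      key = $2 " " $4
      if (key in seen) next
      seen[key] = 1
    }
    { print }
  '
}

# Collapse first, then filter on a service keyword such as "domain", so the
# grep never sees (and never keeps) an expansion line.
filter_acl() {
  collapse_acl | grep -- "$1"
}

# Usage on a real box: paste the "show access-list" output into acl_input.txt,
# then:  filter_acl domain < acl_input.txt > acl_output.txt
# Demonstration on the constructed sample:
sample_acl | filter_acl domain
```

Because the key is the ACL name plus line number, the script also behaves correctly for an ACE whose source is an object-group and whose destination is a single host, or vice versa: the summary line is still the first one printed for that line number. If your ASA preserves the two-space indentation, it is worth trying show access-list | include ^access-list on the box itself before exporting anything, since that anchor would skip the indented expansions; the script above is the fallback for pasted output where the indentation is gone.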
