Cisco Community
English
Register
LEARN MORE about Cisco's cybersecurity announcements this week
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


177
Views
0
Helpful
5
Replies
ring zer0
ring zer0 Beginner
Beginner
‎10-07-2019 06:18 AM
‎10-07-2019 06:18 AM

ASA show access-list

Using OS Code: 9.10(1)27

When I do show access-list it gives me output with ACLs having object-groups in source and destination however under that it also list the IPs covered under that object group. I do not want that detailed listing and only the ACLs.

Which syntax can help solve the issue?

 

Example:

access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2

 

Want to get rid of line 2,3,5,6 in the output.

Labels:
0 Helpful
Reply
5 REPLIES 5
Seb Rupik
VIP Advisor Seb Rupik VIP Advisor
VIP Advisor
‎10-07-2019 06:35 AM
‎10-07-2019 06:35 AM

Re: ASA show access-list

Hi there,

If you don't want the ACL expansion, why not just use sh run | inc access-list

 

 

cheers,

Seb.

0 Helpful
Reply
ring zer0
ring zer0 Beginner
Beginner
‎10-07-2019 06:40 AM
‎10-07-2019 06:40 AM

Re: ASA show access-list

2 Reasons
1 ) I want to filter out all ACLs with DNS and when I tried "sh run | incl access-list | incl domain" it does not work as expected.
2 ) I also want to see hit counts on ACLs which "show run" does not shows.
0 Helpful
Reply
Seb Rupik
VIP Advisor Seb Rupik VIP Advisor
VIP Advisor
‎10-07-2019 06:56 AM
‎10-07-2019 06:56 AM

Re: ASA show access-list

After the initial pipe ( | ) any subsequent vertical bar is interpreted as a logical OR.

 

You could try sh run access-list | inc domain

 

Unfortunately there are no attributes you could regex which would exclude the expanded ACL output. Something like:

^\s{2}access-list

 

...would work great! As it is, if you want hit counts you have to use sh access-list. You could always export the output to a text handler which is more regex compliant?

 

cheers,

Seb.

0 Helpful
Reply
ring zer0
ring zer0 Beginner
Beginner
‎10-07-2019 07:01 AM
‎10-07-2019 07:01 AM

Re: ASA show access-list

That's what I am doing , get output from show access-list | incl domain , copy in notepad and remove the undesired parts. Thought there might be a automated workaround for this.

0 Helpful
Reply
Highlighted
Seb Rupik
VIP Advisor Seb Rupik VIP Advisor
VIP Advisor
‎10-07-2019 07:17 AM
‎10-07-2019 07:17 AM

Re: ASA show access-list

You mention notepad so you must be using windows. If you have access to Linux, the process can be achieved with the following command:

grep -v '^\s\saccess-list' acl_input.txt  > acl_output.txt

acl_input.txt would contain:

access-list foobar line 1 ext permit object-group FOO …
  access-list foobar line 1 ext permit 192.168.1.1 …
  access-list foobar line 1 ext permit 192.168.1.2 …

..the resulting output (acl_output.txt) would contain just:

access-list foobar line 1 ext permit object-group FOO …

I know Notepad++ support regex search, you might be able to leverage that to produce the output. Or just spin up a Linux VM.

 

cheers,

Seb.

Everyone's tags (1)
0 Helpful
Reply
Latest Contents
How to find/get the registration key from FTD
Created by Eahwar34 on 12-06-2019 03:14 AM
0
0
0
0
We are in need of finding registration key used for our FTD , unfortunately we have forget the key and also it is encrypted . How to find the key from FTD ?
ISE My Devices & Sponsor Portal as a User Change Password Po...
Created by Jason Kunst on 12-05-2019 10:24 AM
0
0
0
0
This is to address those customers coming to ISE from ACS or new to ISE that need a password change portal (UCP) What are the licensing requirements for this solution? My Devices - For using the password change with My Devices you need plus licenses as ... view more
WHITEPAPER - Firepower Threat Defense Cloud Management with ...
Created by Marvin Rhoads on 11-29-2019 07:57 PM
0
10
0
10
  Overview   In this paper we will document the configuration and operation of an integrated solution that includes identity management, firewall, cloud-based management, and cloud-based logging. We will use the following Cisco products: Fu... view more
How Does Cisco Defense Orchestrator Manage Firepower Threat ...
Created by suhegade on 11-26-2019 09:06 PM
0
0
0
0
These days everything is in the cloud. We all know that Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. Using Cisco Defense Orchestrator (CDO), you can manage physical or virt... view more
How Does Cisco Defense Orchestrator Manage Adaptive Security...
Created by suhegade on 11-26-2019 09:03 PM
0
10
0
10
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that provides a simple, consistent, and highly secure way of managing security policies on all your ASA devices. CDO helps you optimize your ASA environment by identifying problems wi... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
FusionCharts will render here