10-30-2015 06:03 AM - edited 03-11-2019 11:48 PM
Hi
We have a physical firewall (ASA running 9.X) which is running in multiple private contexts. Due to the nature of the network we have hundreds of access-lists for one DMZ/interface, which makes it very tough sometimes to troubleshoot individual lines. I need some advice/tips on how to filter access-lists and network objects with show commands.
For example, if we have an object-group with 40 servers in it and I have to trace a single IP's communication on the access-list to see the hits, what will be the command? For example, the source is coming from another DMZ with the ABCD network-object and the destination (40 servers) object name is ZZZZ, and I need to see the hits on 1.1.1.1 (one of the 40 servers) from the source.
For example, the access-list would be
access-list extended tcp permit object ABCD object-group zzzz eq 443
Now I only need to filter the 1.1.1.1 access-list and see the hits (heard there is some grep command).
Any other troubleshooting ASA (show commands) would also be highly appreciated.
Thanks again guys
10-30-2015 09:42 AM
Hi,
'show run access-list' only shows the access-list in terms of objects, while 'show access-list' shows the expanded version of those entries. It also shows the hit counts associated with each access-list entry.
Therefore you could try something like 'show access-list | in 1.1.1.1' and it would show you the access-list entry along with its hit count.
I believe you could also try searching for the source IP in the access-list on ASDM. It has a hit count column as well.
Regards,
Akshay Rastogi
10-30-2015 09:43 AM
You didn't provide an access-list name in your post, so we'll call it "myACL."
Let me know if I didn't understand your question correctly, but based on what I understood you want to see hits on an ACL matching the source IP of 1.1.1.1 destined for a particular host in object-group ZZZZ.
Try:
show access-list myACL | include 1.1.1.1|ZZZZ
Replace ZZZZ with the destination IP.
This will show an entry similar to this:
access-list myACL line # extended permit tcp host 1.1.1.1 host ZZZZ eq 443 (hitcnt=###) 0x08e5811d
10-12-2016 10:04 AM
As you know the access-list name and the IP you are interested in, you can do this fairly easily:
show access-list acl_name ip_addr
This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.
Hope this helps.
Ian
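When the output of 'show access-list' runs to hundreds of expanded lines, piping it through 'include' (as in the second answer) or 'show access-list acl_name ip_addr' (as in the reply above) still leaves you reading the hit counts by eye. The following Python script is an added example, not part of this thread and not a Cisco tool: it parses saved 'show access-list' output and answers the original question directly, listing every entry (including expanded object-group members and 'any' entries) that covers a given IP or object name and summing their hit counts. The ACL name myACL, the object names ABCD/ZZZZ, the addresses and the hit counts in SAMPLE are constructed for the example; the parser handles host, any/any4/any6, network-mask, prefix and object/object-group address forms with eq/gt/lt/neq/range port operators, which is more general than the single ACE quoted in the question.

```python
import ipaddress
import re

# Constructed sample of "show access-list" output for a hypothetical ACL named
# myACL; the object names, addresses and hit counts are made up for the example.
SAMPLE = """\
access-list myACL line 1 extended permit tcp object ABCD object-group ZZZZ eq https (hitcnt=12) 0x1a2b3c4d
  access-list myACL line 1 extended permit tcp 10.1.0.0 255.255.255.0 host 1.1.1.1 eq https (hitcnt=7) 0x1a2b3c4e
  access-list myACL line 1 extended permit tcp 10.1.0.0 255.255.255.0 host 1.1.1.2 eq https (hitcnt=5) 0x1a2b3c4f
access-list myACL line 2 extended permit ip any4 host 1.1.1.1 (hitcnt=3) 0x2b3c4d5e
access-list myACL line 3 extended deny ip any any (hitcnt=99) 0x3c4d5e6f
"""

ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?)\s*\(hitcnt=(?P<hits>\d+)\)"
)
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count


def _take_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (spec, next_index).
    The spec is an ip_network, or a bare object/object-group name when unexpanded."""
    t = tokens[i]
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "any6":
        return ipaddress.ip_network("::/0"), i + 1
    if t in ("object", "object-group"):
        return tokens[i + 1], i + 2
    if "/" in t:  # IPv6 prefix form
        return ipaddress.ip_network(t, strict=False), i + 1
    # IPv4 "NETWORK MASK" form
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def _take_port(tokens, i):
    """Consume an optional port operator (eq/gt/lt/neq/range) if one is present."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]] + 1
        return " ".join(tokens[i:i + n]), i + n
    return None, i


def parse_show_access_list(output):
    """Parse show access-list text into a list of ACE dicts, one per line of output."""
    entries = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        tokens = m.group("rest").split()
        src, i = _take_addr(tokens, 0)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, _ = _take_port(tokens, i)
        entries.append({
            "acl": m.group("acl"), "line": int(m.group("line")),
            "action": m.group("action"), "proto": m.group("proto"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "hits": int(m.group("hits")),
            "expanded": bool(m.group("indent")),  # indented = object-group member entry
        })
    # A parent object/object-group line summarises the indented lines under it;
    # mark "leaf" entries so hit counts are not double-counted when summing.
    for idx, e in enumerate(entries):
        nxt = entries[idx + 1] if idx + 1 < len(entries) else None
        e["leaf"] = e["expanded"] or not (nxt and nxt["expanded"] and nxt["line"] == e["line"])
    return entries


def covers(spec, target):
    """True if an address spec matches target: by name for objects, by containment for networks."""
    if isinstance(spec, str):
        return spec == target
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return addr.version == spec.version and addr in spec


def hits_for(output, target):
    """Entries whose source or destination covers target (an IP or an object name),
    including 'any' entries and expanded object-group members."""
    return [e for e in parse_show_access_list(output)
            if covers(e["src"], target) or covers(e["dst"], target)]


def total_hits(output, target):
    """Sum of hit counts over the leaf entries that match target."""
    return sum(e["hits"] for e in hits_for(output, target) if e["leaf"])


if __name__ == "__main__":
    for e in hits_for(SAMPLE, "1.1.1.1"):
        print(f'line {e["line"]:>3} {e["action"]:6} {e["proto"]:4} {e["src"]} -> {e["dst"]} hits={e["hits"]}')
    print("total:", total_hits(SAMPLE, "1.1.1.1"))
```

Feed it the saved output of 'show access-list' (or of the filtered command from the answers above) in place of SAMPLE. Querying by the object-group name ZZZZ returns the unexpanded parent line with its aggregate count, while querying by 1.1.1.1 returns the expanded member line for that one server plus any broader entries ('any', subnets) that also match it, which is the comparison the original question asks for.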