I am trying to view a specific line count of access lists on the ASA. Currently, if I run show access-list inside_access_in I can't specify the line I would like to filter on. I'm trying to view all hits on ACEs (access list entries) on line 2. So I'm running the command show access-list inside_access_in | grep -v (hitcnt=0). This tells the ASA to show me all ACLs on the ASA with a hitcnt that is not equal to 0. That part works fine, but I would like to only show the line 2 ACLs instead of every one of the ACLs on the ASA. Is there a regular expression or something I can do for this?
Why not just:
show access-list inside_access_in | grep (line 2)
Sure you'll get an output whether or not the hitcnt=0 but is that important?
Well, because line 2 has thousands of actual lines and I don't want to sift through them all. I want to look at all line 2 entries which have a hitcnt (not equal to) 0.
The only way I can think of getting this information is to do a 'sh access-list inside_access_in | ex hitcnt=0'. This will show you every line where the hitcnt does not equal zero, but if you save the output to a file you can then grab the relevant information you are looking for from that text file.
I don't think you have the flexibility with the limited regex support in the ASA to do the logical AND.
You should be able to capture the lengthy output and then create a script in your external tool of choice to post-process the output winnowing it down to the interesting entries.
Yes, I am aware of the command to exclude the hitcnt=0; that is what I'm using currently. I have many lines of ACLs though, so the AND operation would be really nice to have.
There is no “real” AND function, but you can use .* (dot then star) to match everything between two other expressions. Below we match ACLs from 192.168.15-19.x AND that have a hit count of zero.
show access-list | inc 192.168.1[5-9].*cnt=0
How can I filter a specific access list between source IP & destination IP with port no. (tcp/udp) using a show command? Suppose below is the source & destination.
Source IP is 192.168.1.1
Destination IP is 10.1.1.1
port no. is (tcp 22)
Firewall is between source & destination & the firewall rule is already opened between source & destination. How can I check the specific access list between source IP & destination IP for port no. 22?
I don't know if you are interested in the ACL as a whole (if say, it concerns a group object for a collection of IPs), or one IP.
If you want one IP then see the below from another post of mine;
As you know the access-list name and the IP you are interested in, you can do this fairly easily;
show access-list acl_name ip_addr
This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.
Hope this helps.
Obviously you could then also pipe the output to an include|exclude|grep operator, but in the first place you are letting the ASA do a bit of logic to only include entries that are relevant to you.
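Both questions in this thread come down to the same limitation: the ASA's include/exclude/grep filters cannot express a logical AND, so the practical route (as suggested above) is to save the output of `show access-list` and post-process it offline. The script below is an added example, not code from the thread or from Cisco; it parses the expanded ACE lines, then applies the two filters asked for here: the entries on a given line whose hitcnt is not zero, and the entries that a given source IP, destination IP, protocol and port would match, in the ASA's top-down first-match order. It assumes the standard expanded ACE layout (`access-list NAME line N extended ACTION PROTO SRC DST [eq PORT|range LO HI] (hitcnt=N) ...`), skips the ACL header and object-group parent lines (which carry no hitcnt), and uses a deliberately partial map of service keywords such as `eq ssh`. The sample output embedded at the bottom is constructed for the example.

```python
"""Offline post-processing of Cisco ASA `show access-list` output (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# One expanded ACE line. Assumed layout; parent object-group lines have no hitcnt and
# therefore never match, which is what we want (their expansions carry the counters).
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any4|any6|any|\S+ \S+)\s+"
    r"(?P<dst>host \S+|any4|any6|any|\S+ \S+)"
    r"(?:\s+(?P<port>eq \S+|range \S+ \S+))?"
    r"\s+\(hitcnt=(?P<hits>\d+)\)"
)

# Partial map of ASA service keywords (the ASA prints `eq ssh` rather than `eq 22`).
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "smtp": 25, "domain": 53}


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: Network
    dst: Network
    ports: Optional[Tuple[int, int]]  # None when the ACE names no port
    hits: int
    raw: str


def to_network(tok: str) -> Network:
    """Turn an ASA address token (host X, any/any4/any6, or ADDR MASK) into a network."""
    if tok.startswith("host "):
        return ipaddress.ip_network(tok.split()[1])
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "any6":
        return ipaddress.ip_network("::/0")
    addr, mask = tok.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def to_port(name: str) -> int:
    return PORT_NAMES[name] if name in PORT_NAMES else int(name)


def port_range(tok: Optional[str]) -> Optional[Tuple[int, int]]:
    if tok is None:
        return None
    parts = tok.split()
    if parts[0] == "eq":
        return (to_port(parts[1]), to_port(parts[1]))
    return (to_port(parts[1]), to_port(parts[2]))  # range LO HI


def parse_aces(text: str) -> List[Ace]:
    """Parse every expanded ACE line; unrelated lines (header, parents, ICMP) are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                        to_network(m["src"]), to_network(m["dst"]),
                        port_range(m["port"]), int(m["hits"]), raw.strip()))
    return aces


def hot_entries_on_line(aces: List[Ace], line: int) -> List[Ace]:
    """The AND the ASA filters cannot do: ACEs on one line whose hitcnt is not zero."""
    return [a for a in aces if a.line == line and a.hits > 0]


def matching_aces(aces: List[Ace], src_ip: str, dst_ip: str,
                  proto: str, port: Optional[int] = None) -> List[Ace]:
    """ACEs a flow would match, in ACL order; the first one is the rule the ASA applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    out = []
    for a in aces:
        if a.proto not in (proto, "ip"):          # `ip` ACEs cover every protocol
            continue
        if s.version != a.src.version or s not in a.src or d not in a.dst:
            continue
        if a.ports is not None and (port is None or not a.ports[0] <= port <= a.ports[1]):
            continue
        out.append(a)
    return out


# Constructed sample of `show access-list inside_access_in` output for this example.
SAMPLE = """\
access-list inside_access_in; 6 elements; name hash: 0x0000abcd
access-list inside_access_in line 1 extended deny ip any4 host 10.9.9.9 (hitcnt=0) 0x00000001
access-list inside_access_in line 2 extended permit tcp object-group ADMIN_HOSTS host 10.1.1.1 eq ssh
access-list inside_access_in line 2 extended permit tcp host 192.168.1.1 host 10.1.1.1 eq ssh (hitcnt=17) 0x00000002
access-list inside_access_in line 2 extended permit tcp host 192.168.1.2 host 10.1.1.1 eq ssh (hitcnt=0) 0x00000003
access-list inside_access_in line 3 extended permit tcp 192.168.1.0 255.255.255.0 any4 eq www (hitcnt=4210) 0x00000004
access-list inside_access_in line 4 extended permit udp any4 host 10.1.1.53 eq domain (hitcnt=0) 0x00000005
"""

if __name__ == "__main__":
    aces = parse_aces(SAMPLE)
    print("line 2 entries with traffic:")
    for a in hot_entries_on_line(aces, 2):
        print("  ", a.raw)
    print("ACEs matching 192.168.1.1 -> 10.1.1.1 tcp/22 (first one wins):")
    for a in matching_aces(aces, "192.168.1.1", "10.1.1.1", "tcp", 22):
        print("  ", a.raw)
```

Feed it a saved capture instead of `SAMPLE` (for example `parse_aces(open("inside_access_in.txt").read())`) and the two functions give the "line N AND hitcnt != 0" view from the first question and the per-flow lookup from the second; the ASA's own `show access-list acl_name ip_addr` remains the quicker check when a single IP is all you need, since it also expands object-groups for you.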