45561 Views, 21 Helpful, 10 Replies

Show access-list help on ASA

Justin Westover
Level 1

I am trying to view a specific line count of access lists on the ASA. Currently, if I run show access-list inside_access_in, I can't specify the line I would like to filter on. I'm trying to view all hits on ACEs (access list entries) on line 2. So I'm running the command show access-list inside_access_in | grep -v (hitcnt=0). This tells the ASA to show me all ACLs on the ASA with a hitcnt that is not equal to 0. That part works fine, but I would like to only show the line 2 ACLs instead of every one of the ACLs on the ASA. Is there a regular expression or something I can do for this?

10 Replies

Marvin Rhoads
Hall of Fame

Why not just:

     show access-list inside_access_in | grep (line 2)

?

Sure you'll get an output whether or not the hitcnt=0 but is that important?

Well, because line 2 has thousands of actual lines and I don't want to sift through them all. I want to look at all line 2 entries which have a hitcnt not equal to 0.

The only way I can think of getting this information is to do a 'sh access-list inside_access_in | ex hitcnt=0'.  This will show you every line where the hitcnt does not equal zero, but if you save the output to a file you can then grab the relevant information you are looking for from that text file.

Matt

I don't think you have the flexibility with the limited regex support in the ASA to do the logical AND.

You should be able to capture the lengthy output and then create a script in your external tool of choice to post-process the output winnowing it down to the interesting entries.

Yes, I am aware of the command to exclude the hitcnt=0, that is what I'm using currently. I have many lines of ACLs though, so the AND operation would be really nice to have.

from

https://www.m00nie.com/2011/09/cisco-pipe-options-and-some-regex-examples/

There is no "real" AND function, but you can use .* (dot then star) to match everything between two other expressions. Below we match ACLs from 192.168.15-19.x AND that have a hit count of zero.

show access-list | inc 192.168.1[5-9].*cnt=0

Hi,

How can I filter a specific access list between source IP & destination IP with port no. (tcp/udp) using a show command? Suppose below is the source & destination.


Source IP is 192.168.1.1

Destination IP is 10.1.1.1

port no. is (tcp 22)

The firewall is between source & destination & the firewall rule is already opened between source & destination. How can I check the specific access list between source IP & destination IP for port no. 22?
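The ASA pipe can only apply one regex, so the logical AND Marvin suggested doing off-box (line number AND hitcnt, or source AND destination AND port) is easy once the output is saved to a file. The script below is an added example, not code from the thread or from Cisco: it parses the ACE lines of a saved "show access-list" capture and ANDs any combination of ACL name, line number, minimum hit count and rule tokens. The sample output is constructed to look like ASA ACE lines, with placeholder hex hashes.

```python
import re

# Constructed sample of saved "show access-list" output (not from the thread).
# Indented entries are the ACEs the ASA expands from an object-group line.
# Trailing hex values are placeholders, not real ACE hashes.
SAMPLE_OUTPUT = """\
access-list inside_access_in; 4 elements; name hash: 0x00000000
access-list inside_access_in line 1 extended permit tcp any any eq https (hitcnt=120) 0x00000001
access-list inside_access_in line 2 extended permit tcp object-group SRC object-group DST eq ssh (hitcnt=3) 0x00000002
  access-list inside_access_in line 2 extended permit tcp host 192.168.1.1 host 10.1.1.1 eq ssh (hitcnt=3) 0x00000003
  access-list inside_access_in line 2 extended permit tcp host 192.168.1.2 host 10.1.1.1 eq ssh (hitcnt=0) 0x00000004
access-list inside_access_in line 3 extended deny ip any any (hitcnt=0) 0x00000005
"""

# Matches one ACE line; the summary/header line has no "line N" and is skipped.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.*?)\s+\(hitcnt=(?P<hits>\d+)\)"
)

def parse_aces(output):
    """Yield one dict per ACE line found in the captured output."""
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            yield {
                "acl": m.group("acl"),
                "line": int(m.group("line")),
                "rule": m.group("rule"),
                "hits": int(m.group("hits")),
                "expanded": raw.startswith(" "),  # indented = expanded from an object-group
            }

def filter_aces(output, acl=None, line=None, min_hits=1, contains=()):
    """Return ACEs matching ALL given conditions (the AND the ASA pipe cannot do)."""
    results = []
    for ace in parse_aces(output):
        if acl is not None and ace["acl"] != acl:
            continue
        if line is not None and ace["line"] != line:
            continue
        if ace["hits"] < min_hits:
            continue
        if not all(token in ace["rule"] for token in contains):
            continue
        results.append(ace)
    return results

if __name__ == "__main__":
    # Line 2 entries with a non-zero hit count, the original question.
    for ace in filter_aces(SAMPLE_OUTPUT, acl="inside_access_in", line=2):
        print(ace["line"], ace["hits"], ace["rule"])
    # Source 192.168.1.1 to 10.1.1.1 on tcp/22, the follow-up question.
    print(filter_aces(SAMPLE_OUTPUT, min_hits=0,
                      contains=("host 192.168.1.1", "host 10.1.1.1", "eq ssh")))
```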


asadovnikov
Level 1

This should do it

show access-list inside_access_in | i line 2 .*hitcnt=[1-9]

iswift
Level 1

Hi

I don't know if you are interested in the ACL as a whole (if say, it concerns a group object for a collection of IPs), or one IP.

If you want one IP then see the below from another post of mine;

As you know the access-list name and the IP you are interested in , you can do this fairly easily;

show access-list acl_name ip_addr

This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.

Hope this helps.

Ian

Obviously you could then also pipe the output to an include|exclude|grep operator, but in the first place you are letting the ASA do a bit of logic to only include entries that are relevant to you.

Replying to this as I found it looking for something else and thought this might help others who end up here.


To search for hit counts in the ASA (ios 9.10.1):


show access-list | i ^access.*hitcnt=[1-9]

This will give you everything that starts with access and has a hitcnt with any non-zero number value. You can play with it to suit your needs. Hope this helps.
