Show access-list help on ASA

I am trying to view a specific line count of access lists on the ASA. Currently, if I run show access-list inside_access_in I can't specify the line I would like to filter on. I'm trying to view all hits on ACEs (access list entries) on line 2. So I'm running the command show access-list inside_access_in | grep -v (hitcnt=0). This tells the ASA to show me all ACLs on the ASA with a hitcnt that is not equal to 0. That part works fine, but I would like to only show the line 2 ACLs instead of every one of the ACLs on the ASA. Is there a regular expression or something I can do for this?

Hall of Fame Master

Show access-list help on ASA

Why not just:

     show access-list inside_access_in | grep (line 2)

?

Sure you'll get an output whether or not the hitcnt=0 but is that important?

Show access-list help on ASA

Well, because line 2 has thousands of actual lines and I don't want to sift through them all. I want to look at all line 2 entries which have a hitcnt not equal to 0.

Beginner

Show access-list help on ASA

The only way I can think of getting this information is to do a 'sh access-list inside_access_in | ex hitcnt=0'.  This will show you every line where the hitcnt does not equal zero, but if you save the output to a file you can then grab the relevant information you are looking for from that text file.

Matt

Hall of Fame Master

Show access-list help on ASA

I don't think you have the flexibility with the limited regex support in the ASA to do the logical AND.

You should be able to capture the lengthy output and then create a script in your external tool of choice to post-process the output winnowing it down to the interesting entries.

Show access-list help on ASA

Yes, I am aware of the command to exclude the hitcnt=0, that is what I'm using currently. I have many lines of ACLs though, so the AND operation would be really nice to have.

Beginner

Show access-list help on ASA

from

https://www.m00nie.com/2011/09/cisco-pipe-options-and-some-regex-examples/

There is no "real" AND function but you can use .* (dot then star) to match everything between two other expressions. Below we match ACLs from 192.168.15-19.x AND that have a hit count of zero.

show access-list | inc 192.168.1[5-9].*cnt=0
Beginner

Re: Show access-list in source IP & destination IP

Hi,

How can I filter a specific access list between source IP and destination IP with port number (tcp/udp) using a show command? Suppose below is the source and destination.

Source IP is 192.168.1.1

Destination IP is 10.1.1.1

port no. is (tcp 22)

The firewall is between source and destination, and the firewall rule is already opened between source and destination. How can I check the specific access list between source IP and destination IP for port number 22?

Beginner

This should do it

show access-list inside_access_in | i line 2 .*hitcnt=[1-9]
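Since the ASA pipe has no real logical AND (as noted earlier in the thread), the other suggestion was to capture the output and post-process it with an external tool. Below is an added example of such a post-processing script, written for this thread and not taken from the ASA or from any poster. It parses the lines of a captured "show access-list" output, keeps the line number, the ACE body and the hitcnt for each entry, and then applies both conditions at once (line 2 AND hitcnt > 0). The same filter can also be used for the later question about matching a specific source, destination and port, by asking for tokens that must appear in the ACE body. The sample output embedded in the script is constructed for illustration; the hashes and hit counts are made up.

```python
import re
import sys

# Constructed sample of captured `show access-list` output (not real device output).
# Object-group expansions share the parent's line number and are shown indented.
SAMPLE_OUTPUT = """\
access-list inside_access_in; 6 elements; name hash: 0x00000000
access-list inside_access_in line 1 extended permit tcp host 192.168.1.1 host 10.1.1.1 eq ssh (hitcnt=12) 0x00000001
access-list inside_access_in line 2 extended permit ip object-group NET_15_19 any (hitcnt=7) 0x00000002
  access-list inside_access_in line 2 extended permit ip 192.168.15.0 255.255.255.0 any (hitcnt=0) 0x00000003
  access-list inside_access_in line 2 extended permit ip 192.168.16.0 255.255.255.0 any (hitcnt=7) 0x00000004
access-list inside_access_in line 3 extended deny ip any any log (hitcnt=0) 0x00000005
"""

# One ACE per line: "access-list <name> line <n> <body> (hitcnt=<count>) <hash>"
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<body>.*?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(text):
    """Turn captured show access-list output into a list of ACE dicts.

    Header lines and anything else that is not an ACE are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        entries.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "body": m.group("body"),
            "hits": int(m.group("hits")),
            # Indented entries are the expansion of an object-group ACE.
            "expanded": raw.startswith(" "),
            "raw": raw.strip(),
        })
    return entries


def filter_aces(entries, line=None, min_hits=None, contains=()):
    """Keep only entries matching ALL given conditions (the AND the pipe lacks).

    line      - ACL line number the entry must belong to
    min_hits  - minimum hitcnt (use 1 for "hitcnt not equal to 0")
    contains  - substrings that must all appear in the ACE body,
                e.g. ("host 192.168.1.1", "host 10.1.1.1", "eq ssh")
    """
    kept = []
    for e in entries:
        if line is not None and e["line"] != line:
            continue
        if min_hits is not None and e["hits"] < min_hits:
            continue
        if not all(token in e["body"] for token in contains):
            continue
        kept.append(e)
    return kept


if __name__ == "__main__":
    # Usage: python acl_filter.py [captured_output.txt]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    aces = parse_aces(text)
    # Line 2 entries that actually have hits, i.e. the original question.
    for ace in filter_aces(aces, line=2, min_hits=1):
        print(ace["raw"])
```

Note that the ASA prints well-known ports by name ("eq ssh" rather than "eq 22"), so the tokens you search for have to match what the device actually displays; the script does no name-to-number translation.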
Beginner

Hi

I don't know if you are interested in the ACL as a whole (if say, it concerns a group object for a collection of IPs), or one IP.

If you want one IP then see the below from another post of mine;

As you know the access-list name and the IP you are interested in, you can do this fairly easily;

show access-list acl_name ip_addr

This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.

Hope this helps.

Ian

Obviously you could then also pipe the output to an include|exclude|grep operator, but in the first place you are letting the ASA do a bit of logic to only include entries that are relevant to you.