ASA show access-list

ring zer0
Level 1

Using OS Code: 9.10(1)27

When I do show access-list it gives me output with ACLs having object-groups in source and destination; however, under that it also lists the IPs covered under that object group. I do not want that detailed listing, only the ACLs.

Which syntax can help solve the issue?

 

Example:

access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2

 

Want to get rid of line 2,3,5,6 in the output.

6 Replies

Seb Rupik
VIP Alumni

Hi there,

If you don't want the ACL expansion, why not just use sh run | inc access-list

 

 

cheers,

Seb.

2 Reasons:
1) I want to filter out all ACLs with DNS, and when I tried "sh run | incl access-list | incl domain" it does not work as expected.
2) I also want to see hit counts on ACLs, which "show run" does not show.

After the initial pipe ( | ) any subsequent vertical bar is interpreted as a logical OR.

 

You could try sh run access-list | inc domain

 

Unfortunately there are no attributes you could regex which would exclude the expanded ACL output. Something like:

^\s{2}access-list

 

...would work great! As it is, if you want hit counts you have to use sh access-list. You could always export the output to a text handler which is more regex compliant?

 

cheers,

Seb.

That's what I am doing: get the output from show access-list | incl domain, copy it into Notepad and remove the undesired parts. Thought there might be an automated workaround for this.

You mention Notepad, so you must be using Windows. If you have access to Linux, the process can be achieved with the following command:

grep -v '^\s\saccess-list' acl_input.txt  > acl_output.txt

acl_input.txt would contain:

access-list foobar line 1 ext permit object-group FOO …
  access-list foobar line 1 ext permit 192.168.1.1 …
  access-list foobar line 1 ext permit 192.168.1.2 …

..the resulting output (acl_output.txt) would contain just:

access-list foobar line 1 ext permit object-group FOO …

I know Notepad++ supports regex search; you might be able to leverage that to produce the output. Or just spin up a Linux VM.

 

cheers,

Seb.

cosmic
Level 1

I agree that this is annoying, that there seems to be no command to allow seeing the hitcounts of the policies, but not the expansion.

I have discovered a way to see the hitcounts without the expansion. Because the lines of the expansion are indented two spaces, you can use the following command to just see the non-expansion lines:

show access-list | exclude . access-list

Note, that is 'show access-list | ex (dot)(space)access-list'. I suspect regex gurus may have a cleaner way to do this, but it works.

This does not inherently match your example, as also excluding lines with 'domain' might be tricky.

Hope this helps.
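Seb's grep -v approach and cosmic's observation that the expanded entries are indented two spaces can be combined into one small post-processing script. The script below is an added example, not code from this thread or from Cisco: it takes saved "show access-list" output, drops the expanded per-host lines, keeps the object-group summary lines with their hit counts, and filters them by a keyword such as "domain". It goes slightly beyond the thread by also extracting the line number and hitcnt from each remaining entry, which makes zero-hit rules easy to spot. Assumptions: the output was saved to a file first (as with the thread's acl_input.txt), the expanded lines carry the ASA's two-space indentation (the indentation is missing from the output pasted in the question), and the function names, the sample line 212 and its hash values are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Post-processes saved "show access-list"
# output: drops the expanded per-host lines (indented two spaces on the ASA),
# keeps the object-group summary lines with their hit counts, and filters by
# a keyword such as "domain". Function names are this example's own.

# Constructed sample, modelled on the thread's output with the ASA's two-space
# indentation restored on the expanded lines. Line 212 and its hashes are made
# up to give the keyword filter something to exclude.
SAMPLE_ACL='access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
  access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
  access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
  access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
  access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2
access-list FROM_INSIDE line 212 extended permit tcp object-group TEST object-group TEST2 eq https (hitcnt=12) 0x0c0ffee0
  access-list FROM_INSIDE line 212 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq https (hitcnt=12) 0x0c0ffee1'

# Keep only lines that do not start with whitespace, i.e. the unexpanded ACEs.
# Reads stdin, writes stdout. Same idea as grep -v '^\s\saccess-list' above.
unexpanded() {
  grep -v '^[[:space:]]'
}

# Unexpanded ACEs that mention a keyword (e.g. domain). grep exits 1 when
# nothing matches; "|| true" keeps that from aborting a "set -e" script.
acl_filter() {
  unexpanded | grep -- "$1" || true
}

# Print "line-number hitcnt" for each unexpanded ACE on stdin, handy for
# finding rules that never matched (hitcnt=0) before removing them.
hitcounts() {
  sed -n 's/^access-list [^ ]* line \([0-9]*\) .*(hitcnt=\([0-9]*\)).*/\1 \2/p'
}

# Example runs against the constructed sample. With a real capture, replace
# the printf with: cat acl_input.txt
printf '%s\n' "$SAMPLE_ACL" | acl_filter domain
printf '%s\n' "$SAMPLE_ACL" | unexpanded | hitcounts
```

As Seb and cosmic point out, the ASA's own pipe only applies one filter per command, so on the box you can either drop the expansion (show access-list | exclude . access-list) or keep the domain lines (show access-list | include domain), not both; the keyword filtering in acl_filter therefore happens after the output has been saved.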
