cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2773
Views
0
Helpful
9
Replies

ASA show access-list

ring zer0
Level 1
Level 1

Using OS Code: 9.10(1)27

When I do show access-list it gives me output with ACLs having object-groups in source and destination however under that it also list the IPs covered under that object group. I do not want that detailed listing and only the ACLs.

Which syntax can help solve the issue?

 

Example:

access-list FROM_INSIDE line 210 extended permit tcp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=579365) 0xf1ddea09
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0xd70b150e
access-list FROM_INSIDE line 210 extended permit tcp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=577245) 0x9f14c919
access-list FROM_INSIDE line 211 extended permit udp object-group TEST object-group TEST2 eq domain log informational interval 300 (hitcnt=233) 0x8e1fe74c
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.34 eq domain log informational interval 300 (hitcnt=0) 0x499db61a
access-list FROM_INSIDE line 211 extended permit udp host 10.10.11.38 host 172.16.16.36 eq domain log informational interval 300 (hitcnt=233) 0xa10ea8f2

 

Want to get rid of line 2,3,5,6 in the output.

9 Replies 9

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

If you don't want the ACL expansion, why not just use sh run | inc access-list

 

 

cheers,

Seb.

2 Reasons
1 ) I want to filter out all ACLs with DNS and when I tried "sh run | incl access-list | incl domain" it does not work as expected.
2 ) I also want to see hit counts on ACLs which "show run" does not shows.

After the initial pipe ( | ) any subsequent vertical bar is interpreted as a logical OR.

 

You could try sh run access-list | inc domain

 

Unfortunately there are no attributes you could regex which would exclude the expanded ACL output. Something like:

^\s{2}access-list

 

...would work great! As it is, if you want hit counts you have to use sh access-list. You could always export the output to a text handler which is more regex compliant?

 

cheers,

Seb.

That's what I am doing , get output from show access-list | incl domain , copy in notepad and remove the undesired parts. Thought there might be a automated workaround for this.

You mention notepad so you must be using windows. If you have access to Linux, the process can be achieved with the following command:

grep -v '^\s\saccess-list' acl_input.txt  > acl_output.txt

acl_input.txt would contain:

access-list foobar line 1 ext permit object-group FOO …
  access-list foobar line 1 ext permit 192.168.1.1 …
  access-list foobar line 1 ext permit 192.168.1.2 …

..the resulting output (acl_output.txt) would contain just:

access-list foobar line 1 ext permit object-group FOO …

I know Notepad++ support regex search, you might be able to leverage that to produce the output. Or just spin up a Linux VM.

 

cheers,

Seb.

You can not use  "|  include" more than once in a single command.  But you may try

"sh run | incl access-list .* domain" which will include  all lines in the output, that match "access-list "  followed by any string followed  by "domain". The argument for "include"  is not a fixed string but  a  regular expression, and in regular expressions ""." matches any single character and ".*" an  sequence of 0 or more  characters.

"sh run | inc access-list" is  nott necessary,  you may  also  use  "sh run access-list". Youma also restrict  the  outputt  toone access-list, if you add tthe  access-listname  to the command:  "sh run access-list  FROM_INSIDE".  If you  also want to see  tthhe sequence numbers  and  tthe matches for every access-list  entry, you can try "show access-list FROM-INSIDE | inc ^a", because that will show  only the "unexpanded" lines (the "expanded" lines for each access-list entry begin with a blank character and will not match the regular  expression "^a",  so they will not be included in the output).

cosmic
Level 1
Level 1

I agree that this is annoying, that there seems to be no command to allow seeing the hitcounts of the policies, but not the expansion.

I have discovered a way to see the hitcounts, without the expansion. Because the lines of the expansion are indented two spaces. you can use the following command to just see the non-expansion lines:

show access-list | exclude . access-list

Note, that is 'show access-list | ex (dot)(space)access-list'. I suspect regex gurus may have a cleaner way to do this, but it works.

This does not inherently match your example, as also excluding lines with 'domain' might be tricky.

Hope this helps.

"I agree that this is annoying, that there seems to be no command to allow seeing the hitcounts of the policies, but not the expansion."

Bur  there is such a command.  If you  look carefull  on  te output of "show  access-list", you  may notice, that  the "expaned  lines"  areprefixed with a space. If you want  to  see  only  the access-list with hitcounts  but witout the expansions, you  can use "show access-list | include ^a" (wihch will not include  lines beginning wwit  a space).

Review Cisco Networking for a $25 gift card