Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1329
Views
5
Helpful
3
Replies

ASA show commands

The_guroo_2
Level 2
Level 2

‎10-30-2015 06:03 AM - edited ‎03-11-2019 11:48 PM

Hi

We have a physcial firewall (ASA running 9.X) which is running in multiple perivate context. Due to the nature of network we have hundreds of access-list for one DMZ/interfces which makes it very tough some time to troubleshoot individual lines. I need some advise/tips toon how to fiilter access-lists and network objects which show commands

for example if we have a object-group and we have 40 servers in that and i have to trace a single IP communication on access-list to see the hits what will be teh command for example source is coming from anotehr DMZ with ABCD network-object and destination (40 servers) object name is ZZZZ and i need to see the hits on 1.1.1.1 (one of the 40 servers) from source.

fro example the access-list would be 

access-list extended tcp permit object ABCD object-group zzzz eq 443

Now i only need to filter the 1.1.1.1 access-list and see the hits (heard there are some greb command)

any other trouble shooting ASA (show commands) would also be highly appiciated

Thanks again guys

Labels:
0 Helpful
3 Replies 3

Akshay Rastogi
Cisco Employee
Cisco Employee

‎10-30-2015 09:42 AM

Hi,

'show run access-list' command only shows access-list on the basis of objects while 'show access-list' shows the expanded version of these Entity. Also it shows hit counts associated with that access-list entry.

therefore you could try something like 'show access-list | in 1.1.1.1' and it would show you the access-list entry and would be having a hit count for that.

I belive you could try searching for the source IP in the access-list on ASDM. It does have hit count column as well.

Regards,

Akshay Rastogi

0 Helpful

jj27
Spotlight
Spotlight

‎10-30-2015 09:43 AM

You didn't provide an access-list name in your post, so we'll call it "myACL."

Let me know if I didn't understand your question correctly, but based on what I understood you want to see hits on an ACL matching the source IP of 1.1.1.1 destined for a particular host in object-group ZZZZ.  

Try:

show access-list myACL | include 1.1.1.1|ZZZZ

Replace ZZZZ with the destination IP.

This will show an entry similar to this:

access-list myACL line # extended permit tcp host 1.1.1.1 host ZZZZ eq 443 (hitcnt=###) 0x08e5811d

iswift
Level 1
Level 1

‎10-12-2016 10:04 AM

As you know the access-list name and the IP you are interested in , you can do this fairly easily;

show access-list acl_name ip_addr

This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.

Hope this helps.

Ian

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card