10-30-2015 06:03 AM - edited 03-11-2019 11:48 PM
Hi
We have a physical firewall (ASA running 9.X) which is running in multiple private contexts. Due to the nature of the network we have hundreds of access-list entries for one DMZ/interface, which makes it very tough at times to troubleshoot individual lines. I need some advice/tips on how to filter access-lists and network objects with show commands.
For example, if we have an object-group with 40 servers in it and I have to trace a single IP's communication on the access-list to see the hits, what will be the command? For example, the source is coming from another DMZ with the ABCD network object and the destination (40 servers) object name is ZZZZ, and I need to see the hits on 1.1.1.1 (one of the 40 servers) from the source.
For example the access-list would be
access-list extended permit tcp object ABCD object-group zzzz eq 443
Now I only need to filter the 1.1.1.1 access-list entries and see the hits (I heard there is some grep command).
Any other ASA troubleshooting (show commands) would also be highly appreciated.
Thanks again guys
10-30-2015 09:42 AM
Hi,
The 'show run access-list' command only shows the access-list on the basis of objects, while 'show access-list' shows the expanded version of these entries. It also shows the hit counts associated with each access-list entry.
Therefore you could try something like 'show access-list | in 1.1.1.1' and it would show you the access-list entry along with its hit count.
I believe you could also try searching for the source IP in the access-list on ASDM. It has a hit count column as well.
Regards,
Akshay Rastogi
10-30-2015 09:43 AM
You didn't provide an access-list name in your post, so we'll call it "myACL."
Let me know if I didn't understand your question correctly, but based on what I understood you want to see hits on an ACL matching the source IP of 1.1.1.1 destined for a particular host in object-group ZZZZ.
Try:
show access-list myACL | include 1.1.1.1|ZZZZ
Replace ZZZZ with the destination IP.
This will show an entry similar to this:
access-list myACL line # extended permit tcp host 1.1.1.1 host ZZZZ eq 443 (hitcnt=###) 0x08e5811d
10-12-2016 10:04 AM
As you know the access-list name and the IP you are interested in, you can do this fairly easily:
show access-list acl_name ip_addr
This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.
Hope this helps.
Ian