We have a physical firewall (ASA running 9.X) which is running in multiple private contexts. Due to the nature of the network we have hundreds of access-lists for one DMZ/interface, which makes it very tough sometimes to troubleshoot individual lines. I need some advice/tips on how to filter access-lists and network objects with show commands.
For example, if we have an object-group with 40 servers in it and I have to trace a single IP's communication on the access-list to see the hits, what will be the command? For example, the source is coming from another DMZ with the ABCD network-object and the destination (40 servers) object name is ZZZZ, and I need to see the hits on 18.104.22.168 (one of the 40 servers) from the source.
'show run access-list' only shows the access-list on the basis of objects, while 'show access-list' shows the expanded version of these entries. It also shows the hit counts associated with each access-list entry.
Therefore you could try something like 'show access-list | in 22.214.171.124' and it would show you the access-list entry along with its hit count.
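As an added example (not part of the thread), here is a small parser over the expanded 'show access-list' output that pulls out the per-entry hit counts for one host. The sample output is constructed, with the ACL name myACL and object names ABCD/ZZZZ taken from the thread; the host lookup anchors the IP on both sides, because a plain '| include 10.1.1.1' also matches 10.1.1.10 and 10.1.1.100.

```python
import re
from typing import Dict, List

# Constructed sample of 'show access-list' output (not a real capture). The ASA prints
# the object-group form of each line first, then every expanded element indented
# beneath it, each with its own hit counter in parentheses.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list myACL; 4 elements; name hash: 0x1a2b3c4d
access-list myACL line 1 extended permit tcp object-group ABCD object-group ZZZZ eq https (hitcnt=19) 0x11111111
  access-list myACL line 1 extended permit tcp 10.10.0.0 255.255.0.0 host 192.0.2.10 eq https (hitcnt=12) 0x22222222
  access-list myACL line 1 extended permit tcp 10.10.0.0 255.255.0.0 host 192.0.2.11 eq https (hitcnt=7) 0x33333333
access-list myACL line 2 extended deny ip any any log (hitcnt=3) 0x44444444
"""

# One ACE line: ACL name, line number, the rule text, and the hit counter.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<ace>.+?)\s+\(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(output: str) -> List[Dict]:
    """Turn 'show access-list' output into a list of entries with hit counts."""
    entries = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # summary/header lines carry no hit counter
        entries.append({
            "acl": m["acl"],
            "line": int(m["line"]),
            "expanded": raw.startswith(" "),  # indented lines are expanded elements
            "ace": m["ace"],
            "hits": int(m["hits"]),
        })
    return entries


def hits_for_host(output: str, ip: str) -> List[Dict]:
    """Expanded entries that reference exactly `ip`, with their hit counts.

    The object-group parent line never names the host, so only expanded
    elements can match; the lookaround keeps 192.0.2.1 from matching 192.0.2.10.
    """
    token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [e for e in parse_aces(output) if e["expanded"] and token.search(e["ace"])]
```

In practice the output comes from the box itself ('show access-list myACL' pasted or pulled over SSH); the parser only needs the text.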
I believe you could try searching for the source IP in the access-list on ASDM. It has a hit count column as well.
You didn't provide an access-list name in your post, so we'll call it "myACL."
Let me know if I didn't understand your question correctly, but based on what I understood you want to see hits on an ACL matching the source IP of 126.96.36.199 destined for a particular host in object-group ZZZZ.