cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ASA show commands

The_guroo_2
Explorer
Explorer

Hi

We have a physcial firewall (ASA running 9.X) which is running in multiple perivate context. Due to the nature of network we have hundreds of access-list for one DMZ/interfces which makes it very tough some time to troubleshoot individual lines. I need some advise/tips toon how to fiilter access-lists and network objects which show commands

for example if we have a object-group and we have 40 servers in that and i have to trace a single IP communication on access-list to see the hits what will be teh command for example source is coming from anotehr DMZ with ABCD network-object and destination (40 servers) object name is ZZZZ and i need to see the hits on 1.1.1.1 (one of the 40 servers) from source.

fro example the access-list would be 

access-list extended tcp permit object ABCD object-group zzzz eq 443

Now i only need to filter the 1.1.1.1 access-list and see the hits (heard there are some greb command)

any other trouble shooting ASA (show commands) would also be highly appiciated

Thanks again guys

3 REPLIES 3

Akshay Rastogi
Cisco Employee
Cisco Employee

Hi,

'show run access-list' command only shows access-list on the basis of objects while 'show access-list' shows the expanded version of these Entity. Also it shows hit counts associated with that access-list entry.

therefore you could try something like 'show access-list | in 1.1.1.1' and it would show you the access-list entry and would be having a hit count for that.

I belive you could try searching for the source IP in the access-list on ASDM. It does have hit count column as well.

Regards,

Akshay Rastogi

jj27
Rising star
Rising star

You didn't provide an access-list name in your post, so we'll call it "myACL."

Let me know if I didn't understand your question correctly, but based on what I understood you want to see hits on an ACL matching the source IP of 1.1.1.1 destined for a particular host in object-group ZZZZ.  

Try:

show access-list myACL | include 1.1.1.1|ZZZZ

Replace ZZZZ with the destination IP.

This will show an entry similar to this:

access-list myACL line # extended permit tcp host 1.1.1.1 host ZZZZ eq 443 (hitcnt=###) 0x08e5811d

iswift
Beginner
Beginner

As you know the access-list name and the IP you are interested in , you can do this fairly easily;

show access-list acl_name ip_addr

This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.

Hope this helps.

Ian

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: