07-10-2023 12:05 PM
How can I verify which policy is currently active for incoming traffic received from the DMZ?
I need to move the internal traffic coming from the DMZ to another firewall.
Please advise.
07-10-2023 02:28 PM
You can see which rules are being hit in the access-list either in ASDM, where the hit count is shown to the right of each rule, or with "show access-list <access-list name>", which also shows a hit count for each rule.
07-10-2023 11:58 PM
DMZ interfaces are usually set at security level 50, but they could have any security level between 0 and 100. If you do "show nameif" you should see the interface names as well as their security levels. From there, take the interface names that are configured with a security level between 0 and 100 and run a packet capture on them while you are generating some traffic, and check if you get any output. You can run a packet capture with the command "capture <name> interface <interface name> match ip host <source IP> host <destination IP>".

Regarding the ACL hits, they won't give any details about the date/time. If you want those details you would need to add the "log" keyword at the end of the ACL entries of interest and then look at the firewall logs, but it is not recommended as it would consume more resources on the device.
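The "log" approach described in the reply above can be turned into a last-seen report. The following is an added example, not code posted in this thread: it parses ASA syslog message 106100 (emitted for ACEs that carry the log keyword) and keeps the latest timestamp per ACE hash, the same hash that "show access-list" prints after each entry. The log lines are constructed samples, and the "Mon DD YYYY HH:MM:SS: " prefix is an assumption about how your syslog collector stores ASA messages; adjust LOG_RE if your format differs.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not captured from a real device).
# The timestamp prefix format is an assumption about the collector.
# ASA message 106100 reports ACE hits for entries configured with "log";
# the first hash in the trailing brackets is the ACE hash. Message 106023
# (implicit deny) carries no ACE hash and is skipped here.
SAMPLE_SYSLOG = """\
Jul 10 2023 09:12:41: %ASA-6-106100: access-list DMZ_IN permitted tcp dmz/10.10.10.5(49152) -> inside/192.168.1.10(1433) hit-cnt 1 first hit [0x8a1b2c3d, 0x0]
Jul 10 2023 09:17:41: %ASA-6-106100: access-list DMZ_IN permitted tcp dmz/10.10.10.5(49160) -> inside/192.168.1.10(1433) hit-cnt 37 300-second interval [0x8a1b2c3d, 0x0]
Jul 11 2023 02:03:15: %ASA-6-106100: access-list DMZ_IN denied udp dmz/10.10.10.77(5353) -> inside/192.168.1.255(5353) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Jul 11 2023 08:40:02: %ASA-6-106023: Deny tcp src dmz:10.10.10.9/51000 dst inside:192.168.1.30/22 by access-group "DMZ_IN" [0x0, 0x0]
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-106100: "
    r"access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<sifc>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<difc>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+) .*?"
    r"\[(?P<ace_hash>0x[0-9a-f]+), 0x[0-9a-f]+\]"
)


def last_hit_per_ace(syslog_text: str) -> dict[str, dict]:
    """Return, keyed by ACE hash, the latest 106100 timestamp and the flow
    that produced it. Later lines overwrite earlier ones only when newer,
    so the input does not have to be in chronological order."""
    last: dict[str, dict] = {}
    for raw in syslog_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # other message IDs carry no ACE hash
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        key = m["ace_hash"]
        if key not in last or ts > last[key]["last_seen"]:
            last[key] = {
                "last_seen": ts,
                "acl": m["acl"],
                "action": m["action"],
                "flow": (f"{m['proto']} {m['sifc']}/{m['src']}:{m['sport']} "
                         f"-> {m['difc']}/{m['dst']}:{m['dport']}"),
            }
    return last


if __name__ == "__main__":
    for ace_hash, info in sorted(last_hit_per_ace(SAMPLE_SYSLOG).items()):
        print(f"{ace_hash} {info['acl']} {info['action']:9} "
              f"last seen {info['last_seen']:%Y-%m-%d %H:%M:%S} {info['flow']}")
```

Because the ASA consolidates repeated hits into one message per logging interval (the "300-second interval" lines), the last-seen time is only accurate to that interval; the ACE hash lets you tie each timestamp back to the exact line in "show access-list".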
07-11-2023 01:59 AM
You will not get a time and date on the hit count, unfortunately. So what you could do is clear the counter and let it run a week or two to get an indication of what is being used.
To see which access-list is being used for which interface, if that is what you mean, you can issue "show running-config access-group", which will give you the access-list name and the interface it is associated with:
ASAt# show running-config access-group
access-group <access-list> in interface <interface name>
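To turn the hit counts into a per-interface picture of what is still in use, the following added example (not code from this thread) parses constructed sample output of "show access-list" and "show running-config access-group", joins them on the ACL name, and splits each interface's rules into those that have been hit and those that have not. Clear the counters first ("clear access-list <name> counters") and collect the output at the end of the observation window, since the counts are cumulative since the last clear or reload.

```python
import re
from dataclasses import dataclass

# Constructed sample output of "show access-list" (not from a real device).
# Each ACE line ends with "(hitcnt=N)" and the ACE hash; the "; N elements"
# line is the ACL header and carries no hit count.
SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list DMZ_IN; 3 elements; name hash: 0x1a2b3c4d
access-list DMZ_IN line 1 extended permit tcp host 10.10.10.5 host 192.168.1.10 eq 1433 (hitcnt=1523) 0x8a1b2c3d
access-list DMZ_IN line 2 extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq https (hitcnt=0) 0x1f2e3d4c
access-list DMZ_IN line 3 extended deny ip any any log (hitcnt=42) 0x5e6f7a8b
access-list OUTSIDE_IN; 1 elements; name hash: 0x9f8e7d6c
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.10 eq www (hitcnt=88) 0x0a0b0c0d
access-list UNUSED_ACL; 1 elements; name hash: 0x11112222
access-list UNUSED_ACL line 1 extended permit ip any any (hitcnt=0) 0x33334444
"""

# Constructed sample output of "show running-config access-group".
# UNUSED_ACL is deliberately defined above but applied to no interface.
SHOW_ACCESS_GROUP = """\
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.*?) \(hitcnt=(?P<hits>\d+)\)"
)
GROUP_RE = re.compile(r"^access-group (?P<acl>\S+) (?P<dir>in|out) interface (?P<ifc>\S+)")


@dataclass
class Ace:
    acl: str
    line: int
    text: str   # rule body, e.g. "extended permit tcp host ... eq 1433"
    hits: int   # cumulative hit count since the last clear or reload


def parse_aces(show_access_list: str) -> list[Ace]:
    """Extract ACEs and their hit counts from 'show access-list' output.

    Only unindented lines are parsed: when an ACE references an object-group,
    the ASA prints the aggregate hitcnt on the top-level line and the
    per-member expansions indented beneath it, so counting those too would
    double count."""
    aces = []
    for raw in show_access_list.splitlines():
        m = ACE_RE.match(raw)
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["ace"], int(m["hits"])))
    return aces


def parse_access_groups(show_access_group: str) -> dict[str, tuple[str, str]]:
    """Map ACL name -> (direction, interface) from 'show run access-group'."""
    groups = {}
    for raw in show_access_group.splitlines():
        m = GROUP_RE.match(raw)
        if m:
            groups[m["acl"]] = (m["dir"], m["ifc"])
    return groups


def usage_by_interface(show_access_list: str,
                       show_access_group: str) -> dict[str, dict[str, list[Ace]]]:
    """Group ACEs by the interface their ACL is applied to, split into
    rules that have been hit ("used") and rules that have not ("unused").
    ACLs not applied to any interface are left out of the report."""
    groups = parse_access_groups(show_access_group)
    report: dict[str, dict[str, list[Ace]]] = {}
    for ace in parse_aces(show_access_list):
        if ace.acl not in groups:
            continue
        _direction, ifc = groups[ace.acl]
        bucket = report.setdefault(ifc, {"used": [], "unused": []})
        bucket["used" if ace.hits > 0 else "unused"].append(ace)
    return report


if __name__ == "__main__":
    for ifc, buckets in usage_by_interface(SHOW_ACCESS_LIST, SHOW_ACCESS_GROUP).items():
        print(f"interface {ifc}:")
        for ace in buckets["used"]:
            print(f"  USED   {ace.acl} line {ace.line} hits={ace.hits}: {ace.text}")
        for ace in buckets["unused"]:
            print(f"  UNUSED {ace.acl} line {ace.line}: {ace.text}")
```

A hit count on the final "deny ip any any" line is worth reading separately: it means something from the DMZ is being blocked by this firewall rather than passed, which is also traffic you need to account for before moving the interface.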
07-11-2023 08:39 AM
Thanks, I appreciate your answer.
Which option will clear the hit counter?
07-11-2023 11:58 AM
You can use the command "clear access-list <access-list name> counters".
07-12-2023 02:21 AM
To clear the hit count in ASDM, just right-click the "Clear Hits" button in the toolbar above the search field. Or you can right-click the specific rule you want to clear hits for and select "Clear Hits".
As for packet tracer, as mentioned by others here, you need to know what traffic you are trying to test and which interface this traffic will enter the ASA on from the source's perspective. Usually the source port will be a random high port (I normally use port 12345), but you could actually use any port, low or high, as the source.
07-10-2023 12:13 PM
The best way is using packet tracer
to see which ACL the traffic is hitting.
07-10-2023 03:51 PM - edited 07-10-2023 03:52 PM
In packet tracer, which port should I mention as the source port?
I found the destination port details from the policy.
07-10-2023 12:17 PM
Thanks for the update.
Can we check with the hit count?
Can we check from any logs?
Do I need to download packet tracer, or is it built into the Cisco ASA?
I have never used Cisco ASA, so please guide me step by step; that would be a great help.
A few applications are pending to move from the Cisco ASA to the new firewall, so I am looking for which applications are still running through the Cisco ASA.
07-10-2023 03:54 PM
Can I get the latest date and time stamp for the hit count, to know when the policy was last used?
07-10-2023 04:06 PM
How can I find out the internal-traffic-to-DMZ policy details from a Cisco ASA 5525?
07-11-2023 01:49 AM
Again, use packet tracer:
packet-tracer input DMZ <subnet in DMZ you want to check> <subnet in inside or outside> detailed
This will give you exactly
1- the NAT being used
2- the ACL being used (inbound and outbound)
07-11-2023 08:43 AM
Thanks, I appreciate your update, but when I open packet tracer in the firewall policy I could not find the source port details. The rest of the things I can find out, so which port should I mention as the source port?
07-11-2023 08:55 AM
You can use as the port
12345 <<- a random port number
Or
a specific port number if you want to check a server.
For example
packet-tracer input DMZ tcp 1.1.1.1 80 2.2.2.2 12345
Or
packet-tracer input OUTside tcp 2.2.2.2 12345 1.1.1.1 80
07-11-2023 12:20 PM
When you run packet tracer you should have the traffic flow that you want to test in mind. You can put any port in the source or in the destination, but those ports should match the traffic flow that you are trying to simulate.