Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1180
Views
9
Helpful
20
Replies

CISCO ASA 5525

Go to solution
ddesai
Level 1
Level 1

‎07-10-2023 12:05 PM

How will I verify that which policy is currently active for incoming traffic received from Dmz ?

I will need to move internal traffic which is coming from Dmz to another firewall.

 

Please advice 

 

7 Accepted Solutions

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP

‎07-10-2023 12:13 PM

best way is using packet tracer 

see traffic which ACL hitting.

View solution in original post

Go to solution
Marius Gunnerud
VIP
VIP

‎07-10-2023 02:28 PM

you can see which rules are being hit in the access-list using either ASDM where you will see the hit count on the right of each rule, or using show access-list <access-list name> which will also show you a hit count for each rule.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Go to solution
Aref Alsouqi
VIP
VIP

‎07-10-2023 11:58 PM

DMZ interfaces are usually set at 50 security level, but they could be with any security level between 0 and 100. If you do "sh nameif" you should see the interfaces names as well as their security levels. From there take the interfaces names that are configured with a security level between 0 and 100 and run some packet capture on them while you are generating some traffic and check if you get any output. You can run packet capture with the command "cap < name > interface < the interface name > match ip host < source IP > host < destination IP >. Regarding the ACL hits, they won't give any details about the date/time, if you want to get those details you would need to add "log" keyword at the end of the interested ACL entries and then look at the firewall logs, but it is not recommended as it would consume more resources on the device.

View solution in original post

Go to solution
Marius Gunnerud
VIP
VIP
In response to ddesai

‎07-11-2023 01:59 AM

You will not get a time and date on the hitcount unfortunately. So what you could do is clear the counter and let it run a week or two to get an indication of what is being used.

To see which access-list is being used for which interface, if that is what you mean, you can issue the show running-config access-group which will give you the access-list name and the interface it is associated with

ASAt# show running-config access-group
access-group <access-list> in interface <interface name>

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Go to solution
ddesai
Level 1
Level 1
In response to Marius Gunnerud

‎07-11-2023 08:39 AM

Thanks, and appreciated your answer, 

which option will clear heat counter?

View solution in original post

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to ddesai

‎07-11-2023 11:58 AM

You can use the command "clear access-list < the access list name > counters".

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎07-12-2023 02:21 AM

To clear the hit count in ASDM just right click the "Clear Hits" button in the toolbar above the search field.  Or you can right click the specific rule you want to clear hits for and select "Clear Hits"

As for packet tracer, as mentioned by others here, you need to know what traffic you are trying to test and which interface this traffic will enter the ASA on from the source perspective.  Usually the source port will be a random high port (I normally use port 12345) but you could actually use any port low or high as source.  

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

20 Replies 20

Go to solution
MHM Cisco World
VIP
VIP

‎07-10-2023 12:13 PM

best way is using packet tracer 

see traffic which ACL hitting.

Go to solution
ddesai
Level 1
Level 1
In response to MHM Cisco World

‎07-10-2023 03:51 PM - edited ‎07-10-2023 03:52 PM

in Packet tracer which port mention as source  port  ? 

destination port details i found from policy

0 Helpful

Go to solution
ddesai
Level 1
Level 1

‎07-10-2023 12:17 PM

Thanks for the update.

Can we check with heat count?

Can we check from any logs ?

Do I need to download packet tracert or is it inbuild in cisco ASA

 I never use CISCO ASA so please guide me step by step that will be great help.

few applications pending to move from cisco ASA to new firewall so I am looking for which application still running in CISCO ASA

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎07-10-2023 02:28 PM

you can see which rules are being hit in the access-list using either ASDM where you will see the hit count on the right of each rule, or using show access-list <access-list name> which will also show you a hit count for each rule.

--
Please remember to select a correct answer and rate helpful posts

Go to solution
ddesai
Level 1
Level 1
In response to Marius Gunnerud

‎07-10-2023 03:54 PM

Can i get heat count latest date and time stamp to know when policy used last date and time?

0 Helpful

Go to solution
ddesai
Level 1
Level 1
In response to Marius Gunnerud

‎07-10-2023 04:06 PM

How i can find out interal traffic to DMZ policy details from cisco asa 5525 ?>

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ddesai

‎07-11-2023 01:49 AM

again use packet tracer, 
packet tracer input DMZ <subet in DMZ you want to check><subet in INside or OUTside> detail 
this will give you exactly 
1- NATing using 
2- ACL using (INbound and OUTbound)

Go to solution
ddesai
Level 1
Level 1
In response to MHM Cisco World

‎07-11-2023 08:43 AM

Thanks, and appreciated your update but when i open packet tracer in firewall policy i could not find source port details rest of things i can find out so what port mention as a source port.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to ddesai

‎07-11-2023 08:55 AM

You can use as port 

12345 <<- randomly port number 

Or 

Specific port number  if you want to check server.

For example 

Packet tracer input DMZ tcp 1.1.1.1 80 2.2.2.2 12345 

Or 

Packet tracer input OUTside tcp 2.2.2.2 12345 1.1.1.1 80

0 Helpful

Go to solution
ddesai
Level 1
Level 1
In response to MHM Cisco World

‎07-11-2023 09:18 AM

If I am adding source port as a random than it give me error.

Can I add for all in pakcet tracer souce port 80 or https ?

Destination port I have mentioned as per Cisco policy.

Go to solution
Aref Alsouqi
VIP
VIP
In response to ddesai

‎07-11-2023 12:20 PM

When you run packet tracer you should have the traffic flow that you want to test in mind. You can put any port in the source or in the destination, but those ports should match the traffic flow that you are trying to simulate.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to ddesai

‎07-11-2023 01:59 AM

You will not get a time and date on the hitcount unfortunately. So what you could do is clear the counter and let it run a week or two to get an indication of what is being used.

To see which access-list is being used for which interface, if that is what you mean, you can issue the show running-config access-group which will give you the access-list name and the interface it is associated with

ASAt# show running-config access-group
access-group <access-list> in interface <interface name>

--
Please remember to select a correct answer and rate helpful posts

Go to solution
ddesai
Level 1
Level 1
In response to Marius Gunnerud

‎07-11-2023 08:39 AM

Thanks, and appreciated your answer, 

which option will clear heat counter?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card