02-22-2012 01:10 PM - edited 03-11-2019 03:33 PM
I am trying to view a specific line count of access lists on the ASA. Currently, if I run show access-list inside_access_in I can't specify the line I would like to filter on. I'm trying to view all hits on ACEs (access list entries) on line 2. So I'm running the command show access-list inside_access_in | grep -v (hitcnt=0). This tells the ASA to show me all ACLs on the ASA with a hitcnt that is not = to 0. That part works fine, but I would like to only show the line 2 ACLs instead of every one of the ACLs on the ASA. Is there a regular expression or something I can do for this?
02-22-2012 02:34 PM
Why not just:
show access-list inside_access_in | grep (line 2)
?
Sure you'll get an output whether or not the hitcnt=0 but is that important?
02-23-2012 11:58 AM
Well, because line 2 has thousands of actual lines and I don't want to sift through them all. I want to look at all line 2 entries which have a hitcnt (not equal to) 0.
02-23-2012 12:29 PM
The only way I can think of getting this information is to do a 'sh access-list inside_access_in | ex hitcnt=0'. This will show you every line where the hitcnt does not equal zero, but if you save the output to a file you can then grab the relevant information you are looking for from that text file.
Matt
02-23-2012 12:32 PM
I don't think you have the flexibility with the limited regex support in the ASA to do the logical AND.
You should be able to capture the lengthy output and then create a script in your external tool of choice to post-process the output winnowing it down to the interesting entries.
02-23-2012 12:34 PM
Yes, I am aware of the command to exclude the hitcnt=0, that is what I'm using currently. I have many lines of ACLs though, so the AND operation would be really nice to have.
09-12-2013 04:12 AM
from
https://www.m00nie.com/2011/09/cisco-pipe-options-and-some-regex-examples/
There is no “real” AND function but you can use .* (dot then star) to match everything between two other expressions. Below we match ACLs from 192.168.15-19.x AND that have a hit count of zero.
show access-list | inc 192.168.1[5-9].*cnt=0
05-28-2018 02:48 AM
Hi,
How can I filter a specific access list between source IP & destination IP with port no. (tcp/udp) using a show command? Suppose below is the source & destination.
Source IP is 192.168.1.1
Destination IP is 10.1.1.1
port no. is (tcp 22)
Firewall is between source & destination & the firewall rule is already opened between source & destination. How can I check the specific access list between source IP & destination IP for port no. 22?
04-14-2016 09:04 PM
This should do it
show access-list inside_access_in | i line 2 .*hitcnt=[1-9]
10-12-2016 10:08 AM
Hi
I don't know if you are interested in the ACL as a whole (if say, it concerns a group object for a collection of IPs), or one IP.
If you want one IP then see the below from another post of mine;
As you know the access-list name and the IP you are interested in, you can do this fairly easily;
show access-list acl_name ip_addr
This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.
Hope this helps.
Ian
Obviously you could then also pipe the output to an include|exclude|grep operator, but in the first place you are letting the ASA do a bit of logic to only include entries that are relevant to you.
04-17-2020 10:48 AM
Replying to this as I found it looking for something else and thought this might help others who end up here.
To search for hit counts in the ASA (IOS 9.10.1):
show access-list | i ^access.*hitcnt=[1-9]
This will give you everything that starts with access and has a hitcnt with any number value. You can play with it to suit your needs. Hope this helps.
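The external post-processing several replies suggest (save the output, then filter it off-box), as an added example that is not from any poster in this thread: it parses ASA `show access-list` output, applies the "line 2 AND hitcnt != 0" condition the ASA pipe cannot express directly, and emulates `| include` so the one-liners given above can be checked against the same text. The sample output is constructed and the regex assumes the usual `access-list <name> line <n> ... (hitcnt=<n>)` layout.

```python
import re

# Constructed sample of "show access-list" output in ASA layout (not real data);
# indented lines are the ASA's expansion of an object-group ACE.
SAMPLE_OUTPUT = """\
access-list inside_access_in; 5 elements; name hash: 0x12345678
access-list inside_access_in line 1 extended permit ip any any (hitcnt=15) 0x11111111
access-list inside_access_in line 2 extended permit tcp object-group WEB_SRVS any eq www (hitcnt=7) 0x22222222
  access-list inside_access_in line 2 extended permit tcp host 192.168.15.4 any eq www (hitcnt=7) 0x33333333
  access-list inside_access_in line 2 extended permit tcp host 192.168.16.9 any eq www (hitcnt=0) 0x44444444
access-list inside_access_in line 20 extended deny ip any any (hitcnt=3) 0x55555555
"""

# One ACE per line: ACL name, line number, the rule text, and the hit counter.
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.*?) \(hitcnt=(?P<hits>\d+)\)"
)


def parse_aces(text):
    """Return one dict per ACE; the ACL header line has no hitcnt and is skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if m:
            aces.append({"acl": m["acl"], "line": int(m["line"]),
                         "rule": m["rule"], "hits": int(m["hits"])})
    return aces


def active_aces(text, acl, line):
    """The logical AND from the question: given ACL, given line number, hitcnt > 0."""
    return [a for a in parse_aces(text)
            if a["acl"] == acl and a["line"] == line and a["hits"] > 0]


def asa_include(text, pattern):
    """Emulate '| include <regex>' (one regex search per output line) for offline checks."""
    return [ln for ln in text.splitlines() if re.search(pattern, ln)]
```

Running the thread's `^access.*hitcnt=[1-9]` through `asa_include` shows a side effect worth knowing: the `^access` anchor drops the indented object-group expansions, so per-host counters inside a group are not listed.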