02-05-2014 01:04 AM - edited 03-11-2019 08:40 PM
Hi,
I have a PIX-515E firewall with a 7(0)x version of the image. When I issue sh run, I could see 1000 lines of ACLs, and when I issue show access-list I could see that there are 30000 access list elements.
What is the difference between access list elements and ACL lines?
How to reduce the ACL elements?
thanks,
rajesh
02-05-2014 06:40 AM
Hi,
I imagine that you have an ACL configuration that utilizes "object-group" in the configuration. This essentially means that your ACL configuration is shorter than the actual full ACL that the ASA uses.
Take for example these 2 configurations
Example 1
access-list TEST-1 permit ip any any
ASA(config)# sh access-list TEST-1
access-list TEST-1; 1 elements; name hash: 0x5f8608f2
access-list TEST-1 line 1 extended permit ip any any (hitcnt=0) 0xa45bef40
As you can see from the above, we only have a single configuration line. As it doesn't have any "object-group" used for either services or IP addresses/networks, it means that it only contains this single rule. So there is only a single "element".
Example 2
object-group network TEST
network-object host 1.1.1.1
network-object host 1.1.1.2
network-object host 1.1.1.3
network-object host 1.1.1.4
access-list TEST-2 permit ip any object-group TEST
ASA(config)# sh access-list TEST-2
access-list TEST-2; 4 elements; name hash: 0xc7ff2230
access-list TEST-2 line 1 extended permit ip any object-group TEST 0xabbab304
access-list TEST-2 line 1 extended permit ip any host 1.1.1.1 (hitcnt=0) 0x8af4a0e1
access-list TEST-2 line 1 extended permit ip any host 1.1.1.2 (hitcnt=0) 0xbd31ccb2
access-list TEST-2 line 1 extended permit ip any host 1.1.1.3 (hitcnt=0) 0x32e99e16
access-list TEST-2 line 1 extended permit ip any host 1.1.1.4 (hitcnt=0) 0xcb4432ae
As you can see from the above example, we first create an "object-group" that contains 4 IP addresses and then we use this "object-group" as the destination address of the single ACL configuration line. This means the actual rule is that we permit traffic to all 4 of these destination IP addresses in the configuration and therefore it has 4 "elements".
So your ACL configuration might include large amounts of "object-group" usage. You would have to see if all of them are needed. For example, if you use the "object-group service" type of "object-group" in your configurations with several ports defined, then this will easily generate a lot of extra ACL "elements".
Hope this helps
- Jouni
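To make the line-versus-element difference concrete, here is an added example (not from the original thread or from Cisco) that parses a small constructed ASA-style configuration and estimates the element count per ACL the way Jouni describes: every "object-group" referenced on an ACL line multiplies that line by the group's member count. The product rule for lines referencing several groups, and the treatment of unknown or nested groups as a single member, are simplifying assumptions of this script, not documented ASA behaviour.

```python
import re
from collections import defaultdict

# Constructed ASA-style configuration fragment (not the poster's config).
SAMPLE_CONFIG = """\
object-group network TEST
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
 network-object host 1.1.1.4
object-group service WEB tcp
 port-object eq 80
 port-object eq 443
access-list TEST-1 extended permit ip any any
access-list TEST-2 extended permit ip any object-group TEST
access-list TEST-3 extended permit tcp object-group TEST object-group TEST object-group WEB
"""

def parse_groups(config):
    """Return {group_name: member_count} for each object-group definition.
    Assumption: a nested group-object reference counts as one member."""
    sizes, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group (?:network|service|icmp-type|protocol) (\S+)", line)
        if m:
            current = m.group(1)
            sizes[current] = 0
        elif current and line.startswith(" ") and line.split()[0].endswith("-object"):
            sizes[current] += 1       # network-object, port-object, group-object, ...
        elif not line.startswith(" "):
            current = None            # any other top-level command ends the group
    return sizes

def count_elements(config):
    """Estimate elements per ACL: each configured line expands to the product
    of the sizes of the object-groups it references (1 if it references none).
    Assumption: an unknown group name is treated as a single element."""
    sizes = parse_groups(config)
    totals = defaultdict(int)
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) ", line)
        if not m:
            continue
        elements = 1
        for group in re.findall(r"object-group (\S+)", line):
            elements *= sizes.get(group, 1)
        totals[m.group(1)] += elements
    return dict(totals)
```

Running count_elements(SAMPLE_CONFIG) shows how three configured lines become 1 + 4 + 32 elements, which is why a 1000-line configuration can produce 30000 elements; the groups with the largest products are the first candidates to review.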
02-06-2014 06:09 AM
Thanks Jouni. You are right. I had confirmed the same with Cisco TAC yesterday.
Well, is there any way to optimize ACL lookup in PIX 7(0) versions?