Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
343
Views
8
Helpful
5
Replies

Manage PIX ACLs ?

yann.boulet
Level 1
Level 1

‎05-10-2007 12:25 AM - edited ‎03-11-2019 03:11 AM

Hello all,

i have a lot of rule on my V7.0 PIX and i want to know if there is a way to find an used rules in order to reduce the number of rules or maybe to know last time rules have been used or matched ?

Thank you

Labels:
0 Helpful
5 Replies 5

Jon Marshall
Hall of Fame
Hall of Fame

‎05-10-2007 01:47 AM

Hi

If you do a "sh access-list" from enable mode you should see the hit count at the end of the line eg:

access-list from_prod1 line 1 permit tcp object-group prod_machines host 10.228.56.2 eq telnet

access-list from_prod1 line 1 permit tcp host 10.228.51.51 host 10.228.56.2 eq telnet (hitcnt=12)

access-list from_prod1 line 1 permit tcp host 10.230.24.77 host 10.228.56.2 eq telnet (hitcnt=0)

access-list from_prod1 line 1 permit tcp host 10.181.66.12 host 10.228.56.2 eq telnet (hitcnt=0)

access-list from_prod1 line 1 permit tcp host 10.228.50.95 host 10.228.56.2 eq telnet (hitcnt=0)

access-list from_prod1 line 2 permit tcp object-group prod_machines host 10.228.56.3 eq telnet

So only the first line in the above access-list has any hits.

You can reset the counters by using the

"clear access-list counters"

HTH

Jon

yann.boulet
Level 1
Level 1
In response to Jon Marshall

‎05-10-2007 03:33 AM

Thanks for your help, just another question, do you know if it's possible to transform names in the configuration to ip addresses, i don't remember how to do it it's just be sure of the ip addresses when i use "sh access-list"

thanks

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to yann.boulet

‎05-10-2007 03:40 AM

Hi

If i understand correctly i'm not sure you can do this. You can do a "sh names" and then cross reference with the access-list but i don't know of a way to transpose the ip address instead of the name in a "sh access-list"

Hope i haven't misunderstood.

Jon

0 Helpful

mark.j.hodge
Level 3
Level 3
In response to Jon Marshall

‎05-10-2007 04:17 AM

There should be an entry in your configureation

"names"

if you run the command

"no names"

then all address to name translations will be turned off. This will *not* remove the name entries so you can turn it back on again without a problem.

** Please rate posts if helpful **

laurent.geyer
Level 1
Level 1
In response to Jon Marshall

‎05-10-2007 06:45 AM

This might be more useful if you do a `sh access-list | i hitcnt=0'.

That way you can sort out the rules that haven't received any hits over a certain time fram.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card