Access-list searching

Unanswered Question
Jun 17th, 2007

Hi all, I have only a small question. Does anyone of you know an easy way to find out whether communication is allowed or denied by an access-list? I cannot try the communication, I can only work with the lines of the access-list in the console. Maybe there exists some program or script for searching in an access-list. THX for your advice.

anandramapathy Mon, 06/18/2007 - 03:42

a) sh access-list (name )

It will show you the hit count.

inet-FW# sh access-list no-nat-dmz
access-list no-nat-dmz; 2 elements
access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)

You can use the pipe command for specifics, such as

show access-list (name ) | include ftp

It will give you all lines containing deny.

tprochazka Tue, 06/19/2007 - 04:51

Hello, thank you for your advice, but it will not help me. I know your way of checking the access-list, but this way requires me to know which line it is about. My problem is that I need to add a new line and I'm not sure whether this communication isn't already allowed somewhere higher up in the access-list (maybe with a shorter mask, or a full IP, ...). I think this needs some software or script, and I'm not able to find anything similar anywhere.
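The lookup asked for in the original question and in the follow-up (which line a given flow would hit first, and whether a proposed new line is already covered by an earlier, wider one) can be done offline against the text of "show access-list". The Python script below is an added example written for this thread; it is not a Cisco tool and not code from either poster. It parses PIX/ASA-style lines in the format quoted above (permit/deny, protocol, any / host A / network mask, optional "eq port"), applies first-match semantics with the implicit deny at the end, and reports earlier lines that fully shadow or partially overlap a candidate line. The sample access-list is constructed for the example (lines 3 and 4 are invented), the hitcnt fields are ignored, and object-groups, port ranges, ICMP types, time ranges and IOS wildcard-mask syntax are not handled.

```python
"""Offline first-match lookup and shadow check for PIX/ASA-style access-list
lines (added example, not a Cisco tool)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
LINE_RE = re.compile(r"^access-list\s+\S+\s+(?:line\s+(\d+)\s+)?(permit|deny)\s+"
                     r"(\S+)\s+(.*?)\s*(?:\(hitcnt=\d+\))?\s*$")

# Constructed sample in the style of the 'show access-list' output quoted in
# the thread; lines 3 and 4 are invented to add a host-specific deny and a
# port-specific permit. Not a real configuration.
SAMPLE_ACL = """\
access-list no-nat-dmz; 4 elements
access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 3 deny tcp host 10.100.36.7 10.1.0.0 255.255.0.0 eq 21 (hitcnt=0)
access-list no-nat-dmz line 4 permit tcp 10.100.36.0 255.255.255.0 any eq 80 (hitcnt=0)
"""


@dataclass
class AclEntry:
    line: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (matches everything), "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # from "eq N"; None means any port
    text: str

    def matches(self, proto: str, src_ip: str, dst_ip: str,
                dport: Optional[int] = None) -> bool:
        """Would a packet with these fields hit this line?"""
        return (self.proto in ("ip", proto)
                and ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst
                and self.dport in (None, dport))

    def covers(self, other: "AclEntry") -> bool:
        """Every packet `other` would match also matches this line, so a later
        `other` can never fire (e.g. shadowed by a shorter mask above it)."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.dport in (None, other.dport))

    def overlaps(self, other: "AclEntry") -> bool:
        """At least one packet would match both lines (partial preemption)."""
        return (("ip" in (self.proto, other.proto) or self.proto == other.proto)
                and (None in (self.dport, other.dport) or self.dport == other.dport)
                and self.src.overlaps(other.src) and self.dst.overlaps(other.dst))


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: any | host A | A MASK. Returns (net, next i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_entry(text: str, default_line: int) -> Optional[AclEntry]:
    """Parse one line; returns None for the '; N elements' header or other text."""
    m = LINE_RE.match(text.strip())
    if not m:
        return None
    line, action, proto, rest = m.groups()
    tokens = rest.split()
    src, i = _addr(tokens, 0)
    dst, i = _addr(tokens, i)
    dport = int(tokens[i + 1]) if i + 1 < len(tokens) and tokens[i] == "eq" else None
    return AclEntry(int(line) if line else default_line, action, proto,
                    src, dst, dport, text.strip())


def parse_acl(text: str) -> List[AclEntry]:
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        e = parse_entry(raw, len(entries) + 1)
        if e is not None:
            entries.append(e)
    return entries


def first_match(entries: List[AclEntry], proto: str, src_ip: str, dst_ip: str,
                dport: Optional[int] = None) -> Optional[AclEntry]:
    """First-match semantics: the first hit decides; None means implicit deny."""
    return next((e for e in entries if e.matches(proto, src_ip, dst_ip, dport)), None)


def check_new_line(entries: List[AclEntry],
                   new_text: str) -> Tuple[List[AclEntry], List[AclEntry]]:
    """Earlier lines that fully shadow, and that partially overlap, a candidate line."""
    new = parse_entry(new_text, len(entries) + 1)
    assert new is not None, "cannot parse: " + new_text
    shadowing = [e for e in entries if e.covers(new)]
    overlapping = [e for e in entries if not e.covers(new) and e.overlaps(new)]
    return shadowing, overlapping


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    hit = first_match(acl, "tcp", "10.100.36.7", "10.1.2.3", 21)
    print("tcp/21 10.100.36.7 -> 10.1.2.3:", hit.text if hit else "implicit deny")
    shadow, overlap = check_new_line(
        acl, "access-list no-nat-dmz permit tcp host 10.157.36.9 10.1.0.0 255.255.0.0 eq 22")
    print("shadowed by:", [e.line for e in shadow], "overlaps:", [e.line for e in overlap])
```

Paste the real "show access-list" output in place of SAMPLE_ACL (joining any console-wrapped lines first) and call first_match with the flow you intend to add; a non-empty "shadowed by" list from check_new_line means the new line would never be evaluated, and an "overlaps" list points at earlier host- or port-specific lines that take part of its traffic. Hit counts from "show access-list" remain useful alongside this: they tell you which lines have actually matched live traffic, while the script only predicts the lookup order.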
