
Access-list searching

tprochazka
Level 1

Hi all, I have only a small question. Does anyone of you know an easy way to find out whether communication is allowed or denied by an access-list? I cannot try the communication; I can only work with the lines of the access-list in the console. Maybe there exists some program or script for searching in an access-list. Thanks for your advice.

2 Replies

anandramapathy
Level 3

a) sh access-list (name )

It will show you the hitcount

inet-FW# sh access-list no-nat-dmz

access-list no-nat-dmz; 2 elements

access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)

access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)

You can use the pipe command for specifics, such as

show access-list (name ) | include ftp

It will give you all lines containing deny

Hello, thank you for your advice, but it will not help me. I know your way of checking an access-list, but this way requires me to know which line it is about. My problem is that I need to add a new line and I'm not sure whether this communication isn't allowed somewhere up in the access-list (maybe with a shorter mask, or a full IP, ...). I think that this needs some software or script, and I'm not able to find anything similar anywhere.
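
An added example, not part of any post in this thread: a small Python script that answers the question from pasted "show access-list" output by reporting the first line that covers a given flow, which is the line that decides it. It assumes netmask-style entries as in the output quoted above, with only "any", "host A" or "A MASK" address specs; ports and object-groups are not handled, and the third sample line is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the "show access-list" format quoted in the thread.
# Line 3 is an assumption, added to show a deny hidden behind a broader permit.
SAMPLE_ACL = """\
access-list no-nat-dmz; 3 elements
access-list no-nat-dmz line 1 permit ip 10.157.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 2 permit icmp 10.100.36.0 255.255.255.0 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list no-nat-dmz line 3 deny tcp host 10.157.36.5 any (hitcnt=0)
"""

RULE = re.compile(r"access-list \S+ line (\d+) (?:extended )?(permit|deny) (\S+) (.*)")

def take_net(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from the token list."""
    first = tokens.pop(0)
    if first in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Raises ValueError on anything else (e.g. object-group), so an
    # unsupported entry is never silently misread.
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Return (line_no, action, proto, src_net, dst_net) for each rule, in ACL order."""
    rules = []
    for raw in text.splitlines():
        m = RULE.match(raw.strip())
        if not m:
            continue  # header line such as "...; 3 elements"
        tokens = m.group(4).split()
        src = take_net(tokens)
        dst = take_net(tokens)
        rules.append((int(m.group(1)), m.group(2), m.group(3), src, dst))
    return rules

def first_match(rules, proto, src, dst):
    """First rule covering the flow (ports ignored); None means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line_no, action, r_proto, r_src, r_dst in rules:
        if r_proto in ("ip", proto) and s in r_src and d in r_dst:
            return line_no, action
    return None

if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    print(first_match(rules, "tcp", "10.157.36.5", "10.1.2.3"))  # decided by line 1
```

In the sample, the host deny on line 3 never takes effect for destinations in 10.0.0.0/8, because the wider permit on line 1 matches first; this is the "shorter mask higher up" case raised in the last post.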