Unanswered Question
Sep 13th, 2007


Basically, there would be an "access-group" under which there would be multiple "rules" listed. This "access-group" would then be applied on the desired interface.

When some transactions matching them are generated, a message is logged with the "access-group" (ex: PIX-4-106023).

Is it possible to get the exact rule within the "access-group" that matched? If so, do let me know.



micheljoh Thu, 09/13/2007 - 22:17


Well hum

You have an access-list specified on the access-group:


access-list Web-Trafic permit tcp any any eq 80

and then an access-group applied to your interface:

access-group Web-Trafic in interface outside

If you need to know what hit the "access-group", look at the access-list with:

sh access-list Web-Trafic

You would get something like:

access-list Web-Trafic; 1 element

access-list Web-Trafic line 1 extended permit tcp any any eq 80 (hitcnt=11)

This would mean 11 hits on that access-list, which is applied to the access-group.

Regards//Michel

Thu, 09/13/2007 - 23:54

Hi Michel,

Appreciate your reply. Your suggestion would get the total hits for the rule defined within the group.

Consider the case below (some sample rules):

access-list outside_access_in; 2 elements

access-list outside_access_in line 1 permit tcp x.x.x.x any (hitcnt=0)

access-list outside_access_in line 2 deny tcp any any eq FTP (hitcnt=0)

Now, assume we have a transaction matching rule 2. I would love to see the exact rule along with the source-destination combination in the logs, like: connection from source X to destination Y was dropped as rule "outside_access_in line 2" doesn't permit it.

Is this possible? PIX is giving the group name and not the exact rule within it. Hope I am clear with my requirement :-(.



micheljoh Fri, 09/14/2007 - 00:35


Well, if I understand you correctly, what you could do is put a log level at the end of the second rule:


access-list outside_access_in line 2 deny tcp any any eq FTP log errors

and then log, for example, to the buffer:

Config example:

logging on

logging buffered errors

If you want a larger buffer, use:

logging buffer-size ?

Although using this will only hit on sources going to FTP that are not sourced from your x.x.x.x network,

since FTP from that network is being allowed on line 1.

You can also use the log message ID and log that to either syslog or the buffer.
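Putting the two replies together, as an added example that is not part of this thread and not Cisco's own tooling: a short Python script that reads constructed sample syslog lines and a constructed `show access-list` listing, shows that a 106023 message only names the access-group (the original question), and resolves a 106100 message (the per-ACE message a PIX/ASA emits once an ACE carries the `log` keyword, as in Michel's second reply) back to the exact line of the access-list. The message layouts, and the idea that the first hash in a 106100 message matches the hash printed after each ACE in `show access-list` on newer images, are assumptions taken from Cisco's documented formats; the addresses, hashes and hit counts are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread). The syslog layouts follow the
# documented PIX/ASA messages 106023 (denied by access-group, no ACE detail) and
# 106100 (per-ACE message emitted when an ACE carries the "log" keyword). The
# trailing hex value on each "show access-list" line is the ACE hash that newer
# PIX/ASA images print; matching it to the first hash in a 106100 message is an
# assumption to verify against your own firewall before relying on it.
SHOW_ACCESS_LIST = """\
access-list outside_access_in; 2 elements
access-list outside_access_in line 1 extended permit tcp 198.51.100.0 255.255.255.0 any eq ftp (hitcnt=3) 0x5e6f7a8b
access-list outside_access_in line 2 extended deny tcp any any eq ftp log errors (hitcnt=1) 0x1a2b3c4d
"""

SYSLOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.7/40112 dst inside:192.0.2.10/21 by access-group "outside_access_in" [0x0, 0x0]
%PIX-3-106100: access-list outside_access_in denied tcp outside/203.0.113.7(40112) -> inside/192.0.2.10(21) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%PIX-6-106100: access-list outside_access_in permitted tcp outside/198.51.100.5(51000) -> inside/192.0.2.10(21) hit-cnt 3 300-second interval [0x5e6f7a8b, 0x0]
%PIX-6-302013: Built inbound TCP connection 12 for outside:198.51.100.5/51000 (198.51.100.5/51000) to inside:192.0.2.10/21 (192.0.2.10/21)
"""

# One ACE line of "show access-list": name, line number, ACE text, hit count, hash.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) (?P<hash>0x[0-9a-fA-F]+)$"
)
# 106023 carries the flow and the access-group name, but nothing that says which ACE matched.
MSG_106023_RE = re.compile(
    r"%PIX-\d-106023: (?P<action>Deny) (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[^/]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[^/]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)
# 106100 carries the flow, the ACL name and (as the first bracketed value) the ACE hash.
MSG_106100_RE = re.compile(
    r"%PIX-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\w+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
    r".*\[(?P<hash>0x[0-9a-fA-F]+), "
)


@dataclass
class AclEvent:
    msg_id: str
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ace_hash: Optional[str]  # only 106100 identifies the matching ACE


def index_aces(show_output: str) -> Dict[Tuple[str, str], Tuple[int, str]]:
    """Map (ACL name, ACE hash) -> (line number, ACE text) from show access-list output."""
    index: Dict[Tuple[str, str], Tuple[int, str]] = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            index[(m["acl"], m["hash"].lower())] = (int(m["line"]), m["body"])
    return index


def parse_event(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for a 106023 or 106100 line, None for any other message."""
    m = MSG_106023_RE.search(line)
    if m:
        return AclEvent("106023", m["acl"], m["action"].lower(), m["proto"],
                        m["src"], int(m["sport"]), m["dst"], int(m["dport"]), None)
    m = MSG_106100_RE.search(line)
    if m:
        return AclEvent("106100", m["acl"], m["action"], m["proto"],
                        m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                        m["hash"].lower())
    return None


def explain(ev: AclEvent, index: Dict[Tuple[str, str], Tuple[int, str]]) -> str:
    """Describe the flow and, where the message allows it, the exact ACE that matched."""
    flow = f"{ev.proto} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}"
    if ev.ace_hash is None:
        return f"{flow} {ev.action} by access-group {ev.acl} (106023: rule not identified)"
    hit = index.get((ev.acl, ev.ace_hash))
    if hit is None:
        return f"{flow} {ev.action} by {ev.acl}, ACE hash {ev.ace_hash} not in show access-list"
    line_no, body = hit
    return f"{flow} {ev.action} by {ev.acl} line {line_no}: {body}"


def correlate(syslog: str, show_output: str) -> List[str]:
    """Parse every ACL-related syslog line and resolve it against the ACE index."""
    index = index_aces(show_output)
    return [explain(ev, index) for ev in map(parse_event, syslog.splitlines()) if ev]


if __name__ == "__main__":
    for summary in correlate(SYSLOG, SHOW_ACCESS_LIST):
        print(summary)
```

Run as-is it prints one line per ACL event: the 106023 line can only be attributed to the access-group, while the two 106100 lines are tied to "line 2" and "line 1" of `outside_access_in` through the hash. The 302013 connection message is ignored, which is the behaviour you want when feeding a whole `show logging` buffer into the script. If your image does not print hashes in `show access-list`, the 106100 message still gives you the ACL name, action and flow, which already answers the source/destination part of the question.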


