Inactive ACLs in PIX/ASA

Unanswered Question
Mar 25th, 2009

Hi Everyone,

I have 30 Cisco PIX and ASA firewalls. Each interface has ACLs applied with hundreds of access control entries.

I would like to know which ACEs are inactive for, let's say, the last thirty days and should be removed. Any help?

Additionally, is there any automated tool that can do this job and report which ACEs are lying in the configuration, not getting any hits, and should be removed?

Collin Clark Thu, 03/26/2009 - 07:26

The only way I know of (and have done) is to clear the ACL counters, wait 30 days, and remove the ones with no hit counts.

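The counter-based approach above can be scripted. The following is an added example, not code from the poster or from Cisco: it parses `show access-list` output (a constructed sample is embedded), sums hit counts per ACE line so that object-group expansions are handled, and lists the ACEs with zero hits. The ACL name, addresses and hashes in the sample are made up.

```python
import re

# Constructed sample of Cisco ASA `show access-list` output (not from the
# poster's firewalls). On ASA, `clear access-list <name> counters` zeroes the
# counters before the observation window (assumed syntax, check your release).
# Object-group ACEs expand into indented child lines that share the parent's
# line number; the parent line carries no hitcnt, each child carries its own.
SAMPLE_OUTPUT = """\
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 192.0.2.10 eq www (hitcnt=4821) 0x0f0f0f01
access-list outside_in line 2 extended permit tcp any object-group DMZ_WEB eq https 0x0f0f0f02
  access-list outside_in line 2 extended permit tcp any host 192.0.2.20 eq https (hitcnt=0) 0x0f0f0f03
  access-list outside_in line 2 extended permit tcp any host 192.0.2.21 eq https (hitcnt=77) 0x0f0f0f04
access-list outside_in line 3 extended permit udp any host 192.0.2.30 eq domain (hitcnt=0) 0x0f0f0f05
access-list outside_in line 4 extended deny ip any any log (hitcnt=0) 0x0f0f0f06
"""

# Matches any entry that carries a hit counter; header and unexpanded
# object-group parent lines do not match and are skipped.
ACE_RE = re.compile(
    r"^\s*access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\)"
)


def parse_hitcounts(text):
    """Return {(acl, line): (rule, total_hits)}, summing expanded children.

    For an object-group ACE the rule text kept is that of its first expanded
    element; the total is what matters for the unused-ACE decision.
    """
    totals = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue
        key = (m["acl"], int(m["line"]))
        rule, hits = totals.get(key, (m["rule"], 0))
        totals[key] = (rule, hits + int(m["hits"]))
    return totals


def unused_aces(text):
    """(acl, line, rule) for every ACE whose summed hitcnt is zero."""
    return [(acl, line, rule)
            for (acl, line), (rule, hits) in sorted(parse_hitcounts(text).items())
            if hits == 0]


if __name__ == "__main__":
    for acl, line, rule in unused_aces(SAMPLE_OUTPUT):
        print(f"no hits: access-list {acl} line {line} {rule}")
```

A zero count is evidence, not proof: ACEs that cover rare traffic (backup windows, failover, annual jobs) and a trailing explicit deny legitimately show hitcnt=0 inside the window, and counters also reset on reload, so check uptime before trusting the report.
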
kotrade Thu, 03/26/2009 - 08:08

Thanks. Any direction on software/tools to examine thousands of ACEs on PIX/ASA firewalls?
