Matches on ACL

k.kyriacou · ‎04-21-2006

Can somebody explain why some rules have the amount of matches next to it when you do a show acl command on CISCO 3845 ASA and on some, for instance, the allow http traffic command shows none.

here's an example;

2260 permit tcp host 10.220.*.* host 10.220.*.* eq **** (497 matches)

1780 permit tcp 10.220.*.* 0.0.7.255 any eq www

Notice the www rule has no matches next to it?

I want to figure out which rules are not in use as the ACL is becoming too large.

mheusinger · ‎04-21-2006

This usually means, that there were no packets matching this entry. This means either that there is no matching line in the ACL or another line, which matches traffic including WWW traffic.

F.e. in an ACL

access-list 100 permit ip any any

access-list 100 permit tcp any any eq www

the second line will never get any matches, because the first line matches also all tcp traffic.

So in case you get no matches on an ACL statement you might be able to remove it without loosing anything.

Another point to consider is the direction an ACL is applied. Assume you have a Web server and apply an ACL outgoing towards internet.

access-list 101 permit tcp any any eq www

access-list 101 permit tcp any eq www any

Here the first line will not get matches, because the web-server will answer user requests from the internet, i.e. towards the internet port 80 is found as source port.

Hope this helps! Please rate all posts.

Regards, Martin

haithamnofal · ‎04-22-2006

Hi Martin,

You mean in your post that the second line "access-list 101 permit tcp any eq www any" wont get any hits because the source is always random and the destination should be port 80, right?

Thanks,

Haitham

k.kyriacou · ‎04-24-2006

Thx Martin,

Thats cleared it uo for me.