04-21-2006 06:17 AM - edited 02-20-2020 09:36 PM
Can somebody explain why some rules have the number of matches next to them when you do a show acl command on a CISCO 3845 ASA, while on some others, for instance the allow http traffic command, it shows none.
Here's an example:
2260 permit tcp host 10.220.*.* host 10.220.*.* eq **** (497 matches)
1780 permit tcp 10.220.*.* 0.0.7.255 any eq www
Notice the www rule has no matches next to it?
I want to figure out which rules are not in use as the ACL is becoming too large.
04-21-2006 07:14 AM
This usually means that there were no packets matching this entry. This means either that there is no matching traffic for this line in the ACL, or that another line matches the traffic, including WWW traffic.
E.g. in an ACL
access-list 100 permit ip any any
access-list 100 permit tcp any any eq www
the second line will never get any matches, because the first line also matches all tcp traffic.
So in case you get no matches on an ACL statement you might be able to remove it without losing anything.
Another point to consider is the direction an ACL is applied. Assume you have a Web server and apply an ACL outgoing towards internet.
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any eq www any
Here the first line will not get matches, because the web server will answer user requests from the internet, i.e. towards the internet, port 80 is found as the source port.
Hope this helps! Please rate all posts.
Regards, Martin
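As an added example (not from this thread and not a Cisco tool), the small Python script below applies Martin's reasoning mechanically: it parses simple access-list lines (any, host, or address plus wildcard mask, with an optional eq port on either the source or the destination side) and reports every entry that an earlier entry already covers completely, so that it can never get a match no matter what the hit counter shows. The PORT_NAMES table and SAMPLE_ACL are constructed for the example; subnet containment comes from the standard library ipaddress module. Note that a deny line above a permit line shadows it just the same, so the action is deliberately ignored when checking coverage.

```python
"""Find access-list entries that can never get a match because an earlier
entry already covers all of their traffic.  Constructed example; it is not a
Cisco tool and only understands the simple syntax used in this thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port keywords as they appear in Cisco ACL output (constructed, partial table).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "telnet": 23,
              "smtp": 25, "domain": 53, "ftp": 21}


@dataclass
class Entry:
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok.lower()) or int(tok)


def _address(toks: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' starting at toks[i]."""
    t = toks[i]
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    wild = toks[i + 1]
    # 0.0.0.0 and 255.255.255.255 are ambiguous between netmask and wildcard
    # for the ipaddress module, so handle them explicitly; any other wildcard
    # is passed to ipaddress as a hostmask.
    if wild == "0.0.0.0":
        return ipaddress.IPv4Network(t + "/32"), i + 2
    if wild == "255.255.255.255":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 2
    return ipaddress.IPv4Network((t, wild), strict=False), i + 2


def _opt_port(toks: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


def parse_entry(line: str) -> Optional[Entry]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]'.
    A leading sequence number (show access-list output) and a trailing
    '(N matches)' counter are tolerated; other lines (remarks) return None."""
    line = re.sub(r"\s*\(\d+ matches\)\s*$", "", line.strip())
    toks = line.split()
    if toks and toks[0] == "access-list":
        toks = toks[2:]
    elif toks and toks[0].isdigit():
        toks = toks[1:]
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        return None
    src, i = _address(toks, 2)
    sport, i = _opt_port(toks, i)
    dst, i = _address(toks, i)
    dport, _ = _opt_port(toks, i)
    return Entry(line, toks[0], toks[1].lower(), src, sport, dst, dport)


def covers(a: Entry, b: Entry) -> bool:
    """True if every packet b would match is already matched by a.
    The action is ignored on purpose: a deny above a permit shadows it too."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and (a.sport is None or a.sport == b.sport)
            and (a.dport is None or a.dport == b.dport)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst))


def shadowed_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (shadowed line, first earlier line that covers it) pairs."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    found = []
    for idx, later in enumerate(entries):
        for earlier in entries[:idx]:
            if covers(earlier, later):
                found.append((later.text, earlier.text))
                break
    return found


# Constructed ACL modelled on the thread's examples (not real config).
SAMPLE_ACL = [
    "access-list 100 permit tcp any any eq www",
    "access-list 100 permit tcp any eq www any",               # port on the other side: live
    "access-list 100 permit tcp 10.220.0.0 0.0.7.255 any eq www (0 matches)",  # covered by line 1
    "access-list 100 deny tcp host 10.220.9.9 any eq 443",
    "access-list 100 permit tcp host 10.220.9.9 any eq https",  # covered by the deny above
    "access-list 100 permit ip any any",
    "access-list 100 permit udp any any eq domain",            # covered by permit ip any any
]

if __name__ == "__main__":
    for later, earlier in shadowed_entries(SAMPLE_ACL):
        print(f"never matches: {later}\n   covered by: {earlier}")
```

Run it against one ACL at a time (feed it the lines of a single access-list, not a whole config), and treat a reported line as a candidate for removal only after checking that the covering line really is meant to handle that traffic; a zero hit counter on a line that is not shadowed may simply mean the traffic has not occurred yet, which this check cannot tell you.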
04-22-2006 12:42 PM
Hi Martin,
You mean in your post that the second line "access-list 101 permit tcp any eq www any" won't get any hits because the source is always random and the destination should be port 80, right?
Thanks,
Haitham
04-24-2006 01:22 AM
Thx Martin,
That's cleared it up for me.