Cisco Support Community
Community Member

ASA ACL Questions

Hello everyone-

I have an ASA-5585-SSP-10 that I have subinterfaces and VLANs created on. I used this ASA to firewall the vlans downstream on our Catalyst 4k's. Most all of my interfaces have specific ACLs in for the necessary traffic and all is good. I have a couple interfaces that have an IP any-any in and I would like to remove the any-any, but do not want to do so immediately, as the ACL has thousands of hits. I have cleared the ACL hit counter, but would like to know how I determine what traffic (source, dest, etc) is hitting the any-any so I can build specific ACLs to match, and ultimately remove the any-any. I have reviewed the log for a specific any-any, but this has not turned out to be helpful. Can anyone give me some help?

Thank you-


Super Bronze



I would suggest considering adding a "log" keyword to the "permit ip any any" rule you have and setting the logging level you want.

Here is the explanation of the "log" parameter at the end of the "access-list" command


(Optional) Sets logging options when an ACE matches a packet for network access (an ACL applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated.

I guess you might have to play around with the "interval" value perhaps.

Source from Command Reference:

To my understanding if you have a "permit" line in the ACL then usually no log messages are generated at all for traffic/connections matching these rules. The "deny" rules however generate Notifications level messages.

Since using the "log" parameter at the end of this "permit ip any any" rule will generate Syslog messages with a specific Syslog ID mentioned above, you could only have this "log" enabled on that single ACL and single rule of that ACL and log messages to a Syslog server.

You could then later gather the information and filter/parse the mentioned Syslog ID messages from that log. You could then further parse that log for the things that need to stay open and require their own rules.

Naturally there are probably tools that would also handle this, but I haven't had the chance to work with any.

I am wondering if any of the allowed traffic is outbound to Internet? I'd imagine this might cause problems to go through. Then again this kind of traffic could be allowed perhaps "permit tcp any any eq " to allow the basic services outbound.

Hope this helps

- Jouni
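As an added illustration of the approach Jouni describes (not code from the thread or from Cisco), the script below parses syslog 106100 messages exported from a syslog server, keeps only the "permitted" hits for one named ACL, sums the hit counts per protocol/source/destination/port, and renders candidate ACEs busiest-first. The syslog lines and ACL names are constructed sample data; the message layout follows the documented 106100 format, with the optional identity-firewall "(user)" fields tolerated.

```python
import re
from collections import Counter

# Syslog 106100 layout: access-list ACL {permitted|denied|est-allowed} proto
#   in_if/src(sport)[(user)] -> out_if/dst(dport)[(user)] hit-cnt N (...)
LOG_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\)(?:\([^)]*\))? hit-cnt (?P<hits>\d+)"
)

def parse_106100(line):
    """Return the fields of a 106100 message, or None for any other syslog line."""
    m = LOG_106100.search(line)
    return m.groupdict() if m else None

def summarize(lines, acl_name):
    """Sum hit counts per (proto, src, dst, dport) for permitted flows on one ACL."""
    flows = Counter()
    for line in lines:
        rec = parse_106100(line)
        if not rec or rec["acl"] != acl_name or rec["action"] != "permitted":
            continue
        flows[(rec["proto"], rec["src"], rec["dst"], int(rec["dport"]))] += int(rec["hits"])
    return flows

def propose_aces(flows, acl_name):
    """Render one host-to-host ACE per observed flow, busiest first."""
    aces = []
    for (proto, src, dst, dport), hits in flows.most_common():
        ace = f"access-list {acl_name} extended permit {proto} host {src} host {dst}"
        if proto in ("tcp", "udp"):      # the parenthesised value is a port only for tcp/udp
            ace += f" eq {dport}"
        aces.append((ace, hits))
    return aces

# Constructed sample export; real lines carry the same 106100 body after the syslog header.
SAMPLE = [
    "Mar  1 10:00:01 fw1 %ASA-6-106100: access-list vlan20_in permitted tcp vlan20/10.20.0.15(51422) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Mar  1 10:05:01 fw1 %ASA-6-106100: access-list vlan20_in permitted tcp vlan20/10.20.0.15(51488) -> outside/192.0.2.10(443) hit-cnt 42 300-second interval [0x1a2b3c4d, 0x0]",
    "Mar  1 10:05:02 fw1 %ASA-6-106100: access-list vlan20_in permitted udp vlan20/10.20.0.8(53001) -> vlan10/10.10.0.2(53) hit-cnt 9 300-second interval [0x5e6f7a8b, 0x0]",
    "Mar  1 10:05:03 fw1 %ASA-6-106100: access-list vlan30_in permitted tcp vlan30/10.30.0.4(40000) -> outside/198.51.100.7(80) hit-cnt 3 300-second interval [0x9c0d1e2f, 0x0]",
    'Mar  1 10:05:04 fw1 %ASA-4-106023: Deny tcp src vlan20/10.20.0.99/5555 dst outside/203.0.113.5/22 by access-group "vlan20_in"',
]

if __name__ == "__main__":
    for ace, hits in propose_aces(summarize(SAMPLE, "vlan20_in"), "vlan20_in"):
        print(f"{hits:6d}  {ace}")
```

The per-host output is a starting point; in practice the busiest entries are collapsed into object-groups or subnet rules before the any-any is removed.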

Community Member



How would you recommend I allow Internet access outbound using ACLs in the ASA, without the any-any? We do not proxy to our web filter appliance; we have a Juniper firewall (external) which redirects 80 and 443 traffic to the web filter, and it then sends Internet traffic out.

