Community Member

Confirming if access-lists are working!

Hi friends,

I had this small query; I am sure it would be fairly simple for anyone using ACLs quite often to advise me.

If we have an access-list created but not applied to an interface, and do "sho access-lists", it will still show me hit-counts? This is normal, right?

The only thing is that the rule is not being actioned.

Example below:

Router#sho access-lists
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4424 matches)
    20 permit ip host 10.0.0.15 any (3635 matches)
    30 permit ip host 10.0.0.11 any (97680 matches)
    40 permit ip host 10.0.0.10 any (2271613 matches)
    50 permit ip host 10.0.0.251 any (1 match)
    60 permit ip host 10.0.0.171 any (174 matches)
    70 permit ip host 10.0.0.124 any (10084 matches)
    80 permit ip host 10.0.0.183 any (5195 matches)
    90 permit ip host 10.0.0.172 any (34856 matches)
    100 permit ip host 10.0.0.186 any (6623 matches)

Please correct me if I am wrong.

Thanks!

Regards.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Community Member

Confirming if access-lists are working!

The counter in brackets means the ACL is hit for sure.

If it's not applied at this time, maybe it was applied earlier; the hit counter will remain unless you reboot the firewall or delete/create the ACL again.

Confirming if access-lists are working!

I agree with Ahmad.

You should check if these counters are increasing; as I said, they should not increase if not applied to an interface.

5 REPLIES

Confirming if access-lists are working!

If the ACL is not applied to an interface, it won't increase hit counts.

Community Member

Re: Confirming if access-lists are working!

Hi Ajay

So the matches in the bracket in the output above would mean hits, right?


Community Member

Re: Confirming if access-lists are working!

Thanks guys, it was indeed a good help. There was no access-list applied to any interface; it was just used for NAT. Stupid me, I didn't notice that.

Cheers!
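
The check suggested in the thread (see whether the counters are still increasing) can be scripted by comparing two captures of the `show access-lists` output taken some time apart. This is an added example, not part of the original thread; the two snapshots are constructed sample data in the format shown in the question, and the function names are made up for the example.

```python
import re

# Matches headers such as "Extended IP access list 150"
HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# Matches entries such as "30 permit ip host 10.0.0.11 any (97680 matches)";
# the counter is optional because entries with no hits print no bracket.
ENTRY = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_acl_counters(text):
    """Return {(acl_name, sequence): (rule_text, hit_count)}."""
    counters, acl = {}, None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            acl = header.group(1)
            continue
        entry = ENTRY.match(line)
        if entry and acl is not None:
            seq, rule, hits = entry.groups()
            counters[(acl, int(seq))] = (rule, int(hits or 0))
    return counters

def changed_entries(before, after):
    """Entries whose hit count grew between two snapshots, as {(acl, seq): delta}."""
    old, new = parse_acl_counters(before), parse_acl_counters(after)
    deltas = {}
    for key, (_, hits) in new.items():
        delta = hits - old.get(key, ("", 0))[1]
        if delta > 0:  # a cleared counter gives a negative delta and is skipped
            deltas[key] = delta
    return deltas

# Constructed sample snapshots (not real device output)
SNAPSHOT_1 = """\
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any
Extended IP access list 150
    10 permit ip host 10.0.0.160 any (4424 matches)
    50 permit ip host 10.0.0.251 any (1 match)
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("(4424 matches)", "(4431 matches)")

if __name__ == "__main__":
    for (acl, seq), delta in sorted(changed_entries(SNAPSHOT_1, SNAPSHOT_2).items()):
        print(f"ACL {acl} seq {seq}: +{delta} hits, so it is still being evaluated")
```

A growing counter means the ACL is referenced somewhere on the device, which in the original poster's case turned out to be NAT rather than an interface.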
