New Member

Manage PIX ACLs ?

Hello all,

I have a lot of rules on my V7.0 PIX and I want to know if there is a way to find unused rules in order to reduce the number of rules, or maybe to know the last time rules have been used or matched?

Thank you

5 REPLIES
Hall of Fame Super Blue

Re: Manage PIX ACLs ?

Hi

If you do a "sh access-list" from enable mode you should see the hit count at the end of the line eg:

access-list from_prod1 line 1 permit tcp object-group prod_machines host 10.228.56.2 eq telnet

access-list from_prod1 line 1 permit tcp host 10.228.51.51 host 10.228.56.2 eq telnet (hitcnt=12)

access-list from_prod1 line 1 permit tcp host 10.230.24.77 host 10.228.56.2 eq telnet (hitcnt=0)

access-list from_prod1 line 1 permit tcp host 10.181.66.12 host 10.228.56.2 eq telnet (hitcnt=0)

access-list from_prod1 line 1 permit tcp host 10.228.50.95 host 10.228.56.2 eq telnet (hitcnt=0)

access-list from_prod1 line 2 permit tcp object-group prod_machines host 10.228.56.3 eq telnet

So only the first line in the above access-list has any hits.

You can reset the counters by using the

"clear access-list counters"

HTH

Jon

New Member

Re: Manage PIX ACLs ?

Thanks for your help, just another question: do you know if it's possible to transform names in the configuration to IP addresses? I don't remember how to do it; it's just to be sure of the IP addresses when I use "sh access-list".

thanks

Hall of Fame Super Blue

Re: Manage PIX ACLs ?

Hi

If I understand correctly, I'm not sure you can do this. You can do a "sh names" and then cross-reference with the access-list, but I don't know of a way to transpose the IP address instead of the name in a "sh access-list".

Hope I haven't misunderstood.

Jon

Re: Manage PIX ACLs ?

There should be an entry in your configuration

"names"

if you run the command

"no names"

then all address to name translations will be turned off. This will *not* remove the name entries so you can turn it back on again without a problem.

** Please rate posts if helpful **

New Member

Re: Manage PIX ACLs ?

This might be more useful if you do a "sh access-list | i hitcnt=0".

That way you can sort out the rules that haven't received any hits over a certain time frame.
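Added example (not from this thread or from Cisco): a small parser for the "sh access-list" output format quoted above, showing why grepping for hitcnt=0 is only a first pass. The sample reuses the lines Jon posted plus two constructed expansions for line 2; the point is that a line built from an object-group expands into several ACEs, and it is only a removal candidate when every expansion is at zero (line 1 still has three zero-hit members even though the line as a whole is in use). Counters are, as noted above, only meaningful relative to the last "clear access-list counters" or reload.

```python
import re

# Constructed sample: the lines quoted in this thread, plus two expansions for
# line 2 that the original post truncated (assumed, not from the page).
SAMPLE = """\
access-list from_prod1 line 1 permit tcp object-group prod_machines host 10.228.56.2 eq telnet
access-list from_prod1 line 1 permit tcp host 10.228.51.51 host 10.228.56.2 eq telnet (hitcnt=12)
access-list from_prod1 line 1 permit tcp host 10.230.24.77 host 10.228.56.2 eq telnet (hitcnt=0)
access-list from_prod1 line 1 permit tcp host 10.181.66.12 host 10.228.56.2 eq telnet (hitcnt=0)
access-list from_prod1 line 1 permit tcp host 10.228.50.95 host 10.228.56.2 eq telnet (hitcnt=0)
access-list from_prod1 line 2 permit tcp object-group prod_machines host 10.228.56.3 eq telnet
access-list from_prod1 line 2 permit tcp host 10.228.51.51 host 10.228.56.3 eq telnet (hitcnt=0)
access-list from_prod1 line 2 permit tcp host 10.230.24.77 host 10.228.56.3 eq telnet (hitcnt=0)
"""

# One ACE per line; the trailing "(hitcnt=N)" is absent on the object-group parent line.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<body>.*?)(?: \(hitcnt=(?P<hits>\d+)\))?$"
)

def parse_access_list(text):
    """Parse 'show access-list' output into dicts; hits is None for parent lines."""
    entries = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # skip headers and any other non-ACE output
        hits = m.group("hits")
        entries.append({"acl": m.group("acl"), "line": int(m.group("line")),
                        "body": m.group("body"),
                        "hits": None if hits is None else int(hits)})
    return entries

def zero_hit_entries(entries):
    """What 'sh access-list | i hitcnt=0' shows: expanded ACEs with no matches."""
    return [e for e in entries if e["hits"] == 0]

def unused_lines(entries):
    """Config lines ('line N') whose expanded ACEs all have hitcnt=0.

    A line referencing an object-group expands to several ACEs, so it is only a
    removal candidate when every expansion is zero; parent lines carry no count.
    """
    per_line = {}
    for e in entries:
        if e["hits"] is not None:
            per_line.setdefault((e["acl"], e["line"]), []).append(e["hits"])
    return sorted(k for k, hits in per_line.items() if all(h == 0 for h in hits))

if __name__ == "__main__":
    print(unused_lines(parse_access_list(SAMPLE)))  # [('from_prod1', 2)]
```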
