Cisco Support Community

New Member

Show access-list help on ASA

I am trying to view a specific line count of access lists on the ASA. Currently if I run show access-list inside_access_in I can't specify the line I would like to filter on. I'm trying to view all hits on ACEs (access list entries) on line 2. So I'm running the command show access-list inside_access_in | grep -v (hitcnt=0). This tells the ASA to show me all ACLs on the ASA with a hitcnt that is not = to 0. That part works fine but I would like to only show the line 2 ACLs instead of every one of the ACLs on the ASA. Is there a regular expression or something I can do for this?

8 REPLIES
Hall of Fame Super Silver

Show access-list help on ASA

Why not just:

     show access-list inside_access_in | grep (line 2)

?

Sure you'll get an output whether or not the hitcnt=0 but is that important?

New Member

Show access-list help on ASA

Well, because line 2 has thousands of actual lines and I don't want to sift through them all. I want to look at all line 2 entries which have a hitcnt (not equal to) 0.

New Member

Show access-list help on ASA

The only way I can think of getting this information is to do a 'sh access-list inside_access_in | ex hitcnt=0'. This will show you every line where the hitcnt does not equal zero, but if you save the output to a file you can then grab the relevant information you are looking for from that text file.

Matt

Hall of Fame Super Silver

Show access-list help on ASA

I don't think you have the flexibility with the limited regex support in the ASA to do the logical AND.

You should be able to capture the lengthy output and then create a script in your external tool of choice to post-process the output winnowing it down to the interesting entries.

New Member

Show access-list help on ASA

Yes, I am aware of the command to exclude the hitcnt=0, that is what I'm using currently. I have many lines of ACLs though so the AND operation would be really nice to have.

New Member

Show access-list help on ASA

From

https://www.m00nie.com/2011/09/cisco-pipe-options-and-some-regex-examples/

There is no “real” AND function but you can use .* (dot then star) to match everything between two other expressions. Below we match ACLs from 192.168.15-19.x AND that have a hit count of zero..

show access-list | inc 192.168.1[5-9].*cnt=0

New Member

This should do it

show access-list inside_access_in | i line 2 .*hitcnt=[1-9]
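
Two of the replies above suggest different routes to the same AND filter: capture the output and post-process it in an external tool, or use the ASA's own `| include` with a `.*` regex such as `line 2 .*hitcnt=[1-9]`. The script below is an added example (not from the original thread or from Cisco) that does both against a small constructed sample of `show access-list` output: it parses each ACE into its ACL name, line number, hit count and hash, filters on line number AND non-zero hitcnt, and also emulates the device-side `| include` regex so the two approaches can be compared. The sample output, addresses and hashes are made up for illustration; the parsing regex assumes the usual `access-list NAME line N ... (hitcnt=N) 0x...` layout and ignores the summary line at the top.

```python
import re

# Constructed sample of "show access-list inside_access_in" output.
# Not captured from a real device: addresses, hit counts and hashes are invented.
# Indented lines are the object-group expansions the ASA prints under line 2.
SAMPLE_OUTPUT = """\
access-list inside_access_in; 6 elements; name hash: 0x12345678
access-list inside_access_in line 1 extended permit tcp any host 10.1.1.10 eq www (hitcnt=0) 0xaaaa0001
access-list inside_access_in line 2 extended permit tcp object-group NET_A host 10.1.1.20 eq ssh (hitcnt=42) 0xaaaa0002
  access-list inside_access_in line 2 extended permit tcp 192.168.15.0 255.255.255.0 host 10.1.1.20 eq ssh (hitcnt=40) 0xaaaa0003
  access-list inside_access_in line 2 extended permit tcp 192.168.16.0 255.255.255.0 host 10.1.1.20 eq ssh (hitcnt=0) 0xaaaa0004
  access-list inside_access_in line 2 extended permit tcp 192.168.17.0 255.255.255.0 host 10.1.1.20 eq ssh (hitcnt=2) 0xaaaa0005
access-list inside_access_in line 20 extended deny ip any any (hitcnt=17) 0xaaaa0006
"""

# One ACE per line: name, line number, rule body, hit count, optional trailing hash.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<body>.*?)\s+\(hitcnt=(?P<hits>\d+)\)(?:\s+(?P<hash>0x[0-9a-f]+))?\s*$"
)


def parse_aces(output):
    """Turn raw 'show access-list' text into a list of dicts, one per ACE."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # summary line, blank line, or anything that is not an ACE
        aces.append({
            "acl": m.group("acl"),
            "line": int(m.group("line")),
            "body": m.group("body"),
            "hits": int(m.group("hits")),
            "hash": m.group("hash"),
            "expanded": raw.startswith(" "),  # object-group expansion entry
        })
    return aces


def filter_aces(output, line_no, min_hits=1):
    """The logical AND the thread asks for: ACEs on line_no with hitcnt >= min_hits."""
    return [a for a in parse_aces(output)
            if a["line"] == line_no and a["hits"] >= min_hits]


def pipe_include(output, pattern):
    """Emulate the ASA's '| include <regex>': unanchored search, one line at a time."""
    rx = re.compile(pattern)
    return [ln for ln in output.splitlines() if rx.search(ln)]


if __name__ == "__main__":
    # External post-processing: structured filter on parsed fields.
    for a in filter_aces(SAMPLE_OUTPUT, 2):
        print(f"line {a['line']:>3} hitcnt={a['hits']:<5} {a['body']}")
    # Device-side equivalent, as suggested in the thread. The space after the
    # line number matters: without it "line 2" also matches "line 20".
    print(len(pipe_include(SAMPLE_OUTPUT, r"line 2 .*hitcnt=[1-9]")), "lines with the space")
    print(len(pipe_include(SAMPLE_OUTPUT, r"line 2.*hitcnt=[1-9]")), "lines without it")
```

On the sample, both the parsed filter and the `line 2 .*hitcnt=[1-9]` include return the three line 2 entries with a non-zero count; dropping the space after the line number lets the `line 20` deny rule leak into the result, which is the one thing to check before trusting a pipe filter on a long ACL.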

New Member

Hi

I don't know if you are interested in the ACL as a whole (if say, it concerns a group object for a collection of IPs), or one IP.

If you want one IP then see the below from another post of mine;

As you know the access-list name and the IP you are interested in, you can do this fairly easily;

show access-list acl_name ip_addr

This will return all specific entries to that individual IP, and entries with 'any', and referring to an object-group containing that IP.

Hope this helps.

Ian

Obviously you could then also pipe the output to an include|exclude|grep operator, but in the first place you are letting the ASA do a bit of logic to only include entries that are relevant to you.
