New Member

what is cisco pix_access_list_elements

Hi,

I have a PIX-515E firewall with a 7(0)x version of the image. When I issue sh run, I could see 1000 lines of ACLs, and when I issue show access-list I could see that there are 30000 access list elements.
What is the difference between access list elements and ACL lines?
How do I reduce the ACL elements?

thanks,
rajesh

  • Firewalling
Accepted Solution
Super Bronze

what is cisco pix_access_list_elements

Hi,

I imagine that you have an ACL configuration that utilizes "object-group" in the configuration. This essentially means that your ACL configuration is shorter than the actual full ACL that the ASA uses.

Take for example these 2 configurations:

Example 1

access-list TEST-1 permit ip any any

ASA(config)# sh access-list TEST-1
access-list TEST-1; 1 elements; name hash: 0x5f8608f2
access-list TEST-1 line 1 extended permit ip any any (hitcnt=0) 0xa45bef40

As you can see from the above, we only have a single configuration line. As it doesn't have any "object-group" used for either services or IP addresses/networks, it only contains this single rule. So there is only a single "element".

Example 2

object-group network TEST
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
 network-object host 1.1.1.4
access-list TEST-2 permit ip any object-group TEST

ASA(config)# sh access-list TEST-2
access-list TEST-2; 4 elements; name hash: 0xc7ff2230
access-list TEST-2 line 1 extended permit ip any object-group TEST 0xabbab304
  access-list TEST-2 line 1 extended permit ip any host 1.1.1.1 (hitcnt=0) 0x8af4a0e1
  access-list TEST-2 line 1 extended permit ip any host 1.1.1.2 (hitcnt=0) 0xbd31ccb2
  access-list TEST-2 line 1 extended permit ip any host 1.1.1.3 (hitcnt=0) 0x32e99e16
  access-list TEST-2 line 1 extended permit ip any host 1.1.1.4 (hitcnt=0) 0xcb4432ae

As you can see from the above example, we first create an "object-group" that contains 4 IP addresses and then use this "object-group" as the destination address of the single ACL configuration line. This means the actual rule is that we permit traffic to all 4 of these destination IP addresses, and therefore it has 4 "elements".

So your ACL configuration might include a large amount of "object-group" usage. You would have to see if all of them are needed. For example, if you use the "object-group service" type of "object-group" in your configurations with several ports defined, then this will easily generate a lot of extra ACL "elements".

Hope this helps

- Jouni
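To make the multiplication behind Jouni's explanation concrete, here is an added Python example (not code from the post or from Cisco) that reads a small constructed ASA-style config and estimates the element count each access-list will show. It assumes every network-object/port-object line is one element and does not expand nested group-object members, so it is an estimate to compare against the real "show access-list" output, not a replacement for it.

```python
import re

# Constructed sample config (not from the post): network group, service group, 3 ACL lines.
SAMPLE_CONFIG = """
object-group network TEST
 network-object host 1.1.1.1
 network-object host 1.1.1.2
 network-object host 1.1.1.3
 network-object host 1.1.1.4
object-group service WEB tcp
 port-object eq 80
 port-object eq 443
 port-object range 8080 8081
access-list TEST-1 permit ip any any
access-list TEST-2 permit ip any object-group TEST
access-list TEST-3 permit tcp any object-group TEST object-group WEB
"""

def parse_object_groups(config):
    """{group_name: members}; assumes one element per network-/port-object line,
    nested group-object members are not expanded (assumption of this example)."""
    sizes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"object-group (network|service) (\S+)", line)
        if header:
            current = header.group(2)
            sizes[current] = 0
        elif current and raw.startswith(" ") and line.startswith(("network-object", "port-object")):
            sizes[current] += 1
        elif not raw.startswith(" "):
            current = None  # left the object-group block
    return sizes

def count_elements(config):
    """{acl_name: elements}: each ACL line adds the product of the sizes of the
    object-groups it references (1 if none), which is what 'show access-list' reports."""
    sizes = parse_object_groups(config)
    totals = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("access-list ") or " remark " in line:
            continue
        name = line.split()[1]
        elements = 1
        for ref in re.findall(r"object-group (\S+)", line):
            elements *= sizes.get(ref, 1)  # unknown group: count as one element
        totals[name] = totals.get(name, 0) + elements
    return totals
```

A line that references a source group, a destination group and a service group multiplies all three sizes, which is how 1000 configured lines can become 30000 elements; the groups with the largest products are the first candidates to review.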

2 REPLIES
New Member

what is cisco pix_access_list_elements

Thanks Jouni. You are right. I had confirmed the same with Cisco TAC yesterday.

Well, is there any way to optimize ACL lookup in PIX 7(0) versions?
