Inactive ACLs in PIX/ASA

Hi Everyone,

I have 30 Cisco PIX and ASA firewalls. Each interface has ACLs applied with hundreds of access control entries.

I would like to know which ACEs are inactive for, let's say, the last thirty days and should be removed. Any help?

Additionally, is there any automated tool that can do this job and report which ACEs are lying in the configuration, not getting any hits, and should be removed?

Thanks.

3 REPLIES

Re: Inactive ACLs in PIX/ASA

The only way I know of (and have done) is to clear the ACL counters, wait 30 days, and remove the ones with no hit counts.
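The "clear the counters, wait, then look for zero hit counts" approach above can be scripted across many firewalls. The following is an added example, not part of the original post: it parses the `(hitcnt=N)` fields of ASA/PIX `show access-list` output and lists the ACEs that have never matched since the counters were cleared. The sample output is constructed; object-group expansions (indented lines) are skipped because the parent entry carries the aggregate count.

```python
import re
from typing import List, NamedTuple

# Constructed sample of ASA "show access-list" output; addresses and hashes are made up.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 remark Web servers
access-list outside_in line 2 extended permit tcp any host 192.0.2.10 eq www (hitcnt=1520) 0xa1b2c3d4
access-list outside_in line 3 extended permit tcp any object-group WEB eq https (hitcnt=7) 0xb2c3d4e5
  access-list outside_in line 3 extended permit tcp any host 192.0.2.11 eq https (hitcnt=7) 0xc3d4e5f6
  access-list outside_in line 3 extended permit tcp any host 192.0.2.12 eq https (hitcnt=0) 0xd4e5f607
access-list outside_in line 4 extended permit udp any host 192.0.2.20 eq domain (hitcnt=0) 0xe5f60718
access-list dmz_in; 2 elements; name hash: 0x2b3c4d5e
access-list dmz_in line 1 extended deny ip host 198.51.100.5 any (hitcnt=0) 0xf6071829
access-list dmz_in line 2 extended permit ip any any (hitcnt=98231) 0x0718293a
"""

# One configured ACE: "access-list <name> line <n> <ace text> (hitcnt=<n>) <hash>"
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


class Ace(NamedTuple):
    acl: str
    line: int
    text: str
    hits: int


def parse_aces(show_output: str) -> List[Ace]:
    """Return the configured ACEs with their hit counts.
    Indented lines are object-group expansions and are skipped (the parent entry
    already carries the aggregate count); remarks and ACL headers have no hitcnt."""
    aces = []
    for raw in show_output.splitlines():
        if raw.startswith((" ", "\t")):
            continue
        m = ACE_RE.match(raw)
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["ace"], int(m["hits"])))
    return aces


def zero_hit_aces(show_output: str) -> List[Ace]:
    """ACEs whose counter is still zero since the last counter clear or reload.
    These are candidates for review, not an automatic removal list."""
    return [a for a in parse_aces(show_output) if a.hits == 0]


if __name__ == "__main__":
    for a in zero_hit_aces(SAMPLE_SHOW_ACCESS_LIST):
        print(f"{a.acl} line {a.line}: {a.text}")
```

Counters also reset on reload, so record when the counters were cleared and check uptime before trusting a zero count.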

New Member

Re: Inactive ACLs in PIX/ASA

Thanks. Any direction on software/tools to examine thousands of ACEs on PIX/ASA firewalls?

Re: Inactive ACLs in PIX/ASA

We've only looked at one and it was too expensive.

http://www.skyboxsecurity.com/?CategoryID=163

A Google search for "Firewall rule audit" comes up with a few more links.
