zeroing access-list (hitcnt=xx)

neil.barrett
Level 1

I am setting up specific access-list statements on my PIX 525 (ver 6.1(1)) and I am using the "sh access-list" command to see all of the access-list statements that are being matched by the PIX, by looking at the (hitcnt=xx) value.

I would like to know how to zero the hitcnt shown when you type "sh access-list". I am locking down the firewall to specific source / destination / ports used by trying to apply progressive access-list statements, and I need to make sure that the correct access-lists are being used through the PIX. The best way I can see to do this is by zeroing and watching the (hitcnt=xx) values increase on the statements (or seeing which ones are actually being used).

I think the command I should use is "clear access-list". However, I have searched through Cisco's website and the only information I can find warns that using the "clear access-list" stops all traffic through the PIX - something I do not want to do (I am more used to clearing router counters with no problems)!

Can anyone help with my request or is there another way to see which access-list statements are being used (by allowing me to clear these counters transparently and not stopping user access at the same time)?

Many thanks in advance,

Regards,

Neil.
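One way to get the information the post is after without clearing anything on the PIX is to take two snapshots of "show access-list" some minutes apart and diff the hitcnt values per entry: an entry whose counter moved is in use, one whose counter did not move is a candidate for tightening. The script below is an added example, not something from this thread or from Cisco; the two snapshots are constructed sample text in the style of PIX 6.x output, and the hit counts in them are made up for illustration.

```python
import re

# Constructed sample snapshots in the style of PIX 6.x "show access-list"
# output (not taken from the thread); the hit counts are invented.
SNAPSHOT_BEFORE = """\
access-list outside_in permit tcp any host 192.168.10.5 eq www (hitcnt=120)
access-list outside_in permit tcp any host 192.168.10.5 eq https (hitcnt=33)
access-list outside_in permit udp any host 192.168.10.9 eq domain (hitcnt=0)
access-list outside_in deny ip any any (hitcnt=4501)
"""

SNAPSHOT_AFTER = """\
access-list outside_in permit tcp any host 192.168.10.5 eq www (hitcnt=175)
access-list outside_in permit tcp any host 192.168.10.5 eq https (hitcnt=33)
access-list outside_in permit udp any host 192.168.10.9 eq domain (hitcnt=0)
access-list outside_in deny ip any any (hitcnt=4620)
"""

# Everything before "(hitcnt=N)" identifies the entry; anything after it
# (later PIX/ASA versions append a hash) is ignored.
HITCNT_RE = re.compile(r"^(?P<ace>access-list\s+.*?)\s*\(hitcnt=(?P<hits>\d+)\)")


def parse_hitcounts(text):
    """Return {entry_text: hitcnt} for every line carrying a (hitcnt=N) field.
    Header lines such as 'access-list outside_in; 4 elements' have no hit
    count and are skipped."""
    counts = {}
    for line in text.splitlines():
        m = HITCNT_RE.match(line.strip())
        if m:
            counts[m.group("ace")] = int(m.group("hits"))
    return counts


def hitcount_delta(before, after):
    """Per-entry change between two snapshots. An entry present only in
    'after' is reported with its full count, i.e. treated as newly added."""
    b = parse_hitcounts(before)
    a = parse_hitcounts(after)
    return {ace: hits - b.get(ace, 0) for ace, hits in a.items()}


def active_entries(before, after):
    """Entries whose counter rose during the interval: the statements the
    PIX is actually matching, which is what zeroing and re-reading would show."""
    return [ace for ace, d in hitcount_delta(before, after).items() if d > 0]


def idle_entries(before, after):
    """Entries with no new hits during the interval. Only treat these as
    removable once the interval is long enough to cover the traffic you care
    about (end-of-month jobs, backups and so on)."""
    return [ace for ace, d in hitcount_delta(before, after).items() if d == 0]


if __name__ == "__main__":
    for ace, d in hitcount_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{d:+6d}  {ace}")
```

In practice you would capture the two snapshots from the console or a telnet/ssh session into files and pass their contents to hitcount_delta; the keying is on the full entry text, so two identical statements in different access-lists are kept apart by the list name.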

5 Replies

4s.welch
Level 1

Use the command:

clear access-list counters

That'll zero out the values listed next to the access-list entries that you're talking about. This won't affect any of the traffic going through the router, or any other settings. It just zeros the counters.

Unfortunately I have just tried that and the response is:

"pix1(config)# clear access-list counters

ERROR: access-list does not exist"

indicating that it is trying to clear the access-list called "counters" rather than the counters themselves.

Has anyone else attempted this? I am sure there must be a way.....

Thanks,

Neil.

The only way I know is to remove that access-list statement and reapply it. When you issue "show access-list", the hitcount will be 0.

This is not suitable for production because it will temporarily block traffic.

Hope this helps.

c-dudley
Level 1

You could try creating a duplicate access-list, with a different name and then applying that access-group to the interface, and then reapply the original access-group. I'm not positive about the PIX, but this works on IOS firewall.

Chris

aneadmin
Level 1

I am also looking at the same problem, but the difference is I am still using conduits. I want to clear the hitcount=xx values.

Thanks !

Regards

Fiyaz