03-12-2002 02:48 AM - edited 02-20-2020 09:16 PM
I am setting up specific access-list statements on my PIX 525 (ver 6.1(1)) and I am using the "sh access-list" command to see all of the access-list statements that are being matched by the PIX, by looking at the (hitcnt=xx) value.
I would like to know how to zero the hitcnt shown when you type "sh access-list". I am locking down the firewall to specific source / destination / ports used by trying to apply progressive access-list statements, and I need to make sure that the correct access-lists are being used through the PIX. The best way I can see to do this is by zeroing and watching the (hitcnt=xx) values increase on the statements (or seeing which ones are actually being used).
I think the command I should use is "clear access-list". However, I have searched through Cisco's website and the only information I can find warns that using the "clear access-list" stops all traffic through the PIX - something I do not want to do (I am more used to clearing router counters with no problems)!
Can anyone help with my request or is there another way to see which access-list statements are being used (by allowing me to clear these counters transparently and not stopping user access at the same time)?
Many thanks in advance,
Regards,
Neil.
03-13-2002 05:25 PM
Use the command:
clear access-list counters
That'll zero out the values listed next to the access-list entries that you're talking about. This won't affect any of the traffic going through the router, or any other settings. It just zeros the counters.
03-14-2002 12:09 AM
Unfortunately I have just tried that and the response is:
pix1(config)# clear access-list counters
ERROR: access-list
indicating that it is trying to clear the access-list called "counters" rather than the counters themselves.
Has anyone else attempted this? I am sure there must be a way...
Thanks,
Neil.
04-16-2002 11:44 AM
The only way I know is to remove that access-list statement and reapply it. When you issue the show access-list command, the hitcount will be 0.
This is not suitable for production because it will temporarily block traffic.
Hope this helps.
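Since neither clearing nor removing and reapplying the entries is acceptable on a production PIX, a non-disruptive alternative is to leave the counters alone and instead take two snapshots of "sh access-list" output and compute the per-entry difference. The script below is an added example and is not code from this thread or from Cisco; the sample output is constructed to follow the "(hitcnt=xx)" line format quoted above (plus a PIX-style "access-list name; N elements" summary line, which the parser skips), and the names and addresses in it are made up.

```python
import re
from typing import Dict, List

# One PIX 6.x-style "show access-list" entry: the ACE text followed by "(hitcnt=N)".
# The summary line "access-list <name>; <n> elements" carries no hitcnt and is ignored.
ACE_RE = re.compile(r"^(?P<ace>access-list\s+\S+\s+.+?)\s*\(hitcnt=(?P<hits>\d+)\)\s*$")

# Constructed sample snapshots (not real device output), taken some minutes apart.
SNAPSHOT_1 = """\
access-list outside_in; 4 elements
access-list outside_in permit tcp any host 192.0.2.10 eq www (hitcnt=120)
access-list outside_in permit tcp any host 192.0.2.10 eq 443 (hitcnt=15)
access-list outside_in permit udp host 198.51.100.5 host 192.0.2.20 eq domain (hitcnt=0)
access-list outside_in deny ip any any (hitcnt=3021)
"""

SNAPSHOT_2 = """\
access-list outside_in; 4 elements
access-list outside_in permit tcp any host 192.0.2.10 eq www (hitcnt=180)
access-list outside_in permit tcp any host 192.0.2.10 eq 443 (hitcnt=15)
access-list outside_in permit udp host 198.51.100.5 host 192.0.2.20 eq domain (hitcnt=0)
access-list outside_in deny ip any any (hitcnt=3100)
"""


def parse_hitcounts(output: str) -> Dict[str, int]:
    """Map each ACE (its text without the hitcnt suffix) to its current hit counter."""
    counts: Dict[str, int] = {}
    for line in output.splitlines():
        match = ACE_RE.match(line.strip())
        if match:
            counts[match.group("ace")] = int(match.group("hits"))
    return counts


def diff_hitcounts(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Hits accrued per ACE between the two snapshots.

    An ACE that appears only in 'after' is treated as starting from 0. If a counter
    is lower than before (the ACE was removed and re-added, or the box reloaded),
    the 'after' value is taken as the delta rather than reporting a negative number.
    """
    deltas: Dict[str, int] = {}
    for ace, hits in after.items():
        prev = before.get(ace, 0)
        deltas[ace] = hits - prev if hits >= prev else hits
    return deltas


def unused_aces(deltas: Dict[str, int]) -> List[str]:
    """ACEs that matched nothing during the observation window, in config order."""
    return [ace for ace, delta in deltas.items() if delta == 0]


if __name__ == "__main__":
    before = parse_hitcounts(SNAPSHOT_1)
    after = parse_hitcounts(SNAPSHOT_2)
    for ace, delta in diff_hitcounts(before, after).items():
        print(f"{delta:6d}  {ace}")
    print("no matches in window:")
    for ace in unused_aces(diff_hitcounts(before, after)):
        print("  " + ace)
```

In practice you would capture the two snapshots with a terminal logger or a scripted SSH session and feed the saved text to parse_hitcounts; the counters on the PIX are never touched, so user traffic is unaffected. An entry that still shows a zero delta after a representative window (including any scheduled jobs that might use it) is a candidate for tightening or removal.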
04-16-2002 01:24 PM
You could try creating a duplicate access-list, with a different name and then applying that access-group to the interface, and then reapply the original access-group. I'm not positive about the PIX, but this works on IOS firewall.
Chris
04-17-2002 03:06 AM
I am also looking at the same problem, but the difference is I am still using the conduits. I want to clear the hitcount=xx values.
Thanks !
Regards
Fiyaz