I am setting up specific access-list statements on my PIX 525 (ver 6.1(1)) and I am using the "sh access-list" command to see all of the access-list statements that are being matched by the PIX, by looking at the (hitcnt=xx) value.
I would like to know how to zero the hitcnt shown when you type "sh access-list". I am locking down the firewall to specific source / destination / ports used by trying to apply progressive access-list statements, and I need to make sure that the correct access-lists are being used through the PIX. The best way I can see to do this is by zeroing and watching the (hitcnt=xx) values increase on the statements (or seeing which ones are actually being used).
I think the command I should use is "clear access-list". However, I have searched through Cisco's website and the only information I can find warns that using the "clear access-list" stops all traffic through the PIX - something I do not want to do (I am more used to clearing router counters with no problems)!
Can anyone help with my request or is there another way to see which access-list statements are being used (by allowing me to clear these counters transparently and not stopping user access at the same time)?
That'll zero out the values listed next to the access-list entries that you're talking about. This won't affect any of the traffic going through the router, or any other settings. It just zeros the counters.
You could try creating a duplicate access-list, with a different name and then applying that access-group to the interface, and then reapply the original access-group. I'm not positive about the PIX, but this works on IOS firewall.
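A way to see which statements are in use without clearing anything, as an added example that is not part of the original thread: capture the "sh access-list" output twice and compare the (hitcnt=xx) values offline. The sample snapshots below are constructed, and their exact line layout (ACL name `acl_out`, addresses, a trailing `(hitcnt=N)`) is an assumption about the output format.

```python
import re

# One ACL entry line ending in the "(hitcnt=N)" counter the thread refers to.
ACE_RE = re.compile(r"^\s*(access-list\s+\S+\s+.*?)\s*\(hitcnt=(\d+)\)\s*$")

def parse_hitcnt(output):
    """Map each ACL statement (whitespace-normalised) to its hit count."""
    counts = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:  # header lines without a counter are skipped
            counts[" ".join(m.group(1).split())] = int(m.group(2))
    return counts

def hit_deltas(before, after):
    """Hits gained per statement between two snapshots."""
    old, new = parse_hitcnt(before), parse_hitcnt(after)
    deltas = {}
    for ace, n in new.items():
        base = old.get(ace, 0)  # statement added since the baseline
        # A counter below its baseline was reset in between: count from zero.
        deltas[ace] = n - base if n >= base else n
    return deltas

def unused(before, after):
    """Statements that matched no traffic between the two snapshots."""
    return sorted(a for a, d in hit_deltas(before, after).items() if d == 0)

# Constructed sample snapshots (not captured from a real device).
BEFORE = """\
access-list acl_out; 3 elements
access-list acl_out permit tcp any host 192.0.2.10 eq www (hitcnt=120)
access-list acl_out permit tcp any host 192.0.2.25 eq smtp (hitcnt=7)
access-list acl_out permit ip any any (hitcnt=3310)
"""
AFTER = """\
access-list acl_out; 3 elements
access-list acl_out permit tcp any host 192.0.2.10 eq www (hitcnt=185)
access-list acl_out permit tcp any host 192.0.2.25 eq smtp (hitcnt=7)
access-list acl_out permit ip any any (hitcnt=3342)
"""

if __name__ == "__main__":
    for ace, gained in hit_deltas(BEFORE, AFTER).items():
        print(f"{gained:>6}  {ace}")
    print("no hits:", unused(BEFORE, AFTER))
```

Two identical statements in the same list share one dictionary key here, so deduplicate the ACL first if that can occur.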