Cisco show access-list hits
You can review an access list definition by displaying the firewall configuration with this EXEC command:

    Firewall# show running-config

or

    Firewall# write term

To jump right to the access list in the configuration, you can use this variation:

    Firewall# show running-config | begin access-list [acl_id]

Or, to display only the lines of the access-list configuration and nothing else, you can use a further variation:

    Firewall# show running-config | include access-list [acl_id]

Beginning with ASA 7.0, you can display an access-list configuration with this command:

    Firewall# show running-config access-list [acl_id]

Object groups and access list contents are shown exactly as they were configured. In fact, only the object group references are shown in the ACL configuration; the actual object group definitions appear at a different point in the configuration. This makes it difficult to review a large access list, because you have to refer back and forth between the ACL and any object groups it references.

After an access list has been configured and applied to an interface, you can monitor its use. Use this EXEC command to see a breakdown of ACL contents and activity counters:

    Firewall# show access-list [acl_id]

Each line of the ACL is shown, along with a hit counter indicating how many connections or flows (or packets, for ICMP) have been matched by that line. This is shown as "(hitcnt=n)" at the end of each ACE.
For example, an access list configured to permit inbound HTTP connections to several web servers is shown to have the following contents and hit counters:

    Firewall# show access-list acl_outside
    access-list acl_outside line 1 permit tcp any host 192.168.3.16 eq www (hitcnt=97)
    access-list acl_outside line 2 permit tcp any host 192.168.3.19 eq www (hitcnt=69513)
    access-list acl_outside line 3 permit tcp any host 192.168.3.23 eq www (hitcnt=12)
    access-list acl_outside line 4 permit tcp any host 192.168.3.231 eq www (hitcnt=82)
    access-list acl_outside line 5 permit tcp any host 192.168.3.242 eq www (hitcnt=27)

From this information, it is clear that host 192.168.3.19 (line 2) is receiving the greatest volume of inbound HTTP connections.

Beginning with ASA 7.3(1) and FWSM 3.1, each line of the show access-list command output ends with a unique string of hex digits. For example, see how the following line ends with 0xa2294c03:

    access-list acl_outside line 5 extended permit tcp any host 192.168.3.242 eq www (hitcnt=27) 0xa2294c03

The hex string listed is the same string that is generated in syslog messages 106023 (deny packet by ACL, default warnings level) and 106100 (deny/permit packet by ACL, default informational level). This does not mean much to human readers, but it gives Adaptive Security Device Manager (ASDM) an easy way to cross-reference the syslog messages it collects with the actual ACL lines that generated them.
Now suppose that an object group has been configured to list the web servers with the following commands:

    Firewall(config)# object-group network web-servers
    Firewall(config-network)# network-object host 192.168.3.16
    Firewall(config-network)# network-object host 192.168.3.19
    Firewall(config-network)# network-object host 192.168.3.23
    Firewall(config-network)# network-object host 192.168.3.231
    Firewall(config-network)# network-object host 192.168.3.242
    Firewall(config-network)# exit
    Firewall(config)# access-list acl_outside permit tcp any object-group web-servers eq www

The show access-list command also expands any object groups that are referenced in an ACL. This allows you to see the actual ACEs that the firewall is evaluating. In this example, the ACL would be expanded as follows:

    Firewall# show access-list acl_outside
    access-list acl_outside line 1 permit tcp any object-group web-servers eq www
    access-list acl_outside line 1 permit tcp any host 192.168.3.16 eq www (hitcnt=97)
    access-list acl_outside line 1 permit tcp any host 192.168.3.19 eq www (hitcnt=69513)
    access-list acl_outside line 1 permit tcp any host 192.168.3.23 eq www (hitcnt=12)
    access-list acl_outside line 1 permit tcp any host 192.168.3.231 eq www (hitcnt=82)
    access-list acl_outside line 1 permit tcp any host 192.168.3.242 eq www (hitcnt=27)

Notice that each line of the output is shown as line 1 of the ACL. Although the object group is expanded and evaluated as sequential ACEs, it appears as the one ACE that referenced it.

You can reset the hit counters of an ACL by using this command:

    Firewall# clear access-list acl_id counters

In releases prior to ASA 7.0, be careful when you use this command: if you omit the counters keyword, the entire ACL named acl_id is removed from the firewall configuration!
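As an added example (not code from the book or from Cisco), the following Python script parses show access-list output of the kind shown above, sums hit counters per configured ACL line so that an expanded object group is reported as the single ACE it came from, flags expanded ACEs with hitcnt=0 as candidates for review, and uses the trailing hex string to tie 106023/106100 syslog messages back to the ACE that produced them. The sample output and syslog lines are constructed; the hash values, the ACEs on lines 2 and 3, and the syslog field layout are assumptions rather than output quoted on the page.

```python
import re
from collections import defaultdict

# Constructed sample of "show access-list" output in the format described above.
# Line 1 is an object-group reference followed by its expanded ACEs (all reported
# as line 1); lines 2 and 3 and every hash value are assumptions for the example.
SHOW_ACCESS_LIST = """\
access-list acl_outside line 1 extended permit tcp any object-group web-servers eq www
access-list acl_outside line 1 extended permit tcp any host 192.168.3.16 eq www (hitcnt=97) 0x1a2b3c4d
access-list acl_outside line 1 extended permit tcp any host 192.168.3.19 eq www (hitcnt=69513) 0x5e6f7a8b
access-list acl_outside line 1 extended permit tcp any host 192.168.3.23 eq www (hitcnt=12) 0x9c0d1e2f
access-list acl_outside line 1 extended permit tcp any host 192.168.3.231 eq www (hitcnt=82) 0x3a4b5c6d
access-list acl_outside line 1 extended permit tcp any host 192.168.3.242 eq www (hitcnt=27) 0xa2294c03
access-list acl_outside line 2 extended permit tcp any host 192.168.3.50 eq ssh (hitcnt=0) 0x7e8f9a0b
access-list acl_outside line 3 extended deny ip any any (hitcnt=4421) 0x1f2e3d4c
"""

# Constructed ASA syslog samples; the first hex code in the trailing brackets is
# the same string show access-list prints after the ACE (field layout assumed).
SYSLOG = """\
%ASA-6-106100: access-list acl_outside permitted tcp outside/203.0.113.7(51234) -> inside/192.168.3.242(80) hit-cnt 1 first hit [0xa2294c03, 0x0]
%ASA-4-106023: Deny tcp src outside:203.0.113.9/40001 dst inside:192.168.3.77/23 by access-group "acl_outside" [0x1f2e3d4c, 0x0]
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?"
    r"(?P<action>permit|deny) (?P<rule>.*?)"
    r"(?: \(hitcnt=(?P<hits>\d+)\))?(?: (?P<hash>0x[0-9a-f]+))?\s*$"
)
HASH_RE = re.compile(r"\[(0x[0-9a-f]+), 0x[0-9a-f]+\]")


def parse_show_access_list(text):
    """Turn each ACE line into a dict. An object-group reference line carries no
    hit counter (hits=None); the expanded ACEs after it repeat its line number."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        aces.append({
            "acl": m["acl"],
            "line": int(m["line"]),
            "action": m["action"],
            "rule": m["rule"],
            "hits": int(m["hits"]) if m["hits"] is not None else None,
            "hash": m["hash"],
            "is_group_ref": "object-group" in m["rule"],
        })
    return aces


def hits_per_configured_line(aces):
    """Sum counters by configured line number, so an expanded object group is
    reported as the single ACE that referenced it."""
    totals = defaultdict(int)
    for ace in aces:
        if ace["hits"] is not None:
            totals[ace["line"]] += ace["hits"]
    return dict(totals)


def busiest_ace(aces):
    """The expanded ACE with the highest hit count."""
    return max((a for a in aces if a["hits"] is not None), key=lambda a: a["hits"])


def unused_aces(aces):
    """Expanded ACEs with hitcnt=0 since the counters were last cleared; a permit
    that nothing uses is exposure with no benefit and is worth reviewing."""
    return [a for a in aces if a["hits"] == 0]


def correlate_syslog(aces, syslog_text):
    """Map 106023/106100 messages to the ACE that generated them via the hash."""
    by_hash = {a["hash"]: a for a in aces if a["hash"]}
    matched = []
    for line in syslog_text.splitlines():
        m = HASH_RE.search(line)
        if m and m.group(1) in by_hash:
            ace = by_hash[m.group(1)]
            matched.append((m.group(1), ace["line"], ace["action"], ace["rule"]))
    return matched


if __name__ == "__main__":
    aces = parse_show_access_list(SHOW_ACCESS_LIST)
    print("hits per configured line:", hits_per_configured_line(aces))
    print("busiest ACE:", busiest_ace(aces)["rule"])
    print("unused ACEs:", [a["rule"] for a in unused_aces(aces)])
    for item in correlate_syslog(aces, SYSLOG):
        print("syslog hash %s -> line %d %s %s" % item)
```

Hit counters only count since the last clear access-list ... counters, so run the zero-hit check over a period long enough to cover infrequent but legitimate traffic before treating an ACE as unused.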
ASA 7.0 and later, as well as all releases of FWSM, do not allow this command to be executed unless the counters keyword is included, so you are in no danger of deleting any configuration.
You want to know when the router invokes an access list. Access lists can generate log messages. The following example allows all packets to pass, and records them:

    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#access-list 150 permit ip any any log
    Router1(config)#interface Serial0/1
    Router1(config-if)#ip access-group 150 in
    Router1(config-if)#exit
    Router1(config)#end
    Router1#

And in this example, we use the log-input keyword to include additional information about where the packets came from:

    Router1#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router1(config)#access-list 150 permit tcp any any log-input
    Router1(config)#access-list 150 permit ip any any
    Router1(config)#interface Serial0/1
    Router1(config-if)#ip access-group 150 in
    Router1(config-if)#exit
    Router1(config)#end
    Router1#

The first example uses the log keyword to record a log message every time the ACL makes a match. Here are some log messages generated by this command:

    Feb 6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
    Feb 6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets

You can also get a breakdown of how many matches each line in the ACL has recorded with the show access-list command:

    Router1#show access-list 150
    Extended IP access list 150
        permit ip any any log (15 matches)
    Router1#

Source: Cisco IOS Cookbook, 2nd Edition (O'Reilly).
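As an added example that is not from the Cookbook, the Python script below parses %SEC-6-IPACCESSLOG* messages like the ones shown above, sums the per-message packet counts per ACL and action, and ranks sources per action, keeping the ingress interface and source MAC where an ACE logged with log-input supplied them. The log lines are constructed: the first two mirror the page's examples, while the log-input lines, ACL 151, the hosts 192.0.2.9 and the interface/MAC field layout are assumptions rather than output quoted on the page.

```python
import re
from collections import Counter

# Constructed IOS log lines in the %SEC-6-IPACCESSLOG* formats. The first two
# mirror the page's examples (log keyword); the last two show the ingress
# interface (and, on Ethernet, the source MAC) that log-input adds. ACL 151,
# the 192.0.2.9 source and the field layout are assumptions for this example.
IOS_LOG = """\
Feb  6 13:01:19: %SEC-6-IPACCESSLOGRP: list 150 permitted ospf 10.1.1.1 -> 224.0.0.5, 9 packets
Feb  6 13:01:19: %SEC-6-IPACCESSLOGDP: list 150 permitted icmp 10.1.1.1 -> 10.1.1.2 (0/0), 4 packets
Feb  6 13:02:03: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 10.1.1.1(1024) (Serial0/1 ) -> 10.1.1.2(23), 1 packet
Feb  6 13:02:41: %SEC-6-IPACCESSLOGP: list 151 denied tcp 192.0.2.9(40001) (FastEthernet0/0 0011.2233.4455) -> 10.1.1.2(22), 12 packets
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<ifname>\S+) ?(?P<mac>[0-9a-f.]+)?\))?"   # only present with log-input
    r" -> (?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<icmp>\d+/\d+)\))?"
    r", (?P<count>\d+) packets?"
)


def parse_ios_acl_log(text):
    """Parse IPACCESSLOG lines into dicts. 'count' is the number of packets the
    router summarised into that one message, so the tallies below add it up
    rather than counting messages."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["count"] = int(e["count"])
            events.append(e)
    return events


def packets_by_list_and_action(events):
    """Total packets per (ACL, permitted/denied)."""
    totals = Counter()
    for e in events:
        totals[(e["acl"], e["action"])] += e["count"]
    return dict(totals)


def sources_by_action(events, action):
    """Packet totals per (source, ingress interface) for one action, busiest
    first; the interface is None for ACEs logged with plain log."""
    totals = Counter()
    for e in events:
        if e["action"] == action:
            totals[(e["src"], e["ifname"])] += e["count"]
    return totals.most_common()


if __name__ == "__main__":
    events = parse_ios_acl_log(IOS_LOG)
    print(packets_by_list_and_action(events))
    print("denied sources:", sources_by_action(events, "denied"))
    print("permitted sources:", sources_by_action(events, "permitted"))
```

Because the router rate-limits and summarises ACL logging, the packet counts in these messages are a sample of the traffic, not an exact tally; use the show access-list match counters when you need the full count for a line.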