Cisco ACL question

Hi;
How do we find out if a given ACL statement in an ACL set (Cisco) has had a match in the past, that is, whether on running traffic a certain IP address and port had a match?

Thanks;
totaram asked:
JustInCase commented:
0
 
JustInCase commented:
Depending on how specifically the ACL is written and whether matches are logged:
show access-list
show access-list [acl-name]
show logging
0
 
totaram (Author) commented:
Hi Predrag;
I see the extended access list expand out and I see all the permit statements on the screen. What I am looking for is how many hits a given permit statement (say acl 20) had, in a given extended ACL list (ACL-COS-AF4)?
0
 
JustInCase commented:
Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)
0
 
Pete Long (Technical Consultant) commented:
For a single ACL

show access-list | incl {ACL-Name}
Petes-ASA# show access-list | incl inbound
access-list inbound; 11 elements; name hash: 0x793e9c88
access-list inbound line 1 extended permit tcp any object Obj-Core-SW eq ssh (hitcnt=2110) 0xeec1fa65
  access-list inbound line 1 extended permit tcp any host 192.168.254.1 eq ssh (hitcnt=2110) 0xeec1fa65
access-list inbound line 2 extended permit tcp any object Internal_FTP_Server eq ftp (hitcnt=223) 0x79574bdc
  access-list inbound line 2 extended permit tcp any host 192.168.100.10 eq ftp (hitcnt=223) 0x79574bdc
access-list inbound line 3 extended permit udp any object Internal_TFTP_Server eq tftp (hitcnt=25) 0x1009dc91
  access-list inbound line 3 extended permit udp any host 192.168.100.10 eq tftp (hitcnt=25) 0x1009dc91
access-list inbound line 4 extended permit tcp any object Internal_RDP_Server eq 3389 (hitcnt=14) 0x67ea11e1
  access-list inbound line 4 extended permit tcp any host 192.168.100.10 eq 3389 (hitcnt=14) 0x67ea11e1
access-list inbound line 5 extended permit tcp any object Internal_RDP_Client eq 3389 (hitcnt=14) 0xc2b17bd3
  access-list inbound line 5 extended permit tcp any host 192.168.100.77 eq 3389 (hitcnt=14) 0xc2b17bd3
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 7 extended permit icmp6 any6 any6 echo (hitcnt=6794) 0x092094f3
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
access-list inbound line 9 extended permit icmp6 any6 any6 unreachable (hitcnt=241) 0x26b280f9
access-list inbound line 10 extended permit icmp6 any6 any6 time-exceeded (hitcnt=4) 0x2afaa5ac
access-list inbound line 11 extended permit tcp any object Internal_Mail_Server eq smtp (hitcnt=955) 0xd649a992
  access-list inbound line 11 extended permit tcp any host 192.168.100.19 eq smtp (hitcnt=955) 0xd649a992
For a single ACE

show access-list | incl line {ACE-Line-number}
Petes-ASA# show access-list | incl line 6
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
Pete
0
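As an added example (not code from the thread or from either poster), a small Python parser for the two output formats quoted above, IOS "(N matches)" lines and ASA "(hitcnt=N)" lines, run over a constructed sample built from the snippets in this thread. It reports the hit count per ACE and lists the ACEs that have never matched, which is the usual audit question when reviewing an ACL.

```python
import re

# Constructed sample shaped like the IOS and ASA outputs quoted in this thread
# (counts are illustrative; the IOS seq-30 line has no "(N matches)" suffix).
SAMPLE_OUTPUT = """\
Extended IP access list VTY
    10 deny tcp host 192.168.1.5 any eq 22 (3 matches)
    20 permit tcp host 192.168.1.5 any eq 2022 (114 matches)
    30 permit tcp any any eq 443
access-list inbound line 6 extended permit tcp any object Internal_HTTP_Server eq www (hitcnt=6932) 0xbea499d4
  access-list inbound line 6 extended permit tcp any host 192.168.100.10 eq www (hitcnt=6932) 0xbea499d4
access-list inbound line 8 extended permit icmp6 any6 any6 echo-reply (hitcnt=0) 0xe9dc8639
"""

IOS_ACL_HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)$")
# IOS prints "(N match/matches)" only once an ACE has been hit at least once.
IOS_ACE = re.compile(r"^\s+(\d+) (.+?)(?: \((\d+) match(?:es)?\))?$")
# Anchored at column 0 so the indented, object-expanded ASA lines are skipped
# (they repeat the hitcnt of the parent line and would double-count).
ASA_ACE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)")


def parse_hit_counts(text):
    """Return {(acl_name, seq_or_line): (rule_text, hits)} for IOS and ASA ACEs."""
    counts = {}
    current_ios_acl = None
    for line in text.splitlines():
        m = IOS_ACL_HEADER.match(line)
        if m:
            current_ios_acl = m.group(1)
            continue
        m = ASA_ACE.match(line)
        if m:
            acl, seq, rule, hits = m.groups()
            counts[(acl, int(seq))] = (rule, int(hits))
            continue
        m = IOS_ACE.match(line)
        if m and current_ios_acl:
            seq, rule, hits = m.groups()
            counts[(current_ios_acl, int(seq))] = (rule, int(hits or 0))
    return counts


def unmatched_aces(counts):
    """ACEs with zero hits, the candidates to review when tightening an ACL."""
    return sorted(key for key, (_, hits) in counts.items() if hits == 0)


if __name__ == "__main__":
    parsed = parse_hit_counts(SAMPLE_OUTPUT)
    for (acl, seq), (rule, hits) in sorted(parsed.items()):
        print(f"{acl} {seq}: {hits} hits  {rule}")
    print("never matched:", unmatched_aces(parsed))
```

Both counters are cumulative since the last counter clear (or reload), so a zero here only means no match since then, not never.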
 
totaram (Author) commented:
Is that the case with Cisco ISR-4K and ASR-1000 series routers too? I heard that they do not report the ACL matches used by a service policy.
Please confirm.
0
 
JustInCase commented:
Typically, they do not match ACL for service policy on all IOS versions.
0
 
totaram (Author) commented:
So, Predrag, how do we know if we have a match or not for a given ACL? Is there any other way?

Thanks;
0
 
totaram (Author) commented:
Thank you so much for the link... it is a valuable link. Is there any way to find how many hits SIP port 5060/5061 had, or if there was a way to figure out the total Kbytes used by this type of traffic?
0
 
JustInCase commented:
Only if that traffic is the only traffic present in a specific class-map (with show policy-map interface).
I don't know of another way.
0
 
totaram (Author) commented:
Thanks, Predrag, your comments were very helpful.
0
 
JustInCase commented:
You're welcome.
0