how is this ASA command useful?

Started by icecream-guy, December 14, 2017, 12:54:54 PM


icecream-guy


Firewall(config)# show access-list outside_access brief
access-list outside_access; 4861 elements; name hash: 0xee117655
967e628c 00000000 000169b3 5a32b670
6aa60a42 19e2de04 00000934 5a328670
0c7e87a2 19e2de04 000004b3 5a32865d
eb14c577 00000000 0000ec03 5a32b675

My Moral Fibers have been cut.

SimonV

My guess would be to check if the ACL is consistent on multiple devices.

deanwebb

Quote from: SimonV on December 14, 2017, 01:37:10 PM
My guess would be to check if the ACL is consistent on multiple devices.

... most folks would check the ACL config... or use a firewall config manager...
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Quote from: deanwebb on December 14, 2017, 01:44:38 PM
Quote from: SimonV on December 14, 2017, 01:37:10 PM
My guess would be to check if the ACL is consistent on multiple devices.

... most folks would check the ACL config... or use a firewall config manager...

I imagine a hash would be more useful for an ACL with hundreds or thousands of lines.

icecream-guy

Quote from: SimonV on December 15, 2017, 02:33:09 AM
Quote from: deanwebb on December 14, 2017, 01:44:38 PM
Quote from: SimonV on December 14, 2017, 01:37:10 PM
My guess would be to check if the ACL is consistent on multiple devices.

... most folks would check the ACL config... or use a firewall config manager...

I imagine a hash would be more useful for an ACL with hundreds or thousands of lines.

Yes, that is how the ASA works: it hashes the ACL and compares the hash value to some hash value on the packet.
That's not the question, though.


SimonV

Oh, I thought it gave you a hash of the ACL itself, which could be compared across devices to check consistency.

Never mind me then  :-X
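The two uses discussed in this thread (comparing the ACL summary across devices, and reading the per-entry counters in the `brief` output) can both be scripted. The following is an added example, not code from the thread or from Cisco: it parses the output quoted above for a constructed pair of devices, flags differences between them, and lists entries with no recent hits. The header fields (element count and name hash) are taken from the quoted output; the meaning of the four hex columns on each ACE line is an assumption made here (word 1 an ACE hash, word 3 a hit count, word 4 a last-hit Unix timestamp) and the second device's output is invented to show a mismatch.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: "fw-a" is the output quoted in the thread (only the
# first few ACE lines were posted); "fw-b" is a hypothetical second device whose
# ACL has one extra element and an entry that has never matched.
DEVICE_OUTPUT = {
    "fw-a": """\
access-list outside_access; 4861 elements; name hash: 0xee117655
967e628c 00000000 000169b3 5a32b670
6aa60a42 19e2de04 00000934 5a328670
0c7e87a2 19e2de04 000004b3 5a32865d
eb14c577 00000000 0000ec03 5a32b675
""",
    "fw-b": """\
access-list outside_access; 4862 elements; name hash: 0xee117655
967e628c 00000000 000169b3 5a32b670
6aa60a42 19e2de04 00000000 00000000
""",
}

HEADER_RE = re.compile(
    r"^access-list (?P<name>\S+); (?P<count>\d+) elements; name hash: 0x(?P<hash>[0-9a-f]+)$"
)
ACE_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8})$")


def parse_brief(text):
    """Parse `show access-list <name> brief` output into a dict.

    Column meaning for ACE lines is an ASSUMPTION of this example: word 1 is an
    ACE hash, word 3 a hit count, word 4 a last-hit Unix epoch (all hex).
    """
    result = {"name": None, "elements": None, "name_hash": None, "aces": []}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            result["name"] = m.group("name")
            result["elements"] = int(m.group("count"))
            result["name_hash"] = int(m.group("hash"), 16)
            continue
        m = ACE_RE.match(line)
        if m:
            ace_hash, _word2, hits, last_hit = (int(w, 16) for w in m.groups())
            result["aces"].append({
                "ace_hash": ace_hash,
                "hits": hits,
                # A zero timestamp is treated as "never hit".
                "last_hit": datetime.fromtimestamp(last_hit, tz=timezone.utc) if last_hit else None,
            })
    return result


def compare_devices(outputs):
    """Compare every device's ACL summary against the first one.

    Returns {device: [finding, ...]}; an empty list means no difference found.
    Comparing the ACE hash sets assumes the hash is stable for the same ACE on
    every device, which this example does not verify.
    """
    parsed = {dev: parse_brief(txt) for dev, txt in outputs.items()}
    base_dev, base = next(iter(parsed.items()))
    base_hashes = {a["ace_hash"] for a in base["aces"]}
    findings = {}
    for dev, p in parsed.items():
        if dev == base_dev:
            continue
        notes = []
        if p["name_hash"] != base["name_hash"]:
            notes.append("name hash differs from %s" % base_dev)
        if p["elements"] != base["elements"]:
            notes.append("element count %d != %d on %s" % (p["elements"], base["elements"], base_dev))
        missing = base_hashes - {a["ace_hash"] for a in p["aces"]}
        if missing:
            notes.append("%d ACE hashes on %s missing here" % (len(missing), base_dev))
        findings[dev] = notes
    return findings


def stale_aces(parsed, now, max_age_days):
    """Return ACE hashes with zero hits or no hit within max_age_days of `now`."""
    cutoff = now - timedelta(days=max_age_days)
    return [a["ace_hash"] for a in parsed["aces"]
            if a["hits"] == 0 or a["last_hit"] is None or a["last_hit"] < cutoff]


if __name__ == "__main__":
    for dev, notes in compare_devices(DEVICE_OUTPUT).items():
        print(dev, notes or "consistent with baseline")
    now = datetime(2017, 12, 21, tzinfo=timezone.utc)  # constructed reference time
    print("stale on fw-b:", [hex(h) for h in stale_aces(parse_brief(DEVICE_OUTPUT["fw-b"]), now, 7)])
```

On the quoted output the first ACE's hit count decodes to 92595 and its last-hit timestamp to 14 December 2017, the day the thread was posted, which is consistent with the column assumption above. The per-device comparison is only meaningful when each device's output is complete, since the thread's sample was truncated after four lines.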

deanwebb


Dieselboy