Hello,
I ran into a strange behavior with access-groups.
Trying to debug an access problem through the ASA, I configured a permit-all
access list on the outside interface.
ASA(config)# sh access-list ANY
access-list ANY; 4 elements
access-list ANY line 1 extended permit tcp any any (hitcnt=0) 0xaa048ad9
access-list ANY line 2 extended permit udp any any (hitcnt=0) 0x494465ab
access-list ANY line 3 extended permit icmp any any (hitcnt=0) 0xffa93494
access-list ANY line 4 extended permit ip any any (hitcnt=0) 0xd2b64534
ASA(config)# sh run | in access-group
ASA(config)# access-group ANY in interface outside
ASA(config)# sh run | in access-group
access-group ANY in interface outside
This is when I noticed that I don't get any hits on the access-list counters. If
I remove the access-group it displays an error, but it looks like it is removed.
ASA(config)# no access-group ANY in interface outside
ERROR: Unable to remove access-list ANY from interface outside
ASA(config)# sh run | in access-group
ASA(config)#
If I reapply the access-group there are still no hits. It must be related to the
access-group removal error.
Does anybody know what can cause this?
Reload does fix this.
Thanks,
Dan.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
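The symptom in this thread (an access-group bound to an interface whose ACEs all stay at hitcnt=0) is the kind of thing worth checking for routinely, since an ACL that is applied but not evaluating means the interface is not being filtered the way the config says. The following is an added example, not code from the post or from Cisco: it parses the text of `show access-list` and `show run | in access-group` (captured beforehand, here as constructed sample strings modelled on the thread; the INSIDE_IN entries and their hash values are made up) and reports any bound ACL with zero total hits.

```python
import re

# Constructed sample of 'show access-list' output. The ANY entries mirror the
# thread; INSIDE_IN and its 0x... hashes are made up for contrast.
SHOW_ACCESS_LIST = """\
access-list ANY; 4 elements
access-list ANY line 1 extended permit tcp any any (hitcnt=0) 0xaa048ad9
access-list ANY line 2 extended permit udp any any (hitcnt=0) 0x494465ab
access-list ANY line 3 extended permit icmp any any (hitcnt=0) 0xffa93494
access-list ANY line 4 extended permit ip any any (hitcnt=0) 0xd2b64534
access-list INSIDE_IN; 2 elements
access-list INSIDE_IN line 1 extended permit tcp any any eq 443 (hitcnt=1532) 0x00000001
access-list INSIDE_IN line 2 extended deny ip any any (hitcnt=17) 0x00000002
"""

# Constructed sample of 'show run | in access-group' output.
SHOW_RUN_ACCESS_GROUP = """\
access-group ANY in interface outside
access-group INSIDE_IN in interface inside
"""

ACE_RE = re.compile(r"^access-list (\S+) line (\d+) .*?\(hitcnt=(\d+)\)")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")


def parse_hitcounts(text):
    """Return {acl_name: [(line_no, hitcnt), ...]} from 'show access-list' text.
    Summary lines ('access-list X; N elements') have no 'line' token and are skipped."""
    acls = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            acls.setdefault(m.group(1), []).append((int(m.group(2)), int(m.group(3))))
    return acls


def parse_access_groups(text):
    """Return [(acl_name, direction, interface), ...] from access-group lines."""
    matches = (GROUP_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def bound_acls_with_zero_hits(access_list_out, access_group_out):
    """ACLs bound to an interface whose ACEs together report zero hits.
    On a live interface (especially a permit-all ACL) that is the anomaly from the thread."""
    hits = parse_hitcounts(access_list_out)
    return [(name, direction, iface)
            for name, direction, iface in parse_access_groups(access_group_out)
            if sum(h for _, h in hits.get(name, [])) == 0]
```

Zero hits can also simply mean no traffic matched yet, so treat a flagged entry as something to inspect on a busy interface rather than as proof of the fault by itself.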