ACL · Privileged EXEC

show access-list

Displays the current access control lists (ACLs) configured on the Cisco ASA firewall, including hit counts and packet matches.

Overview

The 'show access-list' command is a fundamental diagnostic tool on Cisco ASA firewalls for inspecting the configuration and performance of access control lists (ACLs). ACLs filter traffic based on source/destination IP addresses, protocols, and ports, and are applied to interfaces or globally. This command displays each ACL entry along with its hit count: the number of packets that have matched that entry since the last counter reset. Hit counts are critical for verifying that ACLs are working as intended: a high hit count on a permit entry confirms allowed traffic, while a high hit count on a deny entry indicates blocked traffic that may require attention. Zero hit counts on expected traffic suggest that the ACL is not applied correctly, that the traffic is not reaching the firewall, or that the entry order is wrong. The command also shows whether an entry is inactive, which can occur if an object group within the entry is disabled. It is used during initial configuration verification, ongoing monitoring, and troubleshooting. The ASA is a stateful firewall: ACLs are evaluated for the first packet of a connection, and the 'show access-list' output reflects only the configured rules, not the stateful connections; for connection details, use 'show conn'. The command supports filtering by ACL name and options for brief or detailed output. Understanding this command is essential for network security engineers to ensure proper traffic filtering and to identify misconfigurations or security issues.

Syntax · Privileged EXEC
show access-list [<acl-name> | <acl-id>] [brief | detail]

When to Use This Command

  • Verify that ACL entries are correctly matching desired traffic after configuration changes.
  • Troubleshoot why traffic is being permitted or denied by checking hit counts.
  • Audit ACL configuration for security compliance and identify unused rules.
  • Monitor real-time traffic patterns by observing hit count increments.

Parameters

Parameter           Syntax               Description
acl-name | acl-id   access-list <name>   Specifies the name or ID of a specific ACL to display. If omitted, all ACLs are shown.
brief               brief                Displays a summary of ACLs without hit counts, showing only the structure and element count.
detail              detail               Provides additional details such as line numbers, hash values, and inactive status for each entry.

Command Examples

Display all ACLs with hit counts

show access-list
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80 (hitcnt=150)
access-list INSIDE extended deny ip any any (hitcnt=0)

Shows two ACL entries: the first permits HTTP traffic from 10.1.1.0/24 to 192.168.1.0/24 with 150 hits; the second denies all IP traffic with 0 hits.

Display a specific ACL in detail

show access-list INSIDE detail
access-list INSIDE; 2 elements; name hash: 0x12345678
access-list INSIDE line 1 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80 (hitcnt=150) 0x87654321
  access-list INSIDE line 1 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80 (hitcnt=150) (inactive) 0x87654321
access-list INSIDE line 2 extended deny ip any any (hitcnt=0) 0xabcdef01

Detail view shows line numbers, element count, hash values, and inactive status. The first entry appears twice if it has an inactive object group; the second entry is active with 0 hits.

Understanding the Output

The output lists each ACL entry with its action (permit/deny), protocol, source and destination networks, ports, and hit count. The hit count indicates how many packets have matched that entry since the last counter reset or device reload. A high hit count on a permit entry shows allowed traffic; a high hit count on a deny entry indicates blocked traffic that may need investigation. Zero hit counts on expected traffic suggest misconfiguration or that the ACL is not being applied. The 'inactive' keyword appears when an object group within the entry is inactive. The 'element' count shows total entries. Hash values are internal identifiers. The 'brief' option suppresses hit counts and shows only the ACL structure.

Configuration Scenarios

Verifying ACL After Applying to Interface

An engineer has applied an ACL named 'OUTSIDE' to the outside interface to restrict inbound traffic. They need to verify the ACL is correctly matching traffic.

Topology

Internet --- ASA (outside: 203.0.113.1) --- Inside (10.0.0.0/24)

Steps

  1. Configure the ACL: access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 80
  2. Apply it to the interface: access-group OUTSIDE in interface outside
  3. Verify with 'show access-list OUTSIDE'

Configuration
! ACL configuration
access-list OUTSIDE extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE extended deny ip any any
! Apply to interface
access-group OUTSIDE in interface outside

Verify: Run 'show access-list OUTSIDE' and check hit counts. If traffic is flowing, the permit entry should have non-zero hits. If zero, check interface application and routing.

Watch out: Remember that the ACL is applied inbound on the outside interface; traffic from inside to outside is not affected by this ACL.

Troubleshooting with This Command

When troubleshooting traffic issues on a Cisco ASA, 'show access-list' is often the first command to run. Start by identifying the ACL applied to the relevant interface using 'show running-config | include access-group'. Then display that ACL with 'show access-list <name>'. Look for hit counts on permit and deny entries. If expected traffic is being denied, check if a deny entry with high hit counts appears before the permit entry. If hit counts are zero on all entries, verify that the ACL is applied to the correct interface and direction, and that traffic is actually reaching the ASA (use 'show interface' for packet counts). If an entry shows 'inactive', check the object groups used in that entry with 'show object-group id <name>'. For asymmetric routing issues, remember that the ASA is stateful; the ACL only affects the initial packet. Use 'show conn' to see established connections. If hit counts increment but traffic is still failing, the issue may be elsewhere (e.g., NAT, routing). To reset hit counts for fresh monitoring, use 'clear access-list <name> counters'. In high-traffic environments, hit counts can wrap around; note the value before resetting. For ACLs with many entries, use the 'brief' option to see the structure without hit counts, then focus on specific entries.
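The checks described under "Understanding the Output" and in the troubleshooting paragraph above (zero hit counts, '(inactive)' entries, and a broad deny ahead of a permit under first-match evaluation) can be automated against captured command output. The following Python script is an added example written for this page, not Cisco code: it parses the plain and 'detail' output formats shown above and reports unused, inactive, and shadowed entries by ACL line number. The sample output is constructed from the page's 'detail' example plus a hypothetical third entry (line 3) that the 'deny ip any any' on line 2 hides completely; it handles IPv4 operands only, and object/object-group operands are treated as opaque because they cannot be resolved from the ACL output alone.

```python
"""Audit Cisco ASA 'show access-list' output: unused, inactive and shadowed entries.
Added example, not Cisco's code. Handles the plain and 'detail' formats shown on
this page (IPv4 only); object/object-group operands stay opaque.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the page's 'detail' output plus a hypothetical third entry
# (line 3) that the preceding 'deny ip any any' hides completely under first-match.
SAMPLE_OUTPUT = """\
access-list INSIDE; 3 elements; name hash: 0x12345678
access-list INSIDE line 1 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80 (hitcnt=150) 0x87654321
  access-list INSIDE line 1 extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80 (hitcnt=150) (inactive) 0x87654321
access-list INSIDE line 2 extended deny ip any any (hitcnt=0) 0xabcdef01
access-list INSIDE line 3 extended permit tcp 10.1.2.0 255.255.255.0 any eq 443 (hitcnt=0) 0x0badf00d
"""

# One access control entry (ACE); the header "access-list X; N elements; ..." does not match.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+)(?: line (?P<line>\d+))? extended "
    r"(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.*?) "
    r"\(hitcnt=(?P<hits>\d+)\)(?P<inactive> \(inactive\))?(?: 0x[0-9a-fA-F]+)?$"
)


@dataclass
class Entry:
    acl: str
    line: int                               # 'line N' in detail output, else 1-based position
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]    # None = object/object-group (opaque)
    sport: Optional[Tuple[str, ...]]        # e.g. ("eq", "80") or ("range", "1", "1023")
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[Tuple[str, ...]]
    hits: int
    inactive: bool


def _take_addr(tokens: List[str], i: int):
    """Consume one address operand: any | host A | A MASK | object[-group] NAME."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("object", "object-group"):
        return None, i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2   # ipaddress accepts dotted masks


def _take_port(tokens: List[str], i: int):
    """Consume an optional port operator: eq/gt/lt/neq N, or range A B."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return (tokens[i], tokens[i + 1]), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", tokens[i + 1], tokens[i + 2]), i + 3
    return None, i


def parse_show_access_list(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())           # detail output indents inactive duplicates
        if not m:
            continue
        tokens = m["rest"].split()
        src, i = _take_addr(tokens, 0)
        sport, i = _take_port(tokens, i)
        dst, i = _take_addr(tokens, i)
        dport, _ = _take_port(tokens, i)
        entries.append(Entry(m["acl"], int(m["line"]) if m["line"] else len(entries) + 1,
                             m["action"], m["proto"], src, sport, dst, dport,
                             int(m["hits"]), m["inactive"] is not None))
    return entries


def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet b could match is already matched by the earlier entry a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    for net_a, net_b in ((a.src, b.src), (a.dst, b.dst)):
        if net_a is None or net_b is None or not net_b.subnet_of(net_a):
            return False
    for port_a, port_b in ((a.sport, b.sport), (a.dport, b.dport)):
        if port_a is not None and port_a != port_b:   # a restricts ports: only exact match counts
            return False
    return True


def audit(entries: List[Entry]) -> dict:
    """Apply the page's troubleshooting checks; results refer to ACL line numbers."""
    report = {"unused": [], "inactive": [], "shadowed": []}
    for e in entries:
        if e.inactive:
            report["inactive"].append(e.line)
        elif e.hits == 0:
            report["unused"].append(e.line)     # zero hits: never matched since last reset
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if earlier.line != later.line and _covers(earlier, later):
                report["shadowed"].append((earlier.line, later.line))
                break
    return report


if __name__ == "__main__":
    print(audit(parse_show_access_list(SAMPLE_OUTPUT)))
```

Paste the captured output of 'show access-list <name>' or 'show access-list <name> detail' into SAMPLE_OUTPUT (or read it from a file) and run the script; a "shadowed" pair such as (2, 3) means line 3 can never be reached, which is exactly the condition the troubleshooting text tells you to look for when expected traffic is denied. A "unused" entry is only a lead, not proof of misconfiguration: as the Common Mistakes section notes, zero hits may simply mean no matching traffic has passed since the last counter reset.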

CCNA Exam Tips

  1. Remember that hit counts reset on reload or when the ACL is modified; use 'clear access-list <name> counters' to reset manually.
  2. In CCNP Security exams, know that 'show access-list' is used to verify ACL effectiveness and identify unused rules.
  3. Be aware that the ASA uses a first-match approach; order of entries matters.

Common Mistakes

Assuming zero hit counts mean the ACL is not applied; it could be that no matching traffic has passed.

Forgetting that hit counts are cumulative since last reset; they do not indicate current traffic rate.

Misinterpreting 'inactive' entries as disabled; they are still evaluated but may have inactive object groups.

Platform Notes

On Cisco ASA, the 'show access-list' command is similar to Cisco IOS but with ASA-specific features like object groups and inactive entries. Unlike IOS, ASA ACLs are stateful and the command does not show per-interface statistics; it shows global hit counts. The ASA also supports 'show access-list <name> detail' to display line numbers and hash values, which is not available in IOS. In IOS, the equivalent command is 'show access-lists' (plural). On other platforms like Palo Alto, the command is 'show running security-policy' or 'show security-policy-rule'. On ASA, ACLs can be named or numbered; numbered ACLs are less common. Version differences: ASA 8.3+ introduced object groups and the 'inactive' keyword. Always use the latest syntax for your ASA version.
