A useful tool for viewing access list operation is the log keyword on access list entries. This keyword instructs the router to place an entry in the system log whenever that entry's condition is matched. The logged event includes details of the packet that matched the access list element.

The log keyword can be especially useful for troubleshooting access list operation. It can also provide information on intrusion attempts being blocked by the access list. For example, if the last element in an extended ACL is configured as deny ip any any log, the details of any packet not matching a condition higher in the ACL are recorded in the system log. Because this element shows all packets not being matched by a statement earlier in the ACL, it is useful both for troubleshooting when a certain traffic flow cannot communicate through the firewall router and for showing when an intruder is attempting to access the network.

This log output can either be buffered and viewed on the local system or forwarded to an external syslog server, where it can become part of a larger network management system. Use the show logging command to view the locally buffered copy of the system log.
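As an added example (not part of the original text), the following Python parses the syslog messages that IOS emits for ACL entries carrying the log keyword and aggregates the denied traffic per source, which is the kind of analysis a syslog server can run once the router forwards its log. The sample lines are constructed; the message format (%SEC-6-IPACCESSLOGP and %SEC-6-IPACCESSLOGDP) is the one IOS uses for these entries and is assumed here rather than taken from the page.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format IOS emits for ACL entries with
# the log keyword (IPACCESSLOGP for TCP/UDP, IPACCESSLOGDP for ICMP).
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 router1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(41234) -> 198.51.100.10(23), 1 packet
Mar  1 10:00:03 router1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(41235) -> 198.51.100.10(22), 1 packet
Mar  1 10:00:05 router1 14: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(41236) -> 198.51.100.10(445), 1 packet
Mar  1 10:00:09 router1 15: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(50000) -> 198.51.100.20(80), 1 packet
Mar  1 10:05:00 router1 16: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.5(41234) -> 198.51.100.10(23), 5 packets
Mar  1 10:05:01 router1 17: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 192.0.2.9 -> 198.51.100.10 (8/0), 3 packets
"""

# Ports are present for TCP/UDP, an ICMP type/code pair for ICMP, neither for other protocols.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<type>\d+)/(?P<code>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_acl_log(line):
    """Return the fields of one ACL log message as a dict, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec

def denied_summary(text):
    """Total denied packets per source address and the distinct destination ports each hit."""
    packets = Counter()
    ports = {}
    for line in text.splitlines():
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        packets[rec["src"]] += rec["count"]
        if rec["dport"]:
            ports.setdefault(rec["src"], set()).add(int(rec["dport"]))
    return packets, ports

def likely_scanners(text, min_ports=3):
    """Sources whose denied traffic touched at least min_ports distinct destination ports."""
    _, ports = denied_summary(text)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```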

The command show ip access-list [number | name] is useful for troubleshooting IP access lists. This command displays the detailed elements of a specific access list in the correct order and the number of packets that have been matched against each element. Alternatively, if no access list number is specified, details of all access lists are shown. Figure shows the typical output from the show ip access-list command.
When viewing the number of access list matches, the hit counters should sometimes be reset using the clear ip access-list counters [number | name] command. This command resets access list counters to zero, making it easier to spot changes in the counters and heavily matched access list elements. This command can be used to clear the counters for only a specific access list by specifying its name or number. It will clear the counters for all IP access lists if no access list name or number is specified. An alternative command, clear access-list counters [number | name], can also be used to clear IP access list statistics. Figure shows an example of using the clear command.
The command show ip interface shows information about the configuration of interfaces running the IP protocol, including information on any access lists configured for inbound and outbound traffic on the interface. Figure shows an example of the output from this command.