Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
322
Views
0
Helpful
2
Replies

ACLs - Interface vs Non-interface

jdlampard
Level 1
Level 1

‎10-08-2009 11:36 AM - edited ‎03-11-2019 09:24 AM

My question is not platform specific but I manage numerous ASAs and PIXes which is what I am concerned with.

Generally speaking, best practices suggest using an explicit deny with logging at the end of ACLs. My question is very simple. Does this apply only to "interface" ACLs, meaning only for those applied in an access-group statement? OR, does it also apply to "non-inteface" ACLs such as those used for VPN (regardless it it's site-to-site or remote-access)?

It seems that depending on how the ACL is used the addition of an explicit deny may be pointless in the case of some non-interface ACLs. Maybe I'm wrong.

Thanks for your feedback/interpretations/opinions.

-JD

Labels:
0 Helpful
2 Replies 2

Kureli Sankar
Cisco Employee
Cisco Employee

‎10-08-2009 06:14 PM

As you already know all access-list has an implicit deny any any in the end. There is really no need to add a deny any any line in the bottom explicitly.

Now it is upto you whether you add a deny ip any any in non-interface acls like the ones that you use to match in the class-map or policy nat statements.

The only precaution to take is that to make sure add the future permits above the deny line by inserting them with line numbers so, the deny doesn't appear above the permit.

0 Helpful

jdlampard
Level 1
Level 1
In response to Kureli Sankar

‎10-09-2009 07:01 AM

I appreciate your response. You are correct but I think the beyond-on-the-basics nuance wasn't blatantly obvious, so I apologize.

Yes, I understand the implicit deny as you highlighted. However, the explicit deny is beneficial... the implicit deny does appear in the 'show access-list' output whereas the explicit deny does so hitcnt for the explicit ACE is visible. Also, logging for the ACE can be controlled. I guess these two reasons are the basis for the logic of adding the ACE as a best practice.

I also understand that future rules would have to be appropriately placed above the explicit deny.

A simple example of what I'm curious about...

In defining interesting traffic for a crypto map, is there any benefit, as desribed above, to explicitly deny traffic or is this pointless? Either the traffic matches or it doesn't so an explicit deny will never get hit???

access-list vpn10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list vpn11 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0

crypto map cryptomap 10 match address vpn10

crypto map cryptomap 11 match address vpn11

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card