ACLs - Interface vs Non-interface

Unanswered Question
Oct 8th, 2009

My question is not platform specific but I manage numerous ASAs and PIXes which is what I am concerned with.

Generally speaking, best practices suggest using an explicit deny with logging at the end of ACLs. My question is very simple. Does this apply only to "interface" ACLs, meaning only for those applied in an access-group statement? Or does it also apply to "non-interface" ACLs such as those used for VPN (regardless of whether it's site-to-site or remote-access)?

It seems that depending on how the ACL is used the addition of an explicit deny may be pointless in the case of some non-interface ACLs. Maybe I'm wrong.

Thanks for your feedback/interpretations/opinions.


Kureli Sankar Thu, 10/08/2009 - 18:14

As you already know, all access-lists have an implicit deny any any at the end. There is really no need to add a deny any any line at the bottom explicitly.

Now it is up to you whether you add a deny ip any any in non-interface ACLs, like the ones that you use to match in class-map or policy NAT statements.

The only precaution to take is to make sure you add future permits above the deny line by inserting them with line numbers, so the deny doesn't appear above the permit.

jdlampard Fri, 10/09/2009 - 07:01

I appreciate your response. You are correct, but I think the beyond-the-basics nuance wasn't blatantly obvious, so I apologize.

Yes, I understand the implicit deny as you highlighted. However, the explicit deny is beneficial... the implicit deny does appear in the 'show access-list' output, whereas the explicit deny does, so the hitcnt for the explicit ACE is visible. Also, logging for the ACE can be controlled. I guess these two reasons are the basis for the logic of adding the ACE as a best practice.

I also understand that future rules would have to be appropriately placed above the explicit deny.

A simple example of what I'm curious about...

In defining interesting traffic for a crypto map, is there any benefit, as described above, to explicitly denying traffic, or is this pointless? Either the traffic matches or it doesn't, so an explicit deny will never get hit?

access-list vpn10 extended permit ip

access-list vpn11 extended permit ip

crypto map cryptomap 10 match address vpn10

crypto map cryptomap 11 match address vpn11
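As an added example (not code from the thread or from Cisco), a small Python check over a constructed ASA configuration that applies the two points raised above: interface ACLs (those bound with access-group) should end in an explicit deny ip any any log, while any ACE that lands below a catch-all deny is dead no matter which kind of ACL it is in. The ACL names, interfaces and addresses in SAMPLE_CONFIG are constructed.

```python
import re

# Constructed sample ASA configuration (not from the original post): one
# interface ACL with a logged explicit deny but a permit mistakenly appended
# below it, one interface ACL with no explicit deny, and one crypto-map ACL.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended deny ip any any log
access-list outside_in extended permit tcp any host 203.0.113.10 eq 22
access-list dmz_in extended permit ip 192.168.5.0 255.255.255.0 any
access-list vpn10 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
crypto map cryptomap 10 match address vpn10
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(action, body, logged), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, body = m.groups()
            logged = re.search(r"\blog\b", body) is not None
            acls.setdefault(name, []).append((action, body, logged))
    return acls

def interface_acls(config):
    """Names of ACLs bound with access-group, i.e. the 'interface' ACLs."""
    return {m.group(1) for m in (GROUP_RE.match(l.strip()) for l in config.splitlines()) if m}

def is_deny_all(action, body):
    """True for a catch-all 'deny ip any any' ACE (any4/any6 spellings included)."""
    t = body.split()
    return action == "deny" and len(t) >= 3 and t[0] == "ip" and all(x.startswith("any") for x in t[1:3])

def audit(config):
    """Interface ACLs must end in a logged catch-all deny; any ACE below a
    catch-all deny (in any ACL) is shadowed and reported as dead."""
    acls, bound = parse_acls(config), interface_acls(config)
    findings = {"missing_explicit_deny": [], "shadowed": {}}
    for name, aces in acls.items():
        action, body, logged = aces[-1]
        if name in bound and not (is_deny_all(action, body) and logged):
            findings["missing_explicit_deny"].append(name)
        for i, (action, body, _) in enumerate(aces):
            if is_deny_all(action, body):
                tail = [b for _, b, _ in aces[i + 1:]]
                if tail:
                    findings["shadowed"][name] = tail
                break
    return findings

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(key, value)
```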