how to organize access-list in ASA

Unanswered Question
Feb 16th, 2010

Hello

I need some help with access lists. I understand they are read from top to bottom, but I would like to confirm whether someone has a reference or knowledge on how to organize an access list with different protocols. What I mean is, from top to bottom, which protocols should be at the top (for example, access-list inside line 1 permit tcp .....), and how about the following?

    access-list inside line 1 permit ICMP ....
    access-list inside line 1 permit udp ....

And for the source IP addresses, is it from broad (top) going to specific IP (down)?

Thanks.

Joe B Danford Mon, 03/01/2010 - 13:37

Since ACLs work on a first-match basis, you will want your more specific lines at the top of the list regardless of protocol. Avoid using broad ranges at the top of the list, which could lead to more specific network ranges being ignored, as in the example below:

access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80

The second entry would not be effective here because the first match is hit allowing all traffic through. Here is another example:

access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any any eq 389

The above ACL would be better optimized by placing the most specific entries at the top of the list, ensuring that specific deny statements are not trumped by permit statements and each entry performs its desired function. Grouping similar entries together, if possible, can also help to keep some sanity when looking at large lists.

access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any any eq 389
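As an added example (not part of this thread and not Cisco's own code), the Python below parses the two ACLs from the answer above, evaluates a packet top-down the way the ASA does, and lists entries that can never be hit because an earlier, broader entry already covers them. It assumes the plain `permit`/`deny` syntax shown in the answer (the `extended` keyword is tolerated; `line N`, object-groups and port ranges are not handled) and goes beyond the page by also accepting the `address netmask` form.

```python
from ipaddress import ip_address, ip_network
# Both ACLs are the ones from the answer above, embedded here as constructed sample input.
ORIGINAL_ACL = """
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any any eq 389"""
REORDERED_ACL = """
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any any eq 389"""

def _net(t, i):   # 'any' is one token; 'host A' and 'A MASK' (ASA writes real masks) are two
    if t[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    spec = t[i + 1] + "/32" if t[i] == "host" else t[i] + "/" + t[i + 1]
    return ip_network(spec, strict=False), i + 2
def parse_acl(text):
    """[(action, proto, src_net, dst_net, dst_port|None)] in configured top-down order."""
    entries = []
    for line in text.splitlines():
        t = [w for w in line.split() if w != "extended"]   # also accept 'access-list X extended permit ...'
        if len(t) > 4 and t[0] == "access-list" and t[2] in ("permit", "deny"):   # skips blanks and remarks
            src, i = _net(t, 4)
            dst, i = _net(t, i)
            port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            entries.append((t[2], t[3], src, dst, port))
    return entries
def first_match(entries, proto, src_ip, dst_ip, dst_port):
    """Walk top-down as the ASA does: (line_no, action) of the first hit, else (None, 'deny')."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for n, (action, p, src, dst, port) in enumerate(entries, 1):
        if p in (proto, "ip") and s in src and d in dst and port in (None, dst_port):
            return n, action
    return None, "deny"       # every ASA ACL ends with an implicit deny
def shadowed(entries):   # line numbers that can never be hit: an earlier entry covers every packet they match
    return [n for n, (_, p, src, dst, port) in enumerate(entries, 1)
            if any(p2 in (p, "ip") and src.subnet_of(s2) and dst.subnet_of(d2) and pt2 in (None, port)
                   for _, p2, s2, d2, pt2 in entries[: n - 1])]
```

For the original list, `shadowed(parse_acl(ORIGINAL_ACL))` reports lines 2, 3, 7 and 8 as unreachable, while the reordered list reports none.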
