how to organize access-list in ASA

dantebarlizo · ‎02-16-2010

Hello

I need some help about access list. I understand is being read from top to down but

I would like to confirm if someone have a reference or knowledge on how to organize

access list w/ different protocols. what i meant is from top to down w/c protocols should be

at the top (example access-list inside line 1 permit tcp..... ) and how about the

access-list inside line 1 permit ICMP....

access-list inside line 1 permit udp....

source ip addresseses, is it from broad( top) going to specific ip(down).

Thanks.

Jon Marshall · ‎02-17-2010

dantebarlizo wrote:

Hello

I need some help about access list. I understand is being read from top to down but

I would like to confirm if someone have a reference or knowledge on how to organize

access list w/ different protocols. what i meant is from top to down w/c protocols should be

at the top (example access-list inside line 1 permit tcp..... ) and how about the

access-list inside line 1 permit ICMP....

access-list inside line 1 permit udp....

source ip addresseses, is it from broad( top) going to specific ip(down).

Thanks.

access-lists are indeed read from top to bottom and as soon as a match is made in the access-list processing stops and the action, pemit or deny, is executed.

Because access-lists are read from top to bottom the recommendation is to try and put the lines that will matched the most at the top of the acl. This means that processing of the acl per packet will be less because the device will find a match sooner rather than later. Having said that most devices are very good at processing acls so this is not something you should worry too much about.

Source IP addresses should be done specific nearer the top than broad. If you do it the other way round then there is the chance a match will be made on the broad entry when you wanted it on the specific.

Jon