ASA Questions

Unanswered Question
Apr 22nd, 2010

Dear friends,

  1. I need to tidy up my ASA5520, which includes removing unused access-lists, NAT etc. What is the best way to document my ruleset?
  2. Need advice on VPN. We have a lot of 3rd party companies dial in; they currently use a mixture of Secure Desktop and VPN client. They need access to servers which they RDP on to. What would you recommend they use?
  3. How would you hand out passwords to 3rd party companies?



scott-goodwin Thu, 04/22/2010 - 02:48


With regards to documenting rulebases, I think it's more an individual thing and depends on how your current documentation is laid out. Having worked with multiple customers, some just keep the raw ACLs in configuration backups. Others run spreadsheets which they add to whenever a change comes in; however, the latter soon starts to get huge. :)

Secure Desktop or VPN client should give you the granular control over what they can/can't do; it will also give you the option of checking for valid anti-virus etc., etc. The main thing here is to make sure they only have access to what they need and the specific services.

In my opinion, issuing RSA tokens to external companies is always the best option when it comes to password security.

Hope this helps


tahirs001 Thu, 04/22/2010 - 02:52

Hi Scott,

Thanks for the advice. My rulebase is already huge - I need to take control over it. How would I document it in a spreadsheet?

Also, when I issue the command "show access-list" there are a lot of access-list entries that do not get hit. Is there a way to monitor access lists apart from the hit count?



scott-goodwin Thu, 04/22/2010 - 03:07

Hi Tahir,

I presume you are using object groups within your configuration. If this is the case, the spreadsheets I have seen (I have never personally constructed one) have a sheet with all the object groups and the relevant IP addresses, and then separate sheets for each interface. Hence the easiest way I can think of when starting from scratch would be to get the rule base comma delimited so you can import it into the spreadsheet.

As for 0 hit rules, it's all down to housekeeping, and it is always common to find lots of rules with no hits that were added as knee-jerk reactions to faults or requests. I don't think there is any other way to monitor the ACLs with zero hits on the actual device; you would need to look at a reporting/management platform, I guess, that could collate the data for you.


If you found any of this helpful please rate the posts..
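Both points raised in this thread (getting the rule base into a comma-delimited form for a spreadsheet, and finding ACEs with zero hits) can be done offline from a saved copy of "show access-list". The script below is an added example, not code from either poster; the device output it parses is constructed to follow the ASA "show access-list" line format, with the ACL name, IP addresses and object-group name being made-up values.

```python
import csv
import io
import re

# One ACE line of ASA "show access-list". Unindented lines are the rules as
# configured; indented lines are the per-host expansion of an object-group rule
# and inherit their parent's line number, so they are skipped for documentation.
ACE_RE = re.compile(
    r"^(?P<indent>\s*)access-list (?P<acl>\S+) line (?P<line>\d+) "
    r"(?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

# Constructed sample (not captured from a real firewall).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_access_in; 4 elements; name hash: 0x1a2b3c4d
access-list outside_access_in line 1 extended permit tcp any host 192.0.2.10 eq 3389 (hitcnt=1532) 0xaaaaaaaa
access-list outside_access_in line 2 extended permit tcp object-group PARTNER_SRC host 192.0.2.11 eq 3389 (hitcnt=0) 0xbbbbbbbb
  access-list outside_access_in line 2 extended permit tcp host 198.51.100.5 host 192.0.2.11 eq 3389 (hitcnt=0) 0xcccccccc
  access-list outside_access_in line 2 extended permit tcp host 198.51.100.6 host 192.0.2.11 eq 3389 (hitcnt=0) 0xdddddddd
access-list outside_access_in line 3 extended deny ip any any (hitcnt=88) 0xeeeeeeee
"""

def parse_aces(text):
    """Return the configured ACEs as dicts; header and expansion lines are ignored."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m or m.group("indent"):
            continue
        aces.append({"acl": m.group("acl"), "line": int(m.group("line")),
                     "rule": m.group("rule"), "hitcnt": int(m.group("hits"))})
    return aces

def zero_hit_aces(aces):
    """Candidates for review: rules that have matched nothing since counters were cleared."""
    return [a for a in aces if a["hitcnt"] == 0]

def to_csv(aces):
    """Comma-delimited form of the rule base, ready to import into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["acl", "line", "rule", "hitcnt"])
    writer.writeheader()
    writer.writerows(aces)
    return buf.getvalue()

if __name__ == "__main__":
    rules = parse_aces(SAMPLE_SHOW_ACCESS_LIST)
    print(to_csv(rules))
    for ace in zero_hit_aces(rules):
        print(f"zero hits: {ace['acl']} line {ace['line']}: {ace['rule']}")
```

A zero hit count only means no matches since the counters were last cleared or the device last reloaded, so compare snapshots taken over a period that covers infrequent jobs before treating a rule as unused.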

