Hi,
I was wondering what the best practice is for the access-lists on the Cisco ACE.
Should we permit any in the access-list and classify the traffic in the class-maps, as seen in this brief example:
access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT
policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001
interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input ANY
  service-policy input EXCH-DMZ-OUT
Or should we also use the access-list for the access-group on the interface, as seen below:
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT
policy-map multi-match EXCH-DMZ-OUT
  class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001
interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input EXCH-DMZ-INTERNET-OUT
  service-policy input EXCH-DMZ-OUT
Regards,
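As an added audit example (not part of the post above, and not Cisco code), the script below reads an ACE configuration in the form shown and reports every interface whose access-group ACL carries a `permit ip any any` entry, i.e. the pattern of the first variant, so those interfaces can be reviewed; the sample config, including the second interface `vlan 757`, is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the first variant in the post (not a real device dump).
SAMPLE_CONFIG = """\
access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
interface vlan 756
  access-group input ANY
  service-policy input EXCH-DMZ-OUT
interface vlan 757
  access-group input EXCH-DMZ-INTERNET-OUT
  service-policy input EXCH-DMZ-OUT
"""

ACL_RE = re.compile(r"^access-list (\S+) line \d+ extended (permit|deny) (\S+) (.*)$")
IFACE_RE = re.compile(r"^interface (\S.*)$")
GROUP_RE = re.compile(r"^access-group (input|output) (\S+)$")

def parse_acls(config):
    """Map ACL name -> list of (action, protocol, remainder) entries."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4).strip()))
    return acls

def parse_access_groups(config):
    """Map interface name -> list of (direction, ACL name) bindings."""
    groups, current = defaultdict(list), None
    for line in config.splitlines():
        iface, group = IFACE_RE.match(line.strip()), GROUP_RE.match(line.strip())
        if iface:
            current = iface.group(1)
        elif group and current:
            groups[current].append((group.group(1), group.group(2)))
    return groups

def is_permit_any(entry):
    action, proto, rest = entry
    return action == "permit" and proto == "ip" and rest == "any any"

def find_open_interfaces(config):
    """Interfaces whose bound ACL has a permit ip any any entry, as (iface, direction, acl)."""
    acls = parse_acls(config)
    return [(iface, d, acl) for iface, bindings in parse_access_groups(config).items()
            for d, acl in bindings if any(is_permit_any(e) for e in acls.get(acl, []))]
```

Run against `SAMPLE_CONFIG` it reports only `vlan 756`, the interface bound to the `ANY` list; `vlan 757`, bound to the restrictive list, is not flagged.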