ACL Commands on new ASA

Unanswered Question
Jun 11th, 2010

Hello:

I am replacing my PIX with a new ASA.  When my PIX was deployed I used a consultant to get it online quickly.  Later I realized he used a lot of wild cards in the config.  (any to any)  Since the initial deployment I cleaned a lot of them up.  Here is my question.  I have always used the guideline the firewall should be very secure.  No traffic should be able to pass out or in unless I allow it.  There are some "any to any" ACLs in for services like DNS and some others.  I like to use "object-groups" in my config and group my networks and hosts.  This will ultimately make the config bigger and thus create more processing power on the ASA.  Am I right to use the "object-group" for these types of services or am I just over thinking this?

Harrison Midkiff

Federico Coto F... Fri, 06/11/2010 - 08:08

Hi,

You're absolutely right.

You want to restrict the ACE statements as much as possible (avoid "any" wherever you can).

Also, to make the ACL more manageable, using object groups is the recommendation.

Federico.

terrygwazdosky Fri, 06/11/2010 - 08:08

Grouping like items is exactly what object groups are for.  It makes the config easier to look at, and adding or removing a host from a group is easier than re-writing the ACE.
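To make the advice in both replies concrete, here is an added example that is not part of the thread: a small Python audit that parses ASA extended access-list lines and flags every `permit` ACE whose source and destination are both `any` (or `any4`/`any6`). The embedded config is constructed for the example and the object-group names (`INSIDE_NETS`, `DNS_SERVERS`) and addresses are assumptions; it shows the blanket DNS rule the question describes next to its object-group equivalent, which the checker leaves alone.

```python
"""Audit Cisco ASA access-list lines for wide-open 'permit ... any any' entries.

The config below is constructed for this example (not from the thread). It pairs
the inherited "any to any" DNS rule with the tighter object-group version.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_CONFIG = """\
object-group network INSIDE_NETS
 network-object 10.1.0.0 255.255.0.0
object-group network DNS_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
access-list OUTSIDE_IN extended permit udp any any eq domain
access-list INSIDE_OUT extended permit udp object-group INSIDE_NETS object-group DNS_SERVERS eq domain
access-list INSIDE_OUT extended permit tcp any host 198.51.100.5 eq www
access-list INSIDE_OUT extended deny ip any any
"""

ANY_TOKENS = {"any", "any4", "any6"}
PORT_OPERATORS = {"eq", "gt", "lt", "neq"}


@dataclass
class Ace:
    acl: str
    action: str
    protocol: str
    src: str
    dst: str
    line: str

    def is_any_to_any(self) -> bool:
        return self.src in ANY_TOKENS and self.dst in ANY_TOKENS

    def uses_object_groups(self) -> bool:
        return self.src.startswith("object-group ") or self.dst.startswith("object-group ")


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at tokens[i]: any/any4/any6, host X, object X,
    object-group X, or '<network> <mask>'. Returns (spec, next index)."""
    tok = tokens[i]
    if tok in ANY_TOKENS:
        return tok, i + 1
    # host/object/object-group take one argument; a bare network takes its mask
    return f"{tok} {tokens[i + 1]}", i + 2


def _skip_port(tokens: List[str], i: int) -> int:
    """Skip an optional port operator: 'eq|gt|lt|neq X' or 'range A B'."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'access-list <name> extended <permit|deny> <proto> <src> [port] <dst> ...'.

    Remarks, standard ACLs and non-ACL lines return None. A service object-group
    used as a source-port spec is not handled (rare form, kept out for brevity).
    """
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    acl, action = tokens[1], tokens[3]
    i = 4
    if tokens[i] == "object-group":  # service object-group in the protocol slot
        protocol, i = f"object-group {tokens[i + 1]}", i + 2
    else:
        protocol, i = tokens[i], i + 1
    src, i = _take_address(tokens, i)
    i = _skip_port(tokens, i)
    dst, i = _take_address(tokens, i)
    return Ace(acl, action, protocol, src, dst, line)


def audit(config: str) -> List[Ace]:
    """Return every extended ACE that permits traffic from any source to any destination."""
    findings = []
    for raw in config.splitlines():
        ace = parse_ace(raw.strip())
        if ace and ace.action == "permit" and ace.is_any_to_any():
            findings.append(ace)
    return findings


if __name__ == "__main__":
    for ace in audit(SAMPLE_CONFIG):
        print(f"[{ace.acl}] wide-open permit: {ace.line}")
```

Run against a saved `show running-config` the script lists only the blanket permits, so the final `deny ip any any` is not reported. The object-group form does not shrink what the ASA has to evaluate: `show access-list` displays the expanded entries and their element count, which is the number to watch if the processing concern raised in the question matters.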
