ACL Commands on new ASA

HMidkiff
Level 1

Hello:

I am replacing my PIX with a new ASA. When my PIX was deployed I used a consultant to get it online quickly. Later I realized he used a lot of wild cards in the config (any to any). Since the initial deployment I have cleaned a lot of them up. Here is my question. I have always used the guideline that the firewall should be very secure: no traffic should be able to pass out or in unless I allow it. There are some "any to any" ACLs in for services like DNS and some others. I like to use "object-groups" in my config and group my networks and hosts. This will ultimately make the config bigger and thus require more processing power on the ASA. Am I right to use "object-group" for these types of services, or am I just overthinking this?

Harrison Midkiff

2 Replies

Hi,

You're absolutely right.

You want to restrict the ACE statements as much as possible. (avoid ''any'' wherever you can).

Also, to make the ACL more manageable, using object groups is the recommendation.

Federico.

terrygwazdosky
Level 1

Grouping like items is exactly what object groups are for. It makes the config easier to look at, and adding or removing a host from a group is easier than re-writing the ACE.
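Both replies say the same thing: get rid of "any" in permit ACEs and scope them with object-groups. The script below, added here as an example and not code from any of the posters, puts the two styles side by side. It embeds a constructed ASA configuration (the object-group names INSIDE_NETS, DNS_SERVERS, DNS_PORTS, the ACL name OUTBOUND and all addresses are hypothetical) containing the "any to any" DNS permit from the question next to an equivalent written with object-groups, then parses the network object-groups and the extended ACEs, flags every permit whose source or destination is any/any4/any6, and expands object-group references so you can see exactly what each scoped ACE allows. Pointing it at a saved running-config is the quickest way to find the wild cards left over from the original deployment.

```python
"""Audit Cisco ASA access-lists for 'any'-based permits and expand object-groups.

Added example for this thread, not code from the original posts. The config
below is constructed; group/ACL names (INSIDE_NETS, DNS_SERVERS, DNS_PORTS,
OUTBOUND) and addresses are hypothetical.
"""
import re

# Constructed sample: the 'any to any' DNS permit from the question beside an
# equivalent scoped with object-groups, followed by the usual explicit deny.
SAMPLE_CONFIG = """\
object-group network INSIDE_NETS
 network-object 10.1.0.0 255.255.0.0
 network-object host 10.2.0.5
object-group network DNS_SERVERS
 network-object host 192.0.2.53
 network-object host 198.51.100.53
object-group service DNS_PORTS udp
 port-object eq domain
access-list OUTBOUND extended permit udp any any eq domain
access-list OUTBOUND extended permit udp object-group INSIDE_NETS object-group DNS_SERVERS object-group DNS_PORTS
access-list OUTBOUND extended deny ip any any log
access-group OUTBOUND in interface inside
"""

ANY_TOKENS = {"any", "any4", "any6"}
PORT_OPS = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}  # operator plus operand count


def parse_object_groups(config):
    """Return {name: [members]} for every 'object-group network' block."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif current and line.startswith(" network-object "):
            groups[current].append(line.split(None, 1)[1].strip())
        elif not line.startswith(" "):
            current = None  # any other top-level line closes the block
    return groups


def _take_address(tokens):
    """Consume one address spec: any/any4/any6 (1 token) or host X, object X,
    object-group X, NET MASK (2 tokens)."""
    if tokens[0] in ANY_TOKENS:
        return tokens[0], tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]


def _skip_port_spec(tokens):
    """Skip a source-port operator (eq/gt/lt/neq/range) sitting before the destination."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[PORT_OPS[tokens[0]]:]
    return tokens


def parse_aces(config):
    """Parse 'access-list NAME extended permit|deny ...' lines into dicts."""
    aces = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (.*)", line)
        if not m:
            continue
        acl, action, tokens = m.group(1), m.group(2), m.group(3).split()
        if tokens[0] == "object-group":  # protocol given as a service/protocol group
            proto, tokens = " ".join(tokens[:2]), tokens[2:]
        else:
            proto, tokens = tokens[0], tokens[1:]
        src, tokens = _take_address(tokens)
        tokens = _skip_port_spec(tokens)
        dst, tokens = _take_address(tokens)
        aces.append({"acl": acl, "action": action, "protocol": proto,
                     "src": src, "dst": dst, "rest": tokens, "line": line})
    return aces


def wildcard_permits(aces):
    """Permit ACEs with 'any' on either side: the ones to scope down with object-groups."""
    return [a for a in aces
            if a["action"] == "permit" and (a["src"] in ANY_TOKENS or a["dst"] in ANY_TOKENS)]


def expand(address, groups):
    """Expand an object-group reference to its members; other address forms pass through."""
    if address.startswith("object-group "):
        name = address.split()[1]
        return groups.get(name, ["<undefined object-group %s>" % name])
    return [address]


def report(config):
    """One line per permit ACE with groups expanded; '!!' marks wildcard permits."""
    groups, lines = parse_object_groups(config), []
    for ace in parse_aces(config):
        if ace["action"] != "permit":
            continue  # the trailing 'deny ip any any log' is expected, not a finding
        wild = ace["src"] in ANY_TOKENS or ace["dst"] in ANY_TOKENS
        lines.append("%s %s %s %s -> %s %s" % (
            "!!" if wild else "ok", ace["acl"], ace["protocol"],
            ",".join(expand(ace["src"], groups)),
            ",".join(expand(ace["dst"], groups)), " ".join(ace["rest"])))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run against the embedded sample it flags only the first DNS permit; the object-group version resolves to the two inside networks talking to the two resolvers on UDP/53, which is the rule you actually want. Only the permit lines are reported, since an explicit "deny ip any any log" at the end of the list is the intended catch-all rather than a wild card to clean up. The parser covers the common extended-ACE shapes (any/any4/any6, host, object, object-group, network-and-mask, an optional source-port operator); source ports given as an object-group are not handled, so check those lines by hand.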
