06-11-2010 07:47 AM - edited 03-11-2019 10:58 AM
Hello:
I am replacing my PIX with a new ASA. When my PIX was deployed I used a consultant to get it online quickly. Later I realized he used a lot of wildcards (any to any) in the config. Since the initial deployment I have cleaned a lot of them up. Here is my question. I have always used the guideline that the firewall should be very secure: no traffic should be able to pass out or in unless I allow it. There are some "any to any" ACLs in for services like DNS and some others. I like to use object-groups in my config to group my networks and hosts. This will ultimately make the config bigger and thus require more processing power on the ASA. Am I right to use object-groups for these types of services, or am I just overthinking this?
Harrison Midkiff
06-11-2010 08:08 AM
Hi,
You're absolutely right.
You want to restrict the ACE statements as much as possible. (avoid ''any'' wherever you can).
Also, to make the ACL more manageable, using object groups is the recommendation.
Federico.
06-11-2010 08:08 AM
Grouping like items is exactly what object groups are for. It makes the config easier to look at, and adding or removing a host from a group is easier than rewriting the ACE.
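As a worked illustration of what both replies recommend (tightening the DNS "any to any" ACE from the question and expressing it with object groups), here is an added ASA configuration fragment. It is not from the original thread or from Cisco documentation; the ACL and object-group names (INSIDE_IN, INSIDE_NETS, DNS_SERVERS, DNS_PORTS), the interface name and all addresses are made up, and it assumes ASA 8.3 or later syntax for service objects (older releases put the port match on the ACE itself rather than in a service object-group).

```cisco
! --- Before: the kind of ACE left over from the PIX migration.
! Any inside host may send DNS to any destination, and nothing
! says which resolvers are the sanctioned ones.
access-list INSIDE_IN extended permit udp any any eq domain

! --- After: the same intent, scoped with object groups.
! Hypothetical inside address space (assumption for this example).
object-group network INSIDE_NETS
 network-object 10.10.0.0 255.255.0.0

! Hypothetical resolvers that inside hosts are allowed to query.
object-group network DNS_SERVERS
 network-object host 10.10.1.53
 network-object host 10.10.1.54

! DNS over UDP and TCP (TCP is needed for large responses and zone transfers).
object-group service DNS_PORTS
 service-object udp destination eq domain
 service-object tcp destination eq domain

! One ACE references the three groups; adding a resolver later is a
! one-line change to DNS_SERVERS, not a rewrite of the ACE.
access-list INSIDE_IN extended permit object-group DNS_PORTS object-group INSIDE_NETS object-group DNS_SERVERS

! Explicit, logged deny at the end so unexpected traffic shows up in syslog
! instead of silently hitting the implicit deny.
access-list INSIDE_IN extended deny ip any any log

access-group INSIDE_IN in interface inside
```

Two points worth checking after applying something like this. First, `show access-list INSIDE_IN` displays the ACL as the ASA actually evaluates it: each object-group ACE is expanded into one line per member combination, each with its own hit count, so the real size of the policy is the product of the group sizes, not the number of lines in `show running-config`. Small, purpose-specific groups keep that expansion modest, and the hit counts on the expanded lines tell you whether a member is still needed. Second, the logged deny line is where the "any to any" leftovers from the PIX reveal themselves: once the permissive ACE is gone, the syslog messages generated by that deny show exactly which hosts and ports were relying on it, which is safer than guessing before the cutover.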