Access list with no static maps

Unanswered Question
Sep 17th, 2010

Hello Everyone,

Somewhat of a newbie.

I have to review several firewall configurations, that I do not have responsibility for.

I am reviewing a small office that does no hosting with internet access for the office users.

I didn't create the configs, just have to review them.

The firewall config has several "access-list outside rules" stated.

example:

     access-list outside extended permit tcp any any eq ftp log
     access-list outside extended permit tcp any gt 1023 any eq ftp-data log
     access-list outside extended permit tcp any any eq www log

The access list is assigned to an interface

     access-group outside in interface Outside

There are no static routes defined for (inside, outside) and the access list is not used anywhere else in the config.

Is this access list actually protecting any networks or hosts if there are no static routes defined?

Thanks

Nagaraja Thanthry Fri, 09/17/2010 - 16:55

Hello,

If there is no static mapping from internal IP to external IP, then the access-lists would not be applicable. The best way to see if the access-lists are used or not is to issue "show access-list" and see if there are any hit counts. If there are none, then most likely it is not used and it is safe to remove them. If you are certain that there are no hosted services in that site, then there is no reason for those access-lists to be in there. You can remove them, as keeping them there could potentially open up some security risks.

Regards,

NT
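A way to run the two checks the reply suggests (look for static mappings, then look at the hit counters from "show access-list") across several configs at once, as an added example that is not part of the original thread. It assumes a pre-8.3 ASA/PIX that expresses NAT with `static (real,mapped)` lines; the config fragment and the `show access-list` output below are constructed from the poster's three rules, not captured from their firewall (the hash values are made up), and the `review` function and its finding format are my own:

```python
import re
from dataclasses import dataclass

# Regexes for the pre-8.3 ASA/PIX config lines the thread talks about
# (assumption: NAT is written as "static (real,mapped)", not 8.3+ "nat" objects).
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)", re.M)
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)", re.M)
# One ACE line of "show access-list": name, line number, rule text, action, hit counter.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+line\s+(\d+)\s+"
    r"(extended\s+(permit|deny)\s+.*?)\s+\(hitcnt=(\d+)\)", re.M)

# Constructed sample input modelled on the poster's rules; not output from their firewall.
RUNNING_CONFIG = """\
access-list outside extended permit tcp any any eq ftp log
access-list outside extended permit tcp any gt 1023 any eq ftp-data log
access-list outside extended permit tcp any any eq www log
access-group outside in interface Outside
"""

# Constructed "show access-list" output in the ASA format; hashes are made up.
SHOW_ACCESS_LIST = """\
access-list outside; 3 elements; name hash: 0x1a2b3c4d
access-list outside line 1 extended permit tcp any any eq ftp log informational interval 300 (hitcnt=0) 0x11111111
access-list outside line 2 extended permit tcp any gt 1023 any eq ftp-data log informational interval 300 (hitcnt=0) 0x22222222
access-list outside line 3 extended permit tcp any any eq www log informational interval 300 (hitcnt=17) 0x33333333
"""

# Constructed contrast: the same ACL at a site that does host a web server behind a static.
HOSTING_CONFIG = RUNNING_CONFIG + (
    "static (inside,Outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255\n")


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    text: str
    hits: int


def parse_access_groups(config: str) -> dict:
    """Map ACL name -> (direction, interface) for every access-group in the config."""
    return {name: (direction, iface)
            for name, direction, iface in ACCESS_GROUP_RE.findall(config)}


def parse_statics(config: str) -> list:
    """Return (real_ifc, mapped_ifc, mapped_ip, real_ip) for every static mapping."""
    return [tuple(m) for m in STATIC_RE.findall(config)]


def parse_hitcounts(show_output: str) -> list:
    """Turn "show access-list" output into Ace records carrying their hit counters."""
    return [Ace(acl, int(line), action, text, int(hits))
            for acl, line, text, action, hits in ACE_RE.findall(show_output)]


def review(config: str, show_output: str) -> list:
    """Apply the thread's two checks and return one finding string per issue."""
    findings = []
    statics = parse_statics(config)
    aces = parse_hitcounts(show_output)
    for name, (direction, iface) in parse_access_groups(config).items():
        permits = [a for a in aces if a.acl == name and a.action == "permit"]
        # Inbound permits on an interface with nothing translated behind it.
        if direction == "in" and permits and not statics:
            findings.append(
                f"{name}: applied inbound on {iface} with {len(permits)} permit "
                f"entries but the config has no static mappings")
        # Permits that have never matched anything since the counters were last reset.
        for ace in permits:
            if ace.hits == 0:
                findings.append(f"{name} line {ace.line}: zero hits ({ace.text})")
    return findings


if __name__ == "__main__":
    for finding in review(RUNNING_CONFIG, SHOW_ACCESS_LIST):
        print(finding)
```

Two caveats when reading the output. A zero hit count only means nothing matched since the counters were last cleared or the box last reloaded, so check uptime before treating a rule as dead. And the static check is deliberately coarse: it reports whether any static exists at all, which is the situation in this thread; on an 8.3 or later ASA the NAT syntax is different and STATIC_RE would need to be rewritten for it.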
