ASA 5505 access list from external server?

Answered Question
Oct 4th, 2014
Hi,

My beloved old PIX died a year ago, and after running a Linux firewall in the meantime, I recently bought an ASA 5505.

Now, with my Linux firewall I did two things besides the "normal" firewalling:

First: I blocked Palestine, China and Korea via automated scripts which pull and update the rules every 24h.

Second: I blocked access to SIP ports according to a list of sources for SIP fraud attempts which I maintain myself.

Is there any easy way to pull those lists to my ASA, e.g. via TFTP? Or would my script have to log in to the ASA and issue a ton of access-list commands? What's the performance impact of pushing 5000+ rules to a 5505?

-Stefan

Correct Answer
Vibhor Amrodia Sun, 10/05/2014 - 20:44
User Badges: Cisco Employee

Hi Stefan,

I think you can copy the ACL lines via TFTP by copying the configuration to the running configuration; it will merge with the existing configuration.

www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmd...

I would recommend using object groups for easier management:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/gu...

There is no hard-coded limit on the number of ACEs/ACLs on the ASA, but the recommended limit is around 25K.

Thanks and Regards,

Vibhor Amrodia

sgofferje Mon, 10/06/2014 - 04:57
Hi,

Thanks, that looks pretty easy to do. Is there a way to bypass "enable" and put the user directly into privileged EXEC mode like on routers? I do have tac_plus running and could set up a RADIUS server if necessary. Otherwise, automating the ACL update over SSH would be fairly hard.

Regarding the limits, I am more worried about the performance of the 5505. When I used a Linux firewall, I saw a significant drop in performance after loading all the rules. Throughput dropped from wire speed 100M to about 40-50M...

-Stefan

sgofferje Tue, 10/07/2014 - 13:16
Very cool! I'm currently working on a script to convert the blocklists into an object group.

Pity that the auto-enable doesn't work with public key authentication...
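The converter Stefan mentions above is not posted in the thread. The following is an added example (not the thread's code and not a Cisco tool) of the approach Vibhor's answer suggests: turn a text blocklist into an `object-group network` and push the fragment as a merge into the running config. The input format (one CIDR or bare IPv4 host per line, `#` comments), the group and ACL names, and the two sample feeds are all constructed for the example. The one caveat a merge does not handle by itself is removal: `copy tftp: running-config` only adds lines, so the script diffs today's feed against yesterday's and emits explicit `no network-object` lines for entries that dropped out.

```python
"""Turn a plain-text blocklist into ASA object-group commands.

Added example, not code from the thread. Assumed input: one entry per
line, either a CIDR prefix (203.0.113.0/24) or a bare IPv4 host
(198.51.100.7); '#' starts a comment. Group/ACL names are placeholders.
"""
import ipaddress


def parse_blocklist(text):
    """Parse a blocklist into a set of IPv4 networks.

    Overlapping and adjacent entries are collapsed so the ASA receives the
    smallest equivalent set of network-objects; IPv6 entries are skipped.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)  # tolerate host bits set
        if net.version == 4:
            nets.append(net)
    return set(ipaddress.collapse_addresses(nets))


def network_object_line(net):
    """Render one IPv4 network as an ASA 'network-object' line."""
    if net.prefixlen == 32:
        return f"network-object host {net.network_address}"
    return f"network-object {net.network_address} {net.netmask}"


def build_update(group, new_nets, old_nets=frozenset()):
    """Commands that make object-group 'group' contain exactly new_nets.

    A 'copy tftp: running-config' merge only adds, so entries that left the
    feed are withdrawn explicitly with 'no network-object ...'. With an empty
    old_nets this emits the initial, complete group.
    """
    lines = [f"object-group network {group}"]
    for net in sorted(old_nets - new_nets):
        lines.append(" no " + network_object_line(net))
    for net in sorted(new_nets - old_nets):
        lines.append(" " + network_object_line(net))
    return lines


def deny_line(acl, group, proto="ip", port=None):
    """One ACE denying traffic from the group; a port limits it to one service."""
    line = f"access-list {acl} extended deny {proto} object-group {group} any"
    if port is not None:
        line += f" eq {port}"
    return line


def acl_setup(acl="outside_in", country_group="BLOCKED_COUNTRIES",
              sip_group="SIP_FRAUD"):
    """One-time ACEs (not re-pushed daily): block the country list for all
    traffic and the SIP-fraud list for UDP/5060 only."""
    return [
        deny_line(acl, country_group),
        deny_line(acl, sip_group, proto="udp", port=5060),
    ]


# Constructed sample feeds standing in for yesterday's and today's pulls.
OLD_FEED = """
203.0.113.0/24
198.51.100.7
198.51.100.8
"""

NEW_FEED = """
203.0.113.0/25
203.0.113.128/25      # the two halves collapse back into the /24
198.51.100.7
192.0.2.0/24
192.0.2.77/32         # already covered by the /24 above
2001:db8::/32         # IPv6 entry: skipped by this script
"""


def render_daily_update(group="BLOCKED_COUNTRIES"):
    """Config fragment for today's run, diffed against yesterday's feed."""
    old = parse_blocklist(OLD_FEED)
    new = parse_blocklist(NEW_FEED)
    return "\n".join(build_update(group, new, old)) + "\n"


if __name__ == "__main__":
    print("\n".join(acl_setup()))
    print(render_daily_update(), end="")
```

Write the output of `render_daily_update()` to the TFTP server and merge it with `copy tftp: running-config`; keep the previous feed on disk so the next run can compute the diff. The two `acl_setup()` lines and the `access-group` binding are applied once by hand, since the ACE only references the group and does not change when the group's members do.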
