Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACL Commands on new ASA


I am replacing my PIX with a new ASA.  When my PIX was deployed I used a consultant to get it online quickly.  Later I realized he used a lot of wild cards in the config.  (any to any)  Since the initial deployment I cleaned a lot of them up.  Here is my question.  I have always used the guideline the firewall should be very secure.  No traffic should be able to pass out or in unless I allow it.  There are some "any to any" ACL's in for services like DNS and some others.  I like to use "object-groups" in my config and group my networks and hosts.  This will ultimately make the config bigger and thus create more processing power on the ASA.  Am I right to use the "object-group" for these types of services or am I just over thinking this?

Harrison Midkiff


Re: ACL Commands on new ASA


You're absolutately right.

You want to restrict the ACE statements as much as possible. (avoid ''any'' wherever you can).

Also, to make the ACL more manageable, use object groups is the recommendation.


New Member

Re: ACL Commands on new ASA

Grouping like items is exactly what object groups are for.  It make the config easier to look at and adding or removing a host from a group is easier than re-writing the ACE.

CreatePlease login to create content