Cisco Support Community
ACL do you define all traffic?

Is it best practice to create an ACL on each interface that specifies what traffic is allowed and denies everything else?

I've got a couple of interfaces on my ASA where someone has put in a rule that says allow any to any. I would assume that would not be a good idea.

1 REPLY
Hi,

I personally prefer to only allow traffic from the actual source networks that are located behind the interface instead of specifying the source as "any" in the ACL statement.

I also tend to add a "deny ip any any" statement at the end of the interface ACL (even though it already contains an implicit deny). This is because it lets me actually see the hit count of denied traffic on that interface, while the implicit deny counter cannot be seen.

Naturally, if you have "ip verify reverse-path" configured for your LAN/DMZ interface, then that will already make sure that traffic is not allowed from source addresses/networks that, according to the ASA routing table, are NOT located behind the source interface.

- Jouni
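As an added worked example, not part of the original post or reply, the following ASA configuration fragment shows the three points above applied to one interface, next to the "allow any to any" rule the question describes. The interface name `inside`, the networks 10.10.0.0/24 and 192.168.50.0/24, and the ACL name `INSIDE-IN` are assumptions chosen for illustration.

```text
! Assumed (hypothetical) topology: interface "inside" fronts 10.10.0.0/24,
! the DMZ web servers sit on 192.168.50.0/24, and the ACL is named INSIDE-IN.
!
! The weak rule from the question. It permits everything, including spoofed
! sources, and gives no visibility into what is actually crossing the interface:
!   access-list INSIDE-IN extended permit ip any any
!
! 1. Name the real source network rather than "any", and only the services needed.
access-list INSIDE-IN remark Inside hosts to DMZ web servers
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 443
access-list INSIDE-IN remark Inside hosts to the Internet (web and DNS)
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.255.0 any eq 80
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.255.0 any eq 443
access-list INSIDE-IN extended permit udp 10.10.0.0 255.255.255.0 any eq 53
!
! 2. Explicit final deny. The implicit deny keeps no visible counter; this ACE
!    shows a hitcnt in "show access-list", and "log" emits a syslog per
!    matching flow, which helps while the policy is still being tightened.
access-list INSIDE-IN extended deny ip any any log
!
! Bind the ACL inbound on the interface.
access-group INSIDE-IN in interface inside
!
! 3. Unicast RPF: drop packets whose source address does not route back
!    through "inside" according to the ASA routing table.
ip verify reverse-path interface inside
```

To check the result, `show access-list INSIDE-IN` lists each ACE with a `(hitcnt=N)` field; a growing count on the final deny line is the signal the reply describes, and the syslog from the `log` keyword tells you which source, destination and port were dropped. Packets rejected by reverse-path verification never reach the ACL, so they do not increment the deny counter; they show up instead under the `rpf-violated` reason in `show asp drop`.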
