My question is not platform specific but I manage numerous ASAs and PIXes which is what I am concerned with.
Generally speaking, best practices suggest using an explicit deny with logging at the end of ACLs. My question is very simple. Does this apply only to "interface" ACLs, meaning only for those applied in an access-group statement? Or does it also apply to "non-interface" ACLs such as those used for VPN (regardless of whether it's site-to-site or remote-access)?
It seems that depending on how the ACL is used the addition of an explicit deny may be pointless in the case of some non-interface ACLs. Maybe I'm wrong.
Thanks for your feedback/interpretations/opinions.
I appreciate your response. You are correct, but I think the beyond-the-basics nuance wasn't blatantly obvious, so I apologize.
Yes, I understand the implicit deny as you highlighted. However, the explicit deny is beneficial: the implicit deny does not appear in the 'show access-list' output whereas the explicit deny does, so the hitcnt for the explicit ACE is visible. Also, logging for the ACE can be controlled. I guess these two reasons are the basis for the logic of adding the ACE as a best practice.
I also understand that future rules would have to be appropriately placed above the explicit deny.
A simple example of what I'm curious about...
In defining interesting traffic for a crypto map, is there any benefit, as described above, to explicitly denying traffic, or is this pointless? Either the traffic matches or it doesn't, so an explicit deny will never get hit?
access-list vpn10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn11 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
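The distinction the poster is asking about (is this ACL bound with access-group, or referenced by a crypto map match address?) is something you can check across many boxes from saved CLI output. The script below is an added example and is not part of the original post or anyone's reply: it parses text captured from 'show running-config' and 'show access-list', works out how each ACL is used, and reports whether an interface ACL carries an explicit deny (and whether that deny has 'log'), whether any ACE sits below a 'deny ip any any' and can therefore never match, and which ACLs are not referenced at all. The sample output embedded in it is constructed and abbreviated; the ACL names (outside_in, dmz_in, vpn10, stale), hashes and hit counts are made up, and real output has additional lines (remarks, object-group expansions) that the parser simply skips because they do not carry 'line N extended'.

```python
# Added example (not the original poster's code): audit saved ASA 'show running-config' / 'show access-list' text.
import re
from dataclasses import dataclass, field

# Constructed, abbreviated sample output; ACL names, hashes and hit counts are made up.
RUNNING_CONFIG = """\
access-list outside_in extended permit tcp any host 192.168.1.10 eq www
access-list outside_in extended deny ip any any log
access-list dmz_in extended permit tcp any host 10.0.0.5 eq 22
access-list dmz_in extended deny ip any any log
access-list dmz_in extended permit tcp any host 10.0.0.6 eq 443
access-list vpn10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
crypto map outside_map 10 match address vpn10
"""
SHOW_ACCESS_LIST = """\
access-list outside_in; 2 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any host 192.168.1.10 eq www (hitcnt=1532) 0x11111111
access-list outside_in line 2 extended deny ip any any log (hitcnt=87) 0x22222222
access-list dmz_in; 3 elements; name hash: 0x7b8c9dae
access-list dmz_in line 1 extended permit tcp any host 10.0.0.5 eq 22 (hitcnt=12) 0x66666666
access-list dmz_in line 2 extended deny ip any any log (hitcnt=340) 0x77777777
access-list dmz_in line 3 extended permit tcp any host 10.0.0.6 eq 443 (hitcnt=0) 0x88888888
access-list vpn10; 1 elements; name hash: 0x9c0d1e2f
access-list vpn10 line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=4410) 0x44444444
access-list stale; 1 elements; name hash: 0x3a4b5c6d
access-list stale line 1 extended permit ip any any (hitcnt=0) 0x55555555
"""

ACE_RE = re.compile(r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended "
                    r"(?P<action>permit|deny) (?P<match>.+?) \(hitcnt=(?P<hits>\d+)\)")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")

@dataclass
class Ace:
    line: int
    action: str
    match: str  # text between the action and "(hitcnt=", e.g. "ip any any log"
    hits: int
    def is_deny_any(self) -> bool:
        return self.action == "deny" and self.match.split()[:3] == ["ip", "any", "any"]
    def logged(self) -> bool:
        return "log" in self.match.split()

@dataclass
class AclReport:
    name: str
    binding: str  # "interface <if>", "crypto-map <map> <seq>" or "unbound"
    aces: list
    findings: list = field(default_factory=list)

def parse_bindings(running_config: str) -> dict:
    """Map ACL name -> the access-group or crypto map statement that uses it."""
    bindings = {}
    for raw in running_config.splitlines():
        if m := ACCESS_GROUP_RE.match(raw.strip()):
            bindings[m.group(1)] = f"interface {m.group(2)}"
        elif m := CRYPTO_MATCH_RE.match(raw.strip()):
            bindings[m.group(3)] = f"crypto-map {m.group(1)} {m.group(2)}"
    return bindings

def parse_show_access_list(text: str) -> dict:
    """Map ACL name -> ACEs in order (header and remark lines have no 'line N extended' and are skipped)."""
    acls = {}
    for raw in text.splitlines():
        if m := ACE_RE.match(raw.strip()):
            acls.setdefault(m["acl"], []).append(Ace(int(m["line"]), m["action"], m["match"], int(m["hits"])))
    return acls

def audit(running_config: str, show_access_list: str) -> dict:
    bindings = parse_bindings(running_config)
    reports = {}
    for name, aces in parse_show_access_list(show_access_list).items():
        rep = AclReport(name, bindings.get(name, "unbound"), aces)
        deny_idx = next((i for i, a in enumerate(aces) if a.is_deny_any()), None)
        # Anything placed below a catch-all deny can never match; new rules must go above it.
        if deny_idx is not None and deny_idx < len(aces) - 1:
            later = ", ".join(str(a.line) for a in aces[deny_idx + 1:])
            rep.findings.append(f"line {aces[deny_idx].line} deny ip any any shadows later line(s) {later}")
        if rep.binding.startswith("interface"):
            if deny_idx is None:
                rep.findings.append("no explicit deny: implicit-deny drops have no hitcnt and no per-ACE log control")
            else:
                d = aces[deny_idx]
                rep.findings.append(f"explicit deny on line {d.line} "
                                    f"{'is logged' if d.logged() else 'lacks log'} (hitcnt={d.hits})")
        elif rep.binding.startswith("crypto-map"):
            rep.findings.append("crypto-map ACL: permits select interesting traffic; non-matching traffic "
                                "is simply not tunnelled, so a trailing deny adds no enforcement")
        else:
            rep.findings.append("not referenced by any access-group or crypto map")
        reports[name] = rep
    return reports

if __name__ == "__main__":
    for rep in audit(RUNNING_CONFIG, SHOW_ACCESS_LIST).values():
        print(f"{rep.name} ({rep.binding}): " + "; ".join(rep.findings))
```

Run it against real captures by replacing the two constants with the saved files. The findings encode the two points made above: for an interface ACL the explicit deny is the only place a hitcnt and a per-ACE log setting exist for dropped traffic, while for a crypto map ACL the permit entries alone decide what is interesting, so the shadowing check (anything below a 'deny ip any any') is the one that matters when rules get appended later.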