Cisco Support Community

New Member

ASA 5505 access list from external server?

Hi,

my beloved old PIX died a year ago and after running a Linux firewall in the meanwhile, I bought an ASA5505 recently.

Now, with my Linux firewall I did 2 things besides the "normal" firewalling:

First: I blocked Palestine, China and Korea via automated scripts which pull and update the rules every 24h

Second: I blocked access to SIP ports according to a list of sources for SIP fraud attempts which I maintain myself.

Is there any easy way to pull those lists to my ASA, e.g. via TFTP? Or would my script have to log in to the ASA and issue a ton of access-list commands? How's the performance impact of pushing 5000+ rules to a 5505?

-Stefan

1 ACCEPTED SOLUTION

Cisco Employee

Hi Stefan,

I think you can copy the ACL lines using TFTP by copying the configuration to the running configuration, and it will merge the configuration with the already existing changes.

www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2171368

I would recommend using the Object Groups for easier management:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/objectgroups.html

There is no hard-coded limit for the number of ACEs/ACLs on the ASA device, but the recommended limit is around 25K.

Thanks and Regards,

Vibhor Amrodia

5 REPLIES

New Member

Hi,

thanks, that looks pretty easy to do. Is there a way to bypass the "enable" and put the user directly into priv exec mode like on routers? I do have tac_plus running and if necessary could set up a RADIUS server. Otherwise the automation of the ACL update would be fairly hard through SSH.

Regarding the limits, I am more worried about the performance of the 5505. When I used a Linux firewall, I saw a significant drop in performance after loading all the rules. The net throughput dropped from wire speed 100M to about 40-50M...

-Stefan

Cisco Employee

Hi,

You would be able to login directly to the Exec mode using this configuration:-

aaa authentication ssh console LOCAL

aaa authorization exec LOCAL auto-enable

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1595724

NOTE: This is only available from 9.2.1+

Thanks and Regards,

Vibhor Amrodia

New Member

Very cool! I'm currently working on a script to convert the blocklists into an object group.

Pity that the auto-enable doesn't work with public key authentication...

New Member

Aaaaand ready :). Thanks a lot again.

Here is my script to automatically create object-groups which can be copied from tftp to run:

http://stefan.gofferje.net/it-stuff/cisco-systems/201-block-a-whole-country-with-a-cisco-asa
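As an added illustration of what the accepted answer and Stefan's last post describe (not Stefan's script and not Cisco's code), the Python below turns a text blocklist into an ASA object-group fragment that can be placed on a TFTP server and merged into the running configuration. The sample feed, the group name BLOCK_FEED and the ACL name outside_in are constructed for the example. Two details matter for a scheduled update: adjacent prefixes are collapsed so the group stays small, and, because copying a file into running-config merges rather than replaces, the fragment carries `no network-object` lines for entries that dropped off the feed since the previous run instead of relying on the old entries disappearing by themselves.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample blocklist (RFC 5737 documentation ranges), standing in for the
# country / SIP-fraud feeds discussed in the thread. One host or prefix per line.
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real feed
203.0.113.0/25
203.0.113.128/25   # adjacent to the line above, collapses into one /24
198.51.100.7       # bare host becomes a /32
192.0.2.0/24
not-an-address     # malformed line, skipped
"""


def parse_blocklist(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse a text blocklist into sorted IPv4 networks.

    '#' starts a comment, blank and malformed lines are skipped, bare hosts become /32.
    Adjacent and overlapping prefixes are merged so the object group (and therefore the
    ACL the ASA has to evaluate per packet) carries as few entries as possible.
    """
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            nets.append(ipaddress.IPv4Network(text, strict=False))
        except ValueError:
            continue  # one bad line in the feed must not abort the whole update
    return sorted(ipaddress.collapse_addresses(nets))


def network_object_line(net: ipaddress.IPv4Network) -> str:
    """Render one prefix in ASA network-object syntax (host form for a /32)."""
    if net.prefixlen == 32:
        return f" network-object host {net.network_address}"
    return f" network-object {net.network_address} {net.netmask}"


def render_object_group(name: str,
                        nets: List[ipaddress.IPv4Network],
                        previous: Optional[List[ipaddress.IPv4Network]] = None) -> str:
    """Emit an ASA config fragment that brings object-group `name` in line with `nets`.

    Copying a file into running-config merges it with what is already there, so the
    fragment only carries the delta: 'no network-object' for entries that dropped off
    the feed since the last run (`previous`) and plain network-object lines for new
    ones. On the first run `previous` is None and every entry is added.
    """
    current, old = set(nets), set(previous or [])
    lines = [f"object-group network {name}"]
    for net in sorted(old - current):
        lines.append(" no" + network_object_line(net))
    for net in sorted(current - old):
        lines.append(network_object_line(net))
    return "\n".join(lines) + "\n"


def render_deny_ace(acl_name: str, group_name: str) -> str:
    """The ACE that references the group. It is applied once, by hand, together with the
    access-group binding; only the object group is refreshed by the scheduled merge."""
    return f"access-list {acl_name} extended deny ip object-group {group_name} any\n"


if __name__ == "__main__":
    current = parse_blocklist(SAMPLE_BLOCKLIST.splitlines())
    # Write the fragment to the TFTP root, then on the ASA (hypothetical server name):
    #   copy tftp://<tftp-server>/blocklist.cfg running-config
    print(render_object_group("BLOCK_FEED", current), end="")
    print(render_deny_ace("outside_in", "BLOCK_FEED"), end="")
```

The update script keeps the previously applied list on disk and passes it as `previous` on the next run, so each merge is a small delta rather than a 5000-line replay; the ACE and the `access-group` binding are created once and are not part of the fragment, which avoids re-adding ACL lines on every cycle.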
