Cisco ASA ACL service port audit

raza555
Level 3

Hi,

I have to audit about 40 Cisco ASA (8.4) with ACL service ports as IP or TCP, we want specific ports between source and destinations, please advise the best practice/tool to identify specific port & to avoid any outages.

Also many ACL are defined in both directions, but my understanding is that as ASA is a stateful firewall, for TCP/UDP we don't need to define bidirectional traffic. Bidirectional traffic is only required for encrypted traffic e.g. IPSEC/GRE, please correct me if I'm wrong. If I'm correct then please advise if I delete bidirectional traffic for TCP/UDP then it will not break the connections.

Thanks

4 Replies

raza555
Level 3

Anybody is able to advise?

Hey,

For the same traffic there is no need of a bidirectional ACL, but if you want to control the traffic both originating from inside and outside then you require different ACLs.

Your point regarding audit is not clear to me, need more elaboration.

Thanks

In the ASDM, most rules' source and destination are using the ports as IP/TCP, I want specific ports like 22, 23, 514 etc.

How can I find out which ports source and destination are using, so that I can use specific ports instead of general ports like IP, TCP.

Thanks
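One way to start the audit raza555 describes, added here as an example and not taken from the thread or from Cisco: parse the firewall's `show conn` and `show access-list` output to list which destination ports each source/destination pair actually uses, and which ACEs still permit bare ip/tcp/udp with no port. The sample output below is constructed in the ASA 8.4 style and is not from a real device.

```python
import re
from collections import defaultdict

# Constructed sample of `show conn` output (ASA 8.4 style), not from the post.
# The first address on each line is the connection initiator.
SHOW_CONN = """\
TCP outside 203.0.113.10:51234 inside 10.1.1.5:22, idle 0:00:05, bytes 1234, flags UIO
TCP outside 203.0.113.10:51240 inside 10.1.1.5:22, idle 0:01:12, bytes 9876, flags UIO
TCP inside 10.1.1.20:40012 dmz 10.2.2.7:514, idle 0:00:01, bytes 500, flags UO
UDP inside 10.1.1.20:40013 dmz 10.2.2.7:514, idle 0:00:01, bytes 300, flags -
TCP inside 10.1.1.20:40020 dmz 10.2.2.7:23, idle 0:00:30, bytes 100, flags UIO
"""

# Constructed sample of `show access-list` output with two over-broad ACEs.
SHOW_ACL = """\
access-list inside_access_in line 1 extended permit tcp host 10.1.1.20 host 10.2.2.7 eq 514 (hitcnt=12) 0x1a2b3c4d
access-list inside_access_in line 2 extended permit ip 10.1.1.0 255.255.255.0 host 10.2.2.7 (hitcnt=3) 0x2b3c4d5e
access-list outside_access_in line 1 extended permit tcp any host 10.1.1.5 (hitcnt=40) 0x3c4d5e6f
access-list outside_access_in line 2 extended permit udp any host 10.1.1.5 eq 161 (hitcnt=0) 0x4d5e6f70
"""

CONN_RE = re.compile(r"^(TCP|UDP) \S+ (\S+):\d+ \S+ (\S+):(\d+),")
ACE_RE = re.compile(r"^(access-list \S+ line \d+) extended permit (ip|tcp|udp) (.*?) \(hitcnt=")
PORT_QUALIFIER_RE = re.compile(r"\b(eq|range|gt|lt|neq)\b")

def observed_ports(show_conn):
    """Map (initiator_ip, responder_ip) -> sorted list of 'proto/port' seen in the conn table.
    Only the responder's port matters; the initiator's port is ephemeral."""
    seen = defaultdict(set)
    for line in show_conn.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, src, dst, port = m.groups()
            seen[(src, dst)].add(f"{proto.lower()}/{port}")
    return {pair: sorted(ports) for pair, ports in seen.items()}

def broad_aces(show_acl):
    """Return ACE labels that permit whole 'ip', or tcp/udp with no port qualifier.
    ACEs whose ports live in a service object-group carry no eq/range keyword and are
    flagged too; that is deliberately conservative so they get reviewed by hand."""
    flagged = []
    for line in show_acl.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        label, proto, rest = m.groups()
        if proto == "ip" or not PORT_QUALIFIER_RE.search(rest):
            flagged.append(label)
    return flagged
```

Running both over real output gives, per broad ACE, the list of ports the connection table has actually seen between its endpoints, which is the evidence needed before narrowing an ACE to specific ports.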

Bidirectional rules are required if both source and destination initiate the traffic.
