I have a Cisco ASA and a test site-to-site VPN and a test Cisco client VPN coming into it. I had a rule which was just allow any any before on the outside interface to the inbound interface where the servers are. But have now added many many rules to lockdown what users on the VPN can get to so just the servers and their ports required are open.
Can this slow down the connection response to the user?
Assuming your entries are configured in an efficient way i.e making sure the most matching rules are at the top of the access list, there are no entries logging events unless you really need it, using group objects whenever applicable .. etc. It is most likely that the user will not even notice the difference. The approach you had followed is the correct from a security perspective.
I hope it helps .. please rate helpfull posts
Thanks, so it might be best I move the ACE's to the top of the outside list? I have about 15 and I can simply use the ASDM to do this?
It is a best practice to put ACEs for frequently occuring traffic like management traffic (routing,snmp etc) at the top of ACLs. I think this should be doable in ASDM.
on the CLI you can use
ASDM also has a similar field I think (8.x even has a real time one AFAIR).
The 'show access-list' will show you a hitcount irrespective of the 'log' keyword.
The log keyword goes one step further to generate syslogs whenever the ACE is matched.