Cisco Support Community
New Member

how to organize access-list in ASA

Hello

I need some help with access lists. I understand they are read from top to bottom, but I would like to confirm if someone has a reference or knowledge on how to organize an access list with different protocols. What I meant is, from top to bottom, which protocols should be at the top, for example:

    access-list inside line 1 permit tcp ...
    access-list inside line 1 permit ICMP ...
    access-list inside line 1 permit udp ...

And how about the source IP addresses: is it from broad (top) going to specific IP (bottom)?

Thanks.

1 REPLY
Hall of Fame Super Blue

Re: how to organize access-list in ASA

Access lists are indeed read from top to bottom, and as soon as a match is made in the access list, processing stops and the action, permit or deny, is executed.

Because access lists are read from top to bottom, the recommendation is to try and put the lines that will be matched the most at the top of the ACL. This means that processing of the ACL per packet will be less, because the device will find a match sooner rather than later. Having said that, most devices are very good at processing ACLs, so this is not something you should worry too much about.

Specific source IP addresses should be nearer the top than broad ones. If you do it the other way round, then there is the chance a match will be made on the broad entry when you wanted it on the specific one.

Jon
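As an added illustration of the two points in Jon's reply (the first match wins, and a broad entry placed above a specific one shadows it), here is a small first-match evaluator for ASA-style extended ACEs. This is constructed example code, not from this thread or from Cisco; it models only the action, protocol, source and destination part of the syntax (ports are ignored), with constructed addresses.

```python
"""First-match evaluation of a small ASA-style access list (constructed example).

Models 'access-list NAME extended ACTION PROTO SRC DST' where an address operand
is 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA uses a netmask, not a wildcard).
"""
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _net(tokens):
    """Consume one address operand from the token list and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")   # dotted netmask

def parse_ace(line):
    """Parse one ACE line; ports after the destination are ignored."""
    t = line.split()
    assert t[0] == "access-list" and t[2] == "extended", line
    action, proto, rest = t[3], t[4], t[5:]
    return Ace(action, proto, _net(rest), _net(rest))

def evaluate(acl, proto, src_ip, dst_ip):
    """Return (action, index) of the first matching ACE; implicit deny if none."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, ace in enumerate(acl):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, i          # processing stops at the first match
    return "deny", None

def shadowed(acl):
    """Indices of ACEs fully covered by an earlier ACE, i.e. lines that can never match."""
    return [i for i, a in enumerate(acl)
            if any(b.proto in ("ip", a.proto) and a.src.subnet_of(b.src)
                   and a.dst.subnet_of(b.dst) for b in acl[:i])]

# Constructed ACL: a broad permit placed above a specific deny for one host.
BROAD_FIRST = [parse_ace(l) for l in (
    "access-list inside extended permit ip 10.1.1.0 255.255.255.0 any",
    "access-list inside extended deny ip host 10.1.1.5 any",
)]
SPECIFIC_FIRST = list(reversed(BROAD_FIRST))   # the ordering Jon recommends
```

Running `shadowed(BROAD_FIRST)` reports the deny line as unreachable, and `evaluate` shows 10.1.1.5 being permitted by the broad entry until the order is swapped.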

325 Views, 0 Helpful, 1 Replies