Cisco Support Community

New Member

how to organize access-list in ASA

Hello

I need some help with access lists. I understand that they are read from top to bottom, but I would like to confirm whether someone has a reference or knowledge on how to organize an access list with different protocols. What I mean is: from top to bottom, which protocols should be at the top (for example, access-list inside line 1 permit tcp ...), and what about

access-list inside line 1 permit ICMP ...
access-list inside line 1 permit udp ...

And for source IP addresses, is it from broad (top) going to specific IP (bottom)?

Thanks.

1 REPLY
Cisco Employee

Re: how to organize access-list in ASA

Since ACLs work on a first-match basis, you will want your more specific lines at the top of the list regardless of protocol. Avoid using broad ranges at the top of the list, which could lead to more specific network ranges being ignored, as in the example below:

access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80

The second entry would not be effective here because the first match is hit, allowing all traffic through. Here is another example:

access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any any eq 389

The above ACL would be better optimized by putting the most specific entries at the top of the list, ensuring that specific deny statements are not trumped by permit statements and that each entry performs its desired function. Grouping similar entries together where possible can also help to keep some sanity when looking at large lists.

access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any any eq 389

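As an added worked example (this is not part of the thread above and not Cisco's code), the following Python script models the first-match logic the reply describes: it parses ASA-style access-list lines, finds the first entry a packet hits, and flags entries that can never match because an earlier, broader entry already covers them. The two ACLs from the reply are typed in as constructed sample input; the parser handles only the syntax the reply uses (permit/deny, tcp/udp/icmp/ip, any / host / network-with-mask, optional eq PORT on the destination) and the implicit deny at the end of every ASA ACL is modeled as a deny with no matching index.

```python
"""First-match ACL evaluation and shadowed-entry detection for ASA-style ACEs.

Added example, not Cisco's code. Covers the subset of 'access-list' syntax
used in the reply; object-groups, port ranges and source ports are out of
scope. ORIGINAL and REORDERED are the two lists from the reply, typed in
here as constructed sample input.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                  # 'permit' or 'deny'
    proto: str                   # 'tcp', 'udp', 'icmp' or 'ip' ('ip' matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    i = 3 if t[2] == "extended" else 2
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def first_match(acl: List[Ace], proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, index) of the first ACE the packet hits, top to bottom.
    No hit means the ASA's implicit deny, returned as ('deny', None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, idx
    return "deny", None


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b also matches a (a is at least as broad)."""
    proto_ok = a.proto in ("ip", b.proto)
    port_ok = a.dport is None or a.dport == b.dport
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def shadowed(acl: List[Ace]) -> List[Tuple[int, int]]:
    """(i, j) pairs where entry j can never be hit because earlier entry i covers it."""
    return [(i, j) for j, b in enumerate(acl) for i in range(j) if covers(acl[i], b)]


# Constructed sample input: the ACL as first shown in the reply.
ORIGINAL = parse_acl("""
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any any eq 389
""")

# Constructed sample input: the same ACL reordered, specific entries first.
REORDERED = parse_acl("""
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any any eq 389
""")

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reordered", REORDERED)):
        print(name, "shadowed (earlier, later):", shadowed(acl))
        print(name, "1.1.1.1 -> 9.9.9.9 tcp/80:", first_match(acl, "tcp", "1.1.1.1", "9.9.9.9", 80))
        print(name, "7.7.7.7 -> 2.2.2.3 tcp/53:", first_match(acl, "tcp", "7.7.7.7", "2.2.2.3", 53))
```

Run on the original ordering, the checker reports four dead entries: both denies (lines 2 and 8 in the reply's numbering, plus line 7) are covered by the broad permits above them, and the permit for host 2.2.2.2 port 80 is also covered by `permit tcp any any eq 80`. A shadowed permit is merely dead weight; a shadowed deny is the hole the reply is warning about. On the reordered list nothing is shadowed and the 1.1.1.1 and 7.7.7.7 packets are denied. On a real ASA the equivalent checks are `show access-list` (the hit counters on the shadowed entries never increment) and `packet-tracer` for a specific flow.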