Cisco Support Community


How to manage large access-lists on FWSM

Team, I have a rather large access-list in one of my firewalls and was wondering if anyone has any rules of thumb to go by when building complex access lists. I currently use object groups, but what is a good rule for ACLs with servers, users and different needs for access?


Re: How to manage large access-lists on FWSM

We use object-groups as well. We typically create an object for source servers (if more than 1), the ports (if more than 1 or 2) and another group for destination server(s). We have a very restrictive security policy so each rule must be specific. I think it makes it hard to see what the ACLs really do, but it shortens the config.

Hope that helps.
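The three-group pattern described in the reply above, written out in FWSM/ASA syntax as an added example (this is not configuration from the thread; the group names, addresses and ports are hypothetical):

```cisco
! Added example, not from the original thread. Names, hosts and ports are assumed.
! Source group: the hosts that are allowed to initiate the connection.
object-group network WEB-FRONTENDS
 description Web tier (source)
 network-object host 10.1.10.11
 network-object host 10.1.10.12
 network-object 10.1.11.0 255.255.255.0
!
! Destination group: the servers being reached.
object-group network DB-SERVERS
 description Database tier (destination)
 network-object host 10.1.20.21
 network-object host 10.1.20.22
!
! Service group: only the ports the web tier actually needs on the DB tier.
object-group service DB-PORTS tcp
 description Database listeners reachable from the web tier
 port-object eq 1433
 port-object eq 1521
 port-object range 5432 5433
!
! One ACE replaces every source x destination x port combination.
! The remark carries the change reference so a one-off can be traced later.
access-list INSIDE_IN remark Web tier to DB tier, change ticket reference here
access-list INSIDE_IN extended permit tcp object-group WEB-FRONTENDS object-group DB-SERVERS object-group DB-PORTS
!
! Explicit logged deny at the end: the implicit deny would drop the traffic
! anyway, but a logged ACE gives you hit counts and syslog for what was blocked.
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
```

`show access-list INSIDE_IN` displays the expanded entries behind the single grouped line (3 sources x 2 destinations x 4 ports above), each with its own hit count; those per-entry counters are the quickest way to find which members of a group, or which stray one-off ACEs, are never actually used. Keep groups tight for that reason as well: on the FWSM the expanded ACEs are what consume the platform's ACL resources, not the number of lines in the running config.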


Re: How to manage large access-lists on FWSM

We try to do something very similar, but over time a lot of one-offs have crept into the ACLs.

Thanks for the reply