https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265353#M349114 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>It definitely will be better the range instead an individual ACL for each port. </P><P></P><P>You will have a config from 1000 lines of ACL to 1 single ACL with all the port on it. </P><P></P><P>For troubleshooting purpose you can always use packet tracer or "show access-list <NAME>" to see if there is hitcounts. </NAME></P><P></P><P>I will go with the range option for sure. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Tue, 28 May 2013 14:55:22 GMT julomban 2013-05-28T14:55:22Z https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265352#M349113 <P>Hi, just a quick question about best practices for an ASA5520. I'm currently running a pair of these as internal firewall for my organization, and have about 750 rules dictating traffic. A lot of the rules are for individual ports to specific server(s), some of them having 50+ ports opened. For example, Exchange has about 115 ports opened right now, anywhere from port 25 to 55000.</P><P></P><P>My question is that would it be better (faster, less strain on the ASA) to open a port range, (ie 52000-55000) or would the individual ports (ie: 52112,52336,52698,53441,53495, etc...) be ok?</P><P></P><P>Obviously the individual ports are much more granular for security, but I don't want to take that into consideration now. Just strictly individual ports vs ranges.</P><P></P><P>thanks</P> Tue, 12 Mar 2019 01:50:03 GMT https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265352#M349113 Mario Elia 2019-03-12T01:50:03Z https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265353#M349114 <HTML><HEAD></HEAD><BODY><P>Mario,</P><P></P><P>It definitely will be better the range instead an individual ACL for each port. </P><P></P><P>You will have a config from 1000 lines of ACL to 1 single ACL with all the port on it. </P><P></P><P>For troubleshooting purpose you can always use packet tracer or "show access-list <NAME>" to see if there is hitcounts. </NAME></P><P></P><P>I will go with the range option for sure. </P><P></P><P>Regards,</P><P>Juan Lombana</P><P></P><P>Please rate helpful posts.</P></BODY></HTML> Tue, 28 May 2013 14:55:22 GMT https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265353#M349114 julomban 2013-05-28T14:55:22Z https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265354#M349116 <HTML><HEAD></HEAD><BODY><P>Your 5520 will easily handle 750+ rules so you can keep your current practice of using individual ports. And on a security device you also shouldn't trade security against speed if you are not forced to.<BR /><BR />What you can do: Organise all needed ports per server in service object-groups. The resulting ACL won't be shorter by that approach, but the resulting ACL is more readable and manageble, especially if you use the ASDM.<BR /><BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Tue, 28 May 2013 16:05:48 GMT https://community.cisco.com/t5/network-security/individual-ports-vs-ranges/m-p/2265354#M349116 Karsten Iwen 2013-05-28T16:05:48Z