topic Re: ACL Commands on new ASA in Network Security

ACL Commands on new ASA

HMidkiff — Mon, 11 Mar 2019 17:58:10 GMT

Hello:

I am replacing my PIX with a new ASA. When my PIX was deployed I used a consultant to get it online quickly. Later I realized he used a lot of wild cards in the config. (any to any) Since the initial deployment I cleaned a lot of them up. Here is my question. I have always used the guideline the firewall should be very secure. No traffic should be able to pass out or in unless I allow it. There are some "any to any" ACL's in for services like DNS and some others. I like to use "object-groups" in my config and group my networks and hosts. This will ultimately make the config bigger and thus create more processing power on the ASA. Am I right to use the "object-group" for these types of services or am I just over thinking this?

Harrison Midkiff

Re: ACL Commands on new ASA

Federico Coto Fajardo — Fri, 11 Jun 2010 15:08:29 GMT

Hi,

You're absolutately right.

You want to restrict the ACE statements as much as possible. (avoid ''any'' wherever you can).

Also, to make the ACL more manageable, use object groups is the recommendation.

Federico.

Re: ACL Commands on new ASA

terrygwazdosky — Fri, 11 Jun 2010 15:08:42 GMT

Grouping like items is exactly what object groups are for. It make the config easier to look at and adding or removing a host from a group is easier than re-writing the ACE.