topic how to organize access-list in ASA in Network Security https://community.cisco.com/t5/network-security/how-to-organize-access-list-in-asa/m-p/1404409#M743439 <P>Hello</P><P></P><P>I need some help about access list. I understand is being read from top to down but</P><P>I would like to confirm if someone have a reference or knowledge on how to organize</P><P>access list w/ different protocols. what i meant is from top to down w/c protocols should be</P><P>at the top (example&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list inside line 1 permit tcp.....&nbsp;&nbsp;&nbsp; ) and how about the</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list inside line 1 permit ICMP....</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list inside line 1 permit udp....</P><P></P><P>source ip addresseses, is it from broad( top) going to specific ip(down).</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 17:10:51 GMT dantebarlizo 2019-03-11T17:10:51Z how to organize access-list in ASA https://community.cisco.com/t5/network-security/how-to-organize-access-list-in-asa/m-p/1404409#M743439 <P>Hello</P><P></P><P>I need some help about access list. I understand is being read from top to down but</P><P>I would like to confirm if someone have a reference or knowledge on how to organize</P><P>access list w/ different protocols. what i meant is from top to down w/c protocols should be</P><P>at the top (example&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list inside line 1 permit tcp.....&nbsp;&nbsp;&nbsp; ) and how about the</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list inside line 1 permit ICMP....</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; access-list inside line 1 permit udp....</P><P></P><P>source ip addresseses, is it from broad( top) going to specific ip(down).</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 17:10:51 GMT https://community.cisco.com/t5/network-security/how-to-organize-access-list-in-asa/m-p/1404409#M743439 dantebarlizo 2019-03-11T17:10:51Z Re: how to organize access-list in ASA https://community.cisco.com/t5/network-security/how-to-organize-access-list-in-asa/m-p/1404410#M743445 <HTML><HEAD></HEAD><BODY><P>Since ACLs work on a first match basis you will want your more specific lines at the top of the list regardless of protocol. Avoid using broad ranges at the top of the list which could lead to more specific network ranges being ignored as in the example below</P><P></P><P>access-list acl_outside permit tcp any any eq 80</P><P>access-list acl_outside deny tcp host 1.1.1.1 any eq 80</P><P></P><P>The second entry would not be effective here because the first match is hit allowing all traffic through. Here is another example:</P><P></P><P></P><P>access-list acl_outside permit tcp any any eq 80</P><P>access-list acl_outside deny tcp host 1.1.1.1 any eq 80</P><P>access-list acl_outside permit tcp any host 2.2.2.2 eq 80</P><P>access-list acl_outside permit tcp any&nbsp; host 2.2.2.3 eq 53</P><P>access-list acl_outside permit tcp any host 2.2.2.2 eq 443</P><P>access-list acl_outside permit udp any host 2.2.2.3 eq 53</P><P>access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53</P><P>access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443</P><P>access-list acl_outside permit tcp any any eq 389</P><P></P><P></P><P>The above ACL woul better be optimized by making the most specific entries at the top of the list ensuring that specifc deny statements are not trumped by permit statements and each entry performs its desired function. Grouping similar entries together if possible can help to keep some sanity when looking at large lists also.</P><P></P><P>access-list acl_outside deny tcp host 1.1.1.1 any eq 80</P><P>access-list acl_outside permit tcp any host 2.2.2.2 eq 80</P><P>access-list acl_outside permit tcp any any eq 80</P><P>access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443</P><P>access-list acl_outside permit tcp any host 2.2.2.2 eq 443</P><P>access-list acl_outside permit udp any host 2.2.2.3 eq 53</P><P>access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53</P><P>access-list acl_outside permit tcp any&nbsp; host 2.2.2.3 eq 53</P><P>access-list acl_outside permit tcp any any eq 389</P></BODY></HTML> Mon, 01 Mar 2010 21:37:24 GMT https://community.cisco.com/t5/network-security/how-to-organize-access-list-in-asa/m-p/1404410#M743445 Joe B Danford 2010-03-01T21:37:24Z