topic Re: Does applying ACE's to VPN's on ASA slow the VPN down slight in Network Security

Does applying ACE's to VPN's on ASA slow the VPN down slightly?

whiteford — Mon, 11 Mar 2019 13:00:54 GMT

Hi,

I have a Cisco ASA and a test site-to-site VPN and a test Cisco client VPN coming into it. I had a rule which was just allow any any before on the outside interface to the inbound interface where the servers are. But have now added many many rules to lockdown what users on the VPN can get to so just the servers and their ports required are open.

Can this slow down the connection response to the user?

Thanks

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

Fernando_Meza — Wed, 18 Jun 2008 09:07:05 GMT

Hi,

Assuming your entries are configured in an efficient way i.e making sure the most matching rules are at the top of the access list, there are no entries logging events unless you really need it, using group objects whenever applicable .. etc. It is most likely that the user will not even notice the difference. The approach you had followed is the correct from a security perspective.

I hope it helps .. please rate helpfull posts

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

Farrukh Haroon — Wed, 18 Jun 2008 09:54:57 GMT

This limited ammount of filtering should not cause any performance issues.

Regards

Farrukh

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

whiteford — Wed, 18 Jun 2008 09:58:28 GMT

Thanks, so it might be best I move the ACE's to the top of the outside list? I have about 15 and I can simply use the ASDM to do this?

Thanks

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

Farrukh Haroon — Wed, 18 Jun 2008 10:11:08 GMT

It is a best practice to put ACEs for frequently occuring traffic like management traffic (routing,snmp etc) at the top of ACLs. I think this should be doable in ASDM.

Regards

Farrukh

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

whiteford — Wed, 18 Jun 2008 10:15:44 GMT

Great there is a nice copy and paste function in the ADSL 🙂

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

whiteford — Wed, 18 Jun 2008 12:46:44 GMT

THanks guys, how can I also tell if the rules are being logged?

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

Farrukh Haroon — Wed, 18 Jun 2008 13:15:15 GMT

on the CLI you can use

show access-list

ASDM also has a similar field I think (8.x even has a real time one AFAIR).

Regards

Farrukh

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

whiteford — Wed, 18 Jun 2008 13:38:48 GMT

I did a sh access-list - should there simply be a "log" at the end of each ACE?

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

Farrukh Haroon — Wed, 18 Jun 2008 13:40:38 GMT

The 'show access-list' will show you a hitcount irrespective of the 'log' keyword.

The log keyword goes one step further to generate syslogs whenever the ACE is matched.

Regards

Farrukh

Re: Does applying ACE's to VPN's on ASA slow the VPN down slight

whiteford — Wed, 18 Jun 2008 13:42:58 GMT

Hi Happs, I am getting hit counts, just popped onto the ASDM.