Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
594
Views
5
Helpful
1
Replies

how to organize access-list in ASA

dantebarlizo
Level 1
Level 1

‎02-16-2010 10:46 PM - edited ‎03-11-2019 10:10 AM

Hello

I need some help about access list. I understand is being read from top to down but

I would like to confirm if someone have a reference or knowledge on how to organize

access list w/ different protocols. what i meant is from top to down w/c protocols should be

at the top (example          access-list inside line 1 permit tcp.....    ) and how about the

                                      access-list inside line 1 permit ICMP....

                                       access-list inside line 1 permit udp....

source ip addresseses, is it from broad( top) going to specific ip(down).

Thanks.

Labels:
0 Helpful
1 Reply 1

Joe B Danford
Cisco Employee
Cisco Employee

‎03-01-2010 01:37 PM

Since ACLs work on a first match basis you will want your more specific lines at the top of the list regardless of protocol. Avoid using broad ranges at the top of the list which could lead to more specific network ranges being ignored as in the example below

access-list acl_outside permit tcp any any eq 80

access-list acl_outside deny tcp host 1.1.1.1 any eq 80

The second entry would not be effective here because the first match is hit allowing all traffic through. Here is another example:

access-list acl_outside permit tcp any any eq 80

access-list acl_outside deny tcp host 1.1.1.1 any eq 80

access-list acl_outside permit tcp any host 2.2.2.2 eq 80

access-list acl_outside permit tcp any  host 2.2.2.3 eq 53

access-list acl_outside permit tcp any host 2.2.2.2 eq 443

access-list acl_outside permit udp any host 2.2.2.3 eq 53

access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53

access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443

access-list acl_outside permit tcp any any eq 389

The above ACL woul better be optimized by making the most specific entries at the top of the list ensuring that specifc deny statements are not trumped by permit statements and each entry performs its desired function. Grouping similar entries together if possible can help to keep some sanity when looking at large lists also.

access-list acl_outside deny tcp host 1.1.1.1 any eq 80

access-list acl_outside permit tcp any host 2.2.2.2 eq 80

access-list acl_outside permit tcp any any eq 80

access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443

access-list acl_outside permit tcp any host 2.2.2.2 eq 443

access-list acl_outside permit udp any host 2.2.2.3 eq 53

access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53

access-list acl_outside permit tcp any  host 2.2.2.3 eq 53

access-list acl_outside permit tcp any any eq 389

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card