02-16-2010 10:46 PM - edited 03-11-2019 10:10 AM
Hello
I need some help with access lists. I understand they are read from top to bottom, but
I would like to confirm if someone has a reference or knowledge on how to organize
access lists with different protocols. What I mean is, from top to bottom, which protocols should be
at the top (for example, access-list inside line 1 permit tcp ...), and how about
access-list inside line 1 permit icmp ...
access-list inside line 1 permit udp ...
For source IP addresses, is it from broad (top) going to specific IP (bottom)?
Thanks.
03-01-2010 01:37 PM
Since ACLs work on a first-match basis, you will want your more specific lines at the top of the list regardless of protocol. Avoid using broad ranges at the top of the list, which could lead to more specific network ranges being ignored, as in the example below:
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
The second entry would not be effective here because the first match is hit, allowing all traffic through. Here is another example:
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any any eq 389
The above ACL would be better optimized by putting the most specific entries at the top of the list, ensuring that specific deny statements are not trumped by permit statements and each entry performs its desired function. Grouping similar entries together, if possible, can also help to keep some sanity when looking at large lists.
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any any eq 389
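The first-match behaviour described in the answer above can be checked mechanically rather than by eye. The following is an added example, not part of the original post and not Cisco code: a small evaluator for the subset of extended-ACL syntax used in the answer (`any`, `host A.B.C.D`, optional `eq PORT`, plus the `ip` protocol keyword). It walks an ACL top to bottom for a given packet, applies the implicit deny at the end, and reports every entry that is "shadowed", meaning fully covered by an earlier entry and therefore never able to match. The two ACLs are copied from the answer; the packet tuples and the function names (`parse_acl`, `evaluate`, `shadowed`) are this example's own. Address forms the post does not use (network/mask, wildcard masks, port ranges, `neq`, object-groups) are rejected rather than guessed at.

```python
# Added example (not Cisco code): first-match ACL evaluator and shadow finder
# for the subset of extended-ACL syntax used in the post above.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access control entry. src/dst None means 'any'; dport None means no port check."""
    action: str
    proto: str
    src: Optional[IPv4Net]
    dst: Optional[IPv4Net]
    dport: Optional[int]
    text: str


def _take_addr(toks: List[str]) -> Optional[IPv4Net]:
    """Consume 'any' or 'host A.B.C.D' from the front of toks; anything else is unsupported."""
    tok = toks.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.IPv4Network(toks.pop(0) + "/32")
    raise ValueError(f"unsupported address spec: {tok}")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = toks[2], toks[3].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    rest = toks[4:]
    src = _take_addr(rest)
    dst = _take_addr(rest)
    dport = None
    if rest:
        if len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported port spec in: {line}")
        dport = int(rest[1])
    return Ace(action, proto, src, dst, dport, line)


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(l) for l in lines if l.strip()]


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src is not None and ipaddress.IPv4Address(src) not in ace.src:
        return False
    if ace.dst is not None and ipaddress.IPv4Address(dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins. The implicit deny at the end is reported as ('deny', None)."""
    for i, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, i
    return "deny", None


def covers(wide: Ace, narrow: Ace) -> bool:
    """True if every packet that 'narrow' could match is already matched by 'wide'."""
    if wide.proto != "ip" and wide.proto != narrow.proto:
        return False
    for w, n in ((wide.src, narrow.src), (wide.dst, narrow.dst)):
        if w is None:          # 'any' covers everything
            continue
        if n is None or not n.subnet_of(w):
            return False
    if wide.dport is not None and wide.dport != narrow.dport:
        return False
    return True


def shadowed(acl: List[Ace]) -> List[Tuple[int, int, bool]]:
    """(later_index, earlier_index, action_conflicts) for every entry that can never match."""
    found = []
    for j, later in enumerate(acl):
        for i in range(j):
            if covers(acl[i], later):
                found.append((j, i, acl[i].action != later.action))
                break
    return found


# Both ACLs copied from the answer above: the problematic ordering and the reordered one.
ORIGINAL = """
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any any eq 389
""".strip().splitlines()

REORDERED = """
access-list acl_outside deny tcp host 1.1.1.1 any eq 80
access-list acl_outside permit tcp any host 2.2.2.2 eq 80
access-list acl_outside permit tcp any any eq 80
access-list acl_outside deny tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list acl_outside permit tcp any host 2.2.2.2 eq 443
access-list acl_outside permit udp any host 2.2.2.3 eq 53
access-list acl_outside deny tcp host 7.7.7.7 host 2.2.2.3 eq 53
access-list acl_outside permit tcp any host 2.2.2.3 eq 53
access-list acl_outside permit tcp any any eq 389
""".strip().splitlines()

if __name__ == "__main__":
    for name, lines in (("original", ORIGINAL), ("reordered", REORDERED)):
        acl = parse_acl(lines)
        print(f"== {name}: {len(acl)} entries")
        for j, i, conflict in shadowed(acl):
            kind = "CONFLICT" if conflict else "redundant"
            print(f"  line {j + 1} never matches; shadowed by line {i + 1} ({kind})")
        # Constructed test packets: the denies the answer says are being trumped.
        print("  1.1.1.1->2.2.2.2 tcp/80:", evaluate(acl, "tcp", "1.1.1.1", "2.2.2.2", 80))
        print("  7.7.7.7->2.2.2.3 tcp/53:", evaluate(acl, "tcp", "7.7.7.7", "2.2.2.3", 53))
```

Running it reports lines 2, 7 and 8 of the original list as shadowed with a conflicting action (a deny hidden under an earlier permit), line 3 as merely redundant, and nothing shadowed in the reordered list. The "redundant but same action" case is worth keeping in the report: it is harmless today, but if someone later flips the broad permit to a deny, the narrow permit underneath it silently stops doing what its author expected.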