access-list on ASA
03-12-2012 01:24 AM - edited 03-11-2019 03:40 PM
Dear all,
can you show me what the difference in CPU load is between the two ACLs below:
Scenario 1:
access-list 101 line 16 extended permit tcp host 10.4.22.212 host 10.4.28.49 eq 7017
access-list 101 line 17 extended permit tcp host 10.4.22.213 host 10.4.28.49 eq 7017
access-list 101 line 18 extended permit tcp host 10.4.22.214 host 10.4.28.49 eq 7017
access-list 101 line 19 extended permit tcp host 10.4.22.215 host 10.4.28.49 eq 7017
access-list 101 line 20 extended permit tcp host 10.4.22.216 host 10.4.28.49 eq 7017
and Scenario 2:
object-group network DM_INLINE_NETWORK_37
network-object host 10.4.22.212
network-object host 10.4.22.213
network-object host 10.4.22.214
network-object host 10.4.22.215
network-object host 10.4.22.216
access-list 101 extended permit tcp object-group DM_INLINE_NETWORK_37 host 10.4.28.49 eq 7017
If I use Scenario 2, is it better than Scenario 1?
03-12-2012 09:38 AM
Scenario 2 is much better and easier for management on the firewall. If you need to add another host to access this resource, all you need to do is add it to the object group instead of adding another access-list. This will keep the firewall access rules more streamlined and simpler.
I have taken a PIX firewall with over 2000 access lists and converted it to an ASA with 30 access-lists with object groups. If you learn how to use the command line for object groups, then you can name them so that all the configuration is logical and makes sense as soon as you look at it.
Thanks and hope this helps.
Kimberly
03-12-2012 06:38 PM
Dear Kimberly,
Thanks for your reply, but I want to know: if I deploy Scenario 2, does the ASA have a better CPU load than in Scenario 1?
Thanks

03-13-2012 08:50 AM
When you have a lot of access-lists, Scenario 2 will be a faster process. Whenever someone makes a request and it hits the firewall, it has to start at the top of all the access-lists to find out if the request is permitted or denied. If you have 2000 access-lists, this will make the firewall work harder and tax the CPU and memory. But if you consolidate with object-groups like in Scenario 2, then the firewall will not have to tax the CPU and memory and will run much more efficiently.
Thanks,
Kimberly
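The following script is an added example and is not code from the thread or from Cisco. It expands the object-group form of Scenario 2 into per-member entries the same way `show access-list` on an ASA displays them, so you can confirm offline that the two scenarios describe the same five permit entries and see how the expanded entry count (source members x destination members) grows as groups are used on both sides of a rule. It handles `host`, subnet and `any` members; anything else is an assumption outside the thread's config.

```python
"""Expand ASA object-group ACEs into per-member entries (added example)."""
import ipaddress
import re

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|object-group \S+|any)\s+"
    r"(?P<dst>host \S+|object-group \S+|any)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_groups(config):
    """Collect `object-group network NAME` blocks and their network-object members."""
    groups, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line.startswith("network-object") and current is not None:
            parts = line.split()
            if parts[1] == "host":
                current.append(f"host {parts[2]}")
            else:  # `network-object 10.0.0.0 255.255.255.0` style subnet member
                net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
                current.append(f"{net.network_address} {net.netmask}")
    return groups


def members(spec, groups):
    """Return the address terms a source/destination field expands to."""
    kind, _, name = spec.partition(" ")
    return groups[name] if kind == "object-group" else [spec]


def expand_acl(config):
    """Return every ACE in `config` as a list of expanded, line-number-free entries."""
    groups, expanded = parse_groups(config), []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for s in members(d["src"], groups):
            for t in members(d["dst"], groups):
                ace = f"access-list {d['name']} extended {d['action']} {d['proto']} {s} {t}"
                expanded.append(ace + (f" eq {d['port']}" if d["port"] else ""))
    return expanded
```

Feed it the two scenarios from the question and `expand_acl` returns the same five entries for both, which is why an ASA must examine the same number of expanded entries either way and why the object-group form is mainly a management win.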
