Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
452
Views
0
Helpful
1
Replies

Access list with no static maps

wmpickens
Level 1
Level 1

‎09-17-2010 04:46 PM - edited ‎03-11-2019 11:42 AM

     Hello Everyone,

Somewhat of a newbie.

I have to review several firewall configurations, that I do not have responsibility for.

I am reviewing a small office that does no hosting with internet access for the office users.

I didn't create the configs, just have to review them.

The firewall config has several "access-list outside rules" stated.

example:

     access-list outside extended permit tcp any any eq ftp log
     access-list outside extended permit tcp any gt 1023 any eq ftp-data log
     access-list outside extended permit tcp any any eq www log

The access list is assigned to an interface

     access-group outside in interface Outside

There are no static routes defined  for (inside outsid) and the access list is not used anywhere else in the config.

Is this access list actually protecting any networks or host if there are no static routes defined?

Thanks

Labels:
0 Helpful
1 Reply 1

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎09-17-2010 04:55 PM

Hello,

If there is no Static Mapping from internal IP to external IP, then the access-lists would not be applicable. A best way to see if the access-lists are used or not is to issue "show access-list " and see if there are any hit counts. If there are not, then most likely it is not used and it is safe to remove them. If you are certain that there are no hosted services in that site, then there is not reason for those access-lists to be in there. You can remove them as keeping them there could potentially open up some security risks.

Regards,

NT

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top