Access list with no static maps

wmpickens · ‎09-17-2010

Hello Everyone,

Somewhat of a newbie.

I have to review several firewall configurations, that I do not have responsibility for.

I am reviewing a small office that does no hosting with internet access for the office users.

I didn't create the configs, just have to review them.

The firewall config has several "access-list outside rules" stated.

example:

     access-list outside extended permit tcp any any eq ftp log
     access-list outside extended permit tcp any gt 1023 any eq ftp-data log
     access-list outside extended permit tcp any any eq www log

The access list is assigned to an interface

access-group outside in interface Outside

There are no static routes defined for (inside outsid) and the access list is not used anywhere else in the config.

Is this access list actually protecting any networks or host if there are no static routes defined?

Thanks

Nagaraja Thanthry · ‎09-17-2010

Hello,

If there is no Static Mapping from internal IP to external IP, then the access-lists would not be applicable. A best way to see if the access-lists are used or not is to issue "show access-list " and see if there are any hit counts. If there are not, then most likely it is not used and it is safe to remove them. If you are certain that there are no hosted services in that site, then there is not reason for those access-lists to be in there. You can remove them as keeping them there could potentially open up some security risks.

Regards,

NT