Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
379
Views
0
Helpful
1
Replies

ACL do you define all traffic?

Matt Roberts
Level 1
Level 1

‎09-12-2013 07:47 AM - edited ‎03-11-2019 07:37 PM

Is it best practice to create an ACL on each interface that specificies what traffic is allowed and everything is denied?

I've got a couple of interface on my ASA that someone has put in a rule that says allow any to any. I would assume that would not be a good idea.

Labels:
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎09-12-2013 07:53 AM

Hi,

I personally prefer to only allow traffic from the actual source network that are located behind the interface instead of specifying the source as "any" in the ACL statement.

I also tend to add a "deny ip any any" statement at the end of the interface ACL (even though it already contains Implicit Deny). This is because this will let me actually see the hitcount of denied traffic on that interface while the Implicit Deny counter cannot be seen.

Naturally if you have the "ip verify reverse-path " configured for your LAN/DMZ interface then that will already make sure that traffic is not allowed from source addresses/networks that according to ASA routing table are NOT located behind the source interface.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card