10-04-2014 07:48 PM - edited 03-11-2019 09:51 PM
Hi,
my beloved old PIX died a year ago and after running a Linux firewall in the meanwhile, I bought an ASA5505 recently.
Now, with my Linux firewall I did 2 things besides the "normal" firewalling:
First: I blocked Palestine, China and Korea via automated scripts which pull and update the rules every 24h
Second: I blocked access to SIP ports according to a list of sources for SIP fraud attempts which I maintain myself.
Is there any easy way to pull those lists to my ASA, e.g. via TFTP? Or would my script have to log in to the ASA and issue a ton of access-list commands? How's the performance impact of pushing 5000+ rules to a 5505?
-Stefan
10-05-2014 08:44 PM
Hi Stefan,
I think you can copy the ACL lines using the TFTP by copying the configuration to the running configuration and it will merge the configuration with the already existing changes.
www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c4.html#pgfId-2171368
I would recommend using the Object Groups for easier management:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/objectgroups.html
There is no hard-coded limit for the number of ACEs/ACLs on the ASA device, but the recommended limit is around 25K.
Thanks and Regards,
Vibhor Amrodia
10-06-2014 04:57 AM
Hi,
thanks, that looks pretty easy to do. Is there a way to bypass the "enable" and put the user directly into priv exec mode like on routers? I do have tac_plus running and if necessary could set up a RADIUS server. Otherwise the automation of the ACL update would be fairly hard through SSH.
Regarding the limits, I am more worried about the performance of the 5505. When I used a Linux firewall, I saw a significant drop in performance after loading all the rules. The net throughput dropped from wire speed (100M) to about 40-50M...
-Stefan
10-07-2014 05:45 AM
Hi,
You would be able to login directly to the Exec mode using this configuration:
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1595724
NOTE: This is only available from 9.2.1 and later.
Thanks and Regards,
Vibhor Amrodia
10-07-2014 01:16 PM
Very cool! I'm currently working on a script to convert the blocklists into an object group.
Pity that the auto-enable doesn't work with public key authentication...
10-07-2014 03:34 PM
Aaaaand ready :). Thanks a lot again.
Here is my script to automatically create object-groups which can be copied from tftp to run:
http://stefan.gofferje.net/it-stuff/cisco-systems/201-block-a-whole-country-with-a-cisco-asa
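Worked example of the conversion discussed in this thread, added here and not Stefan's published script: it turns a downloaded CIDR list into an object-group fragment for "copy tftp: running-config", and because that copy merges rather than replaces, it also emits "no network-object" lines for entries that dropped out of the list since the previous run. The group name BLOCKLIST_NET and ACL name OUTSIDE_IN are assumptions.

```python
"""Build an ASA object-group merge fragment from a CIDR blocklist (IPv4 only).

Constructed example; GROUP and ACL are assumed names, not from the thread.
"""
import ipaddress

GROUP = "BLOCKLIST_NET"   # assumed object-group name
ACL = "OUTSIDE_IN"        # assumed ACL applied inbound on the outside interface


def parse_blocklist(text):
    """Return sorted, de-duplicated IPv4 networks from a downloaded list.

    Blank lines, '#' comments and unparseable lines are skipped, so one bad
    line in the download cannot become a config line the ASA rejects mid-merge.
    """
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return sorted(n for n in nets if n.version == 4)


def network_object(net, remove=False):
    """Object-group sub-mode line for one network (ASA uses host form for /32)."""
    prefix = "no " if remove else ""
    if net.prefixlen == 32:
        return f"{prefix}network-object host {net.network_address}"
    return f"{prefix}network-object {net.network_address} {net.netmask}"


def build_merge_config(old_text, new_text, bind_acl=False):
    """Lines that, merged into running-config, make GROUP match new_text.

    A merge never deletes anything, so networks present last time but gone
    now are removed explicitly; otherwise stale blocks accumulate forever.
    bind_acl=True additionally inserts the deny ACE once, at line 1, so it
    precedes any permit entries already in the ACL (first run only).
    """
    old, new = set(parse_blocklist(old_text)), set(parse_blocklist(new_text))
    lines = [f"object-group network {GROUP}"]
    lines += [" " + network_object(n, remove=True) for n in sorted(old - new)]
    lines += [" " + network_object(n) for n in sorted(new - old)]
    if bind_acl:
        lines.append(f"access-list {ACL} line 1 extended deny ip object-group {GROUP} any")
    return lines
```

Write the returned lines to a file in the TFTP root and keep a copy of each day's list so the next run can diff against it.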