1816 Views | 10 Helpful | 4 Replies

Best Practices for ASA ACLs

dallen00111111
Level 1

I was wondering if someone would let me know what is currently considered best practice for ACLs on the ASA-5510? We want to add more rules to restrict access to the ASA and the LAN behind it. Would blacklisting or whitelisting be better?

The ASA-5510 has 256 MB of main memory and 1 GB of CF drive on it.  It's running ASA825-59-K8 for software and couldn't be upgraded any further under current conditions. Since it is scheduled for replacement, we are reluctant to put more RAM in it.

Thanks in advance for any assistance you can give.

4 Replies

mvsheik123
Level 7

Hi,

Make sure you are on the latest software in the 8.2 train (due to memory). Also, check the links below...

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html

http://www.cisco.com/c/en/us/about/security-center/firewall-best-practices.html

A few of the commands may not be supported on your ASA code.

hth

MS

Thanks for the information and the links. It'll be helpful when I get through all of it.

mickyq
Level 1

I find it's better to create objects using the IP address rather than a name so you can find it more easily in the CLI. You can use the description to add the server name.

For e.g.: 10.2.2.20 = WEBSVR001

object network OBJ_10.2.2.20
 host 10.2.2.20
 description WEBSVR001

Then if you ever search for the IP address you can find the object it's used in.

The object is used in ACLs, so you can also see the IP address rather than the name.
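The following is an added example, not code from this thread or from Cisco. It ties together the original question (whitelist versus blacklist) and mickyq's OBJ_<ip> naming convention: a small Python audit script that parses an ASA-style configuration fragment, resolves IP-named network objects back to their hosts (so an ACE reads as addresses, as mickyq describes), finds which object a given IP lives in, and flags any access list applied to an interface that does not end in an explicit logged deny. The whitelist point is that the ASA already drops traffic that matches no ACE, but only an explicit `deny ip any any log` line makes those drops visible in syslog. The configuration text, object names, ACL names and interface names below are all constructed for illustration; note also that the `object network` syntax shown in the thread is the 8.3-and-later object model, so on an 8.2 image the same idea would be expressed with `name` and `object-group` statements instead.

```python
"""Audit an ASA-style config fragment for whitelist (default-deny) ACLs.

Added example, not from the thread or from Cisco. Object names follow the
OBJ_<ip> convention from the thread; everything else here is constructed.
"""
import re

# Constructed sample configuration (not a real device's config).
SAMPLE_CONFIG = """\
object network OBJ_10.2.2.20
 host 10.2.2.20
 description WEBSVR001
object network OBJ_10.2.2.21
 host 10.2.2.21
 description MAILSVR001
access-list OUTSIDE_IN extended permit tcp any object OBJ_10.2.2.20 eq 443
access-list OUTSIDE_IN extended permit tcp any object OBJ_10.2.2.21 eq 25
access-list OUTSIDE_IN extended deny ip any any log
access-list MGMT_IN extended permit tcp 10.9.9.0 255.255.255.0 any eq 22
access-group OUTSIDE_IN in interface outside
access-group MGMT_IN in interface management
"""

LOGGED_DENY = "deny ip any any log"  # the explicit, logged catch-all ACE


def parse_objects(config):
    """Return {object_name: {'host': ip, 'description': text, ...}}."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = objects.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            # Indented sub-commands belong to the object just opened.
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line closes the object
    return objects


def parse_acls(config):
    """Return {acl_name: [ace_text, ...]} preserving configuration order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def applied_acls(config):
    """Return {acl_name: interface} for every access-group binding."""
    return {
        m.group(1): m.group(2)
        for m in re.finditer(r"access-group (\S+) in interface (\S+)", config)
    }


def resolve(ace, objects):
    """Rewrite 'object NAME' in an ACE to the object's host IP."""
    return re.sub(
        r"object (\S+)",
        lambda m: objects.get(m.group(1), {}).get("host", m.group(0)),
        ace,
    )


def find_object_by_ip(ip, objects):
    """The lookup mickyq describes: which object(s) carry this host IP?"""
    return [name for name, attrs in objects.items() if attrs.get("host") == ip]


def audit(config):
    """Return (findings, objects, acls); a finding names an applied ACL
    whose last ACE is not the explicit logged deny."""
    objects = parse_objects(config)
    acls = parse_acls(config)
    findings = []
    for name, iface in applied_acls(config).items():
        aces = acls.get(name, [])
        if not aces or aces[-1] != LOGGED_DENY:
            findings.append(f"{name} on {iface}: no explicit logged deny at the end")
    return findings, objects, acls


if __name__ == "__main__":
    findings, objects, acls = audit(SAMPLE_CONFIG)
    for name, aces in acls.items():
        for ace in aces:
            print(f"{name}: {resolve(ace, objects)}")
    print("\n".join(findings) or "all applied ACLs end in a logged deny")
```

Run against the constructed config, the script prints each ACE with object names replaced by addresses and reports that MGMT_IN is applied to an interface without a closing `deny ip any any log`, the kind of gap a whitelist review would want to catch before more rules are added.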

Thanks for the information and suggestions.
