cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2619
Views
5
Helpful
2
Replies

Efficient way to organize ASA firewall access rules

Hello all -

This is just a general question... is there a good way to organize the ASA's access rule list to increase its efficiency?  Maybe by service or hit count (Top 10).  I am using the Cisco ASDM 6.2 to manage our ASA 5520.  Looking at it looks very unappealing and I'm in the process of adding names and descriptions to all the Network Objects.

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

Yes, check how long the ASA has been up for (show version, output will show you), and depending on when you last change your access-list, maybe it is best to remove all the acl with 0 hitcount first. This is assuming that you don't have any "permit any any" statement above the rules with more restrictive access. If everything is very specific then you should be able to remove the one with 0 hitcount, assuming that the ASA has been up for a long time, and also it was some legacy rules that was required in the past.

View solution in original post

2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

Yes, check how long the ASA has been up for (show version, output will show you), and depending on when you last change your access-list, maybe it is best to remove all the acl with 0 hitcount first. This is assuming that you don't have any "permit any any" statement above the rules with more restrictive access. If everything is very specific then you should be able to remove the one with 0 hitcount, assuming that the ASA has been up for a long time, and also it was some legacy rules that was required in the past.

One addition to Jennifers advice to clean up your rules from time to time:

The ACLs on the ASA are always compiled, so there shouldn't be much difference in efficiency of processing the ACEs. In old Cisco IOS-trainings there was the advice to order the ACEs so that the ones with a higher hit-count are at the top and the ACEs with a lower hit-count are at the bottom of the ACL. I never sort my ACLs that way because that adds extra complexity and it's very hard to manage them that way. Remember that unneeded complexity is one of the major enemies of security.

My grouping for an ACL that is on a perimeter-ASA typically looks like that:

1) rules for specific hosts needing internal communication
2) rules for networks needing internal communication
3) drop anything that is internal (most with destination RFC1918)
4) rules for host connecting to the internet (destination any)
5) rules for networks connecting to the internet (destination any)


Sent from Cisco Technical Support iPad App

Review Cisco Networking for a $25 gift card