Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2391
Views
5
Helpful
2
Replies

Efficient way to organize ASA firewall access rules

Go to solution
miguel.desantiago
Level 1
Level 1

‎11-05-2012 09:59 AM - edited ‎03-11-2019 05:19 PM

Hello all -

This is just a general question... is there a good way to organize the ASA's access rule list to increase its efficiency?  Maybe by service or hit count (Top 10).  I am using the Cisco ASDM 6.2 to manage our ASA 5520.  Looking at it looks very unappealing and I'm in the process of adding names and descriptions to all the Network Objects.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎11-05-2012 05:27 PM

Yes, check how long the ASA has been up for (show version, output will show you), and depending on when you last change your access-list, maybe it is best to remove all the acl with 0 hitcount first. This is assuming that you don't have any "permit any any" statement above the rules with more restrictive access. If everything is very specific then you should be able to remove the one with 0 hitcount, assuming that the ASA has been up for a long time, and also it was some legacy rules that was required in the past.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎11-05-2012 05:27 PM

Yes, check how long the ASA has been up for (show version, output will show you), and depending on when you last change your access-list, maybe it is best to remove all the acl with 0 hitcount first. This is assuming that you don't have any "permit any any" statement above the rules with more restrictive access. If everything is very specific then you should be able to remove the one with 0 hitcount, assuming that the ASA has been up for a long time, and also it was some legacy rules that was required in the past.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎11-07-2012 11:45 PM

One addition to Jennifers advice to clean up your rules from time to time:

The ACLs on the ASA are always compiled, so there shouldn't be much difference in efficiency of processing the ACEs. In old Cisco IOS-trainings there was the advice to order the ACEs so that the ones with a higher hit-count are at the top and the ACEs with a lower hit-count are at the bottom of the ACL. I never sort my ACLs that way because that adds extra complexity and it's very hard to manage them that way. Remember that unneeded complexity is one of the major enemies of security.

My grouping for an ACL that is on a perimeter-ASA typically looks like that:

1) rules for specific hosts needing internal communication
2) rules for networks needing internal communication
3) drop anything that is internal (most with destination RFC1918)
4) rules for host connecting to the internet (destination any)
5) rules for networks connecting to the internet (destination any)


Sent from Cisco Technical Support iPad App

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card