
Individual Ports vs Ranges

Mario Elia
Level 1

Hi, just a quick question about best practices for an ASA5520. I'm currently running a pair of these as the internal firewall for my organization, and have about 750 rules dictating traffic. A lot of the rules are for individual ports to specific server(s), some of them having 50+ ports opened. For example, Exchange has about 115 ports opened right now, anywhere from port 25 to 55000.

My question is whether it would be better (faster, less strain on the ASA) to open a port range (i.e. 52000-55000) or whether the individual ports (i.e. 52112, 52336, 52698, 53441, 53495, etc.) would be ok?

Obviously the individual ports are much more granular for security, but I don't want to take that into consideration now. Just strictly individual ports vs ranges.

thanks

2 Replies

julomban
Level 3

Mario,

It will definitely be better to use the range instead of an individual ACL for each port.

You will go from a config with 1000 lines of ACL to a single ACL with all the ports on it.

For troubleshooting purposes you can always use packet-tracer or "show access-list" to see if there are hit counts.

I will go with the range option for sure.

Regards,

Juan Lombana

Please rate helpful posts.

Your 5520 will easily handle 750+ rules so you can keep your current practice of using individual ports. And on a security device you also shouldn't trade security against speed if you are not forced to.

What you can do: Organise all needed ports per server in service object-groups. The resulting ACL won't be shorter by that approach, but the resulting ACL is more readable and manageable, especially if you use the ASDM.


Sent from Cisco Technical Support iPad App
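As an added illustration of the object-group approach suggested in the reply above (this is not code from the thread or from Cisco), the following helper takes the per-server port list, merges any contiguous ports into ranges, and renders the ASA `object-group service` block plus the single ACE that references it. The function names, the server address 10.0.0.5 and the port list are constructed for the example; the ASA syntax (`port-object eq`, `port-object range`, `access-list ... extended permit tcp any host ... object-group ...`) is standard ASA CLI.

```python
from typing import Iterable, List, Tuple


def collapse_ports(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Sort and de-duplicate ports, merging adjacent ones into (low, high) runs.

    Only ports that are literally consecutive are merged, so the generated
    ranges never open anything that was not already in the input list.
    """
    runs: List[Tuple[int, int]] = []
    for port in sorted(set(ports)):
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid TCP/UDP port: {port}")
        if runs and port == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], port)   # extend the current run
        else:
            runs.append((port, port))        # start a new run
    return runs


def render_object_group(name: str, protocol: str, ports: Iterable[int]) -> List[str]:
    """Render an ASA service object-group, one port-object per run."""
    lines = [f"object-group service {name} {protocol}"]
    for low, high in collapse_ports(ports):
        if low == high:
            lines.append(f" port-object eq {low}")
        else:
            lines.append(f" port-object range {low} {high}")
    return lines


def render_ace(acl: str, server: str, group: str) -> str:
    """One ACE that permits TCP from anywhere to the server on the group's ports."""
    return f"access-list {acl} extended permit tcp any host {server} object-group {group}"


def expanded_ace_count(ports: Iterable[int]) -> int:
    """Number of entries 'show access-list' will expand this group into.

    Each port-object (single port or range) becomes one expanded entry, which
    is why a range shortens the expanded ACL while a list of individual ports
    does not.
    """
    return len(collapse_ports(ports))


# Constructed sample: a few ports from the question plus three consecutive
# ones to show the range merge. Not a real Exchange port list.
EXCHANGE_TCP_PORTS = [25, 443, 587, 52112, 52336, 52698, 53441, 53495, 53496, 53497]

if __name__ == "__main__":
    for line in render_object_group("EXCH-TCP", "tcp", EXCHANGE_TCP_PORTS):
        print(line)
    print(render_ace("inside_in", "10.0.0.5", "EXCH-TCP"))
    print("expanded entries:", expanded_ace_count(EXCHANGE_TCP_PORTS))
```

Running the block prints the object-group with `port-object eq` lines for the isolated ports and a single `port-object range 53495 53497` for the consecutive ones, followed by the one ACE that uses it. Because the helper only merges truly adjacent ports, it keeps the granularity the question wanted to preserve while still giving the ASDM-friendly layout from the reply.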
