05-28-2013 06:57 AM - edited 03-11-2019 06:50 PM
Hi, just a quick question about best practices for an ASA5520. I'm currently running a pair of these as internal firewalls for my organization, and have about 750 rules dictating traffic. A lot of the rules are for individual ports to specific server(s), some of them having 50+ ports opened. For example, Exchange has about 115 ports opened right now, anywhere from port 25 to 55000.
My question is: would it be better (faster, less strain on the ASA) to open a port range (i.e. 52000-55000), or would the individual ports (i.e. 52112, 52336, 52698, 53441, 53495, etc.) be ok?
Obviously the individual ports are much more granular for security, but I don't want to take that into consideration now. Just strictly individual ports vs ranges.
thanks
05-28-2013 07:55 AM
Mario,
It will definitely be better to use the range instead of an individual ACL entry for each port.
You will go from a config with 1000 lines of ACL to a single ACL with all the ports in it.
For troubleshooting purposes you can always use packet-tracer or "show access-list".
I will go with the range option for sure.
Regards,
Juan Lombana
Please rate helpful posts.
05-28-2013 09:05 AM
Your 5520 will easily handle 750+ rules so you can keep your current practice of using individual ports. And on a security device you also shouldn't trade security against speed if you are not forced to.
What you can do: organise all needed ports per server in service object-groups. The resulting ACL won't be shorter by that approach, but the resulting ACL is more readable and manageable, especially if you use the ASDM.
Sent from Cisco Technical Support iPad App
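An added example (not from the thread) of the service object-group approach described in the answer above, with the check commands the earlier answer mentions; the object names, addresses and port numbers are constructed, and the `!` lines are explanatory comments:

```cisco
! Per-server service object-group: one place to list everything the
! Exchange server (hypothetical host 10.0.10.25) must accept over TCP.
object-group service EXCHANGE-TCP tcp
 description Ports allowed to the Exchange server (constructed sample)
 port-object eq smtp
 port-object eq https
 port-object eq 52112
 port-object eq 52336
 port-object eq 52698
 port-object range 60000 60100
!
object network EXCHANGE-SRV
 host 10.0.10.25
!
! One ACE references the group; the ASA still expands it into one
! entry per port-object internally, so the line count does not drop,
! but the config stays readable and a port change is a one-line edit.
access-list INSIDE_IN extended permit tcp any object EXCHANGE-SRV object-group EXCHANGE-TCP
access-group INSIDE_IN in interface inside
!
! Checks: see the expanded entries and their hit counts, and confirm
! that a specific flow is matched by the intended entry.
show access-list INSIDE_IN
show object-group id EXCHANGE-TCP
packet-tracer input inside tcp 10.0.20.5 40000 10.0.10.25 52112
```

If the expanded entry count becomes a memory concern on a busy unit, `object-group-search access-control` keeps the ACL compiled against the groups instead of expanding them, at the cost of some extra CPU per lookup; check `show access-list` before and after to see the difference in entry count.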