ASA 5525X Outside Configuration Confirmation


Hi,


Are the access lists below enough to protect the outside interface on an ASA 5525X?


access-list outside line 36 extended deny tcp any any (hitcnt=846) 0x2a966e57
access-list outside line 37 extended deny udp any any (hitcnt=260) 0x6c301697
access-list outside line 38 extended deny ip any any (hitcnt=9898747) 0xfd0ffa4a


Kindly provide your input, thanks in advance.


Regards,

Pravin Raj K


6 Replies

There is an implicit "deny any" at the end of the ACL. You only need these lines if you want to have drop-statistics for TCP, UDP and all other IP-traffic.


Thank you, can you please confirm the implicit deny option at the end of the ACL?

Regards,
Pravin Raj K
Network Engineer

Hello,

Here is a document that relates to Karsten's remarks:


Note: Although all ACLs contain an implicit deny statement, Cisco recommends use of an explicit deny statement, for example, deny ip any any. On most platforms, such statements maintain a count of the number of denied packets. This count can be displayed using the show access-list command.


Check the link below for reference:

Cisco Firewall Best Practices Guide
https://www.cisco.com/c/en/us/about/security-center/firewall-best-practices.html

Thank you Georg,


So I assume from your comments that "access-list outside line 38 extended deny ip any any" (the last line) is enough to block any traffic that comes to the outside interface.


Regards,
Pravin Raj K
Network Engineer

Yes, "ip" includes all ip-based protocols. You don't need udp and tcp in addition to that. But with your ACL you'll see separate statistics for udp and tcp which could be desired.
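To make the two points in this thread concrete (an explicit "deny ip any any" at the end of the ACL gives you a drop counter that the implicit deny does not, and "ip" already covers tcp and udp, so the extra lines only add per-protocol statistics), here is an added example, not from the original post or from Cisco, that parses "show access-list" output in the format quoted above and reports whether the ACL ends in an explicit catch-all deny, how many packets each explicit deny has counted, and whether any entry sits after the catch-all deny and can therefore never match. The sample output is constructed: the three deny lines mirror the ones in the question, while the two permit lines and their hash values are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of "show access-list" output for an ACL applied to the
# outside interface. The three deny lines mirror those quoted in the thread;
# the two permit lines and their hash values are made up for illustration.
SAMPLE_OUTPUT = """\
access-list outside line 1 extended permit tcp any host 203.0.113.10 eq 443 (hitcnt=12345) 0x11111111
access-list outside line 2 extended permit udp any host 203.0.113.53 eq domain (hitcnt=678) 0x22222222
access-list outside line 36 extended deny tcp any any (hitcnt=846) 0x2a966e57
access-list outside line 37 extended deny udp any any (hitcnt=260) 0x6c301697
access-list outside line 38 extended deny ip any any (hitcnt=9898747) 0xfd0ffa4a
"""

# One access control entry (ACE) as printed by "show access-list".
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<match>.*?)\s*"
    r"\(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    match: str   # source/destination (and port) part, e.g. "any any"
    hits: int


def parse_show_access_list(text: str) -> List[Ace]:
    """Parse ACE lines; lines that are not ACEs (headers, remarks) are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["action"],
                            m["proto"], m["match"].strip(), int(m["hits"])))
    return aces


def is_catch_all(ace: Ace) -> bool:
    """True for an ACE that matches every source and every destination."""
    return ace.match == "any any"


def explicit_terminal_deny(aces: List[Ace]) -> Optional[Ace]:
    """The final ACE if it is 'deny ip any any', else None.

    Without it the implicit deny still drops the traffic, but the ASA keeps
    no hit counter for those drops, so they are invisible in show access-list.
    """
    if aces and aces[-1].action == "deny" and aces[-1].proto == "ip" \
            and is_catch_all(aces[-1]):
        return aces[-1]
    return None


def denied_by_protocol(aces: List[Ace]) -> Dict[str, int]:
    """Drop counters from explicit catch-all deny entries, keyed by protocol."""
    return {a.proto: a.hits for a in aces
            if a.action == "deny" and is_catch_all(a)}


def unreachable_aces(aces: List[Ace]) -> List[Ace]:
    """ACEs listed after the first 'deny ip any any'; they can never match."""
    for i, a in enumerate(aces):
        if a.action == "deny" and a.proto == "ip" and is_catch_all(a):
            return aces[i + 1:]
    return []


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_OUTPUT)
    term = explicit_terminal_deny(aces)
    print("explicit terminal deny:",
          f"line {term.line}" if term else "none (implicit deny only, no counter)")
    print("explicit drops by protocol:", denied_by_protocol(aces))
    print("unreachable ACEs:", [a.line for a in unreachable_aces(aces)])
```

Run against the sample, it reports line 38 as the explicit terminal deny, per-protocol drop counts of 846 (tcp), 260 (udp) and 9898747 (ip), and no unreachable entries; on a capture where the ACL has no final "deny ip any any" it flags that drops are happening without a counter, which is exactly the reason the best-practices note above recommends the explicit line.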


Thank you so much, got the desired answer.
Regards,
Pravin Raj K
Network Engineer