Solved: Re: ASA ACL Line number for Deny All

Mokhalil82 · ‎07-13-2018

Hi

I have an ASA with interface ACLs. I want to insert a Deny All with logging "Deny ip any any log" at the end of each ACL.

I understand when I then insert any new ACE's in the future, they need to include the line number to ensure they are inserted above the Deny all rule.

What is the best practice, I was thinking of inserting the deny all rule on a very high line number, so if the line numbers currently go up to 200, I may insert the deny all on line 10000 as its always going to be the last rule. Is this a good way of doing this.

The reason I ask is I will be doing this on a few ASAs so want to get some advice on the best practice solution. Or shall just insert the deny all without the line number so it is the last entry, then just insert further rules above that line number as they auto number anyway if you insert a number that already exists?

Thanks

Marvin Rhoads · ‎07-13-2018

Your last method is better. A high number won't be preserved once the ACL is parsed.

View solution in original post

Dennis Mink · ‎07-13-2018

i know if you use asdm and you go add rule it adds it to the bottom. by default, I think its the same with CLI, but to make it scalable, you can give it a high line number to makle it land at the bottom and you still have space above it.

Please remember to rate useful posts, by clicking on the stars below.

Marvin Rhoads · ‎07-13-2018

Your last method is better. A high number won't be preserved once the ACL is parsed.