07-13-2018 01:40 AM - edited 03-12-2019 05:27 AM
Hi
I have an ASA with interface ACLs. I want to insert a Deny All with logging ("deny ip any any log") at the end of each ACL.
I understand that when I then insert any new ACEs in the future, they need to include the line number to ensure they are inserted above the Deny All rule.
What is the best practice? I was thinking of inserting the Deny All rule on a very high line number, so if the line numbers currently go up to 200, I may insert the Deny All on line 10000 as it's always going to be the last rule. Is this a good way of doing this?
The reason I ask is that I will be doing this on a few ASAs, so I want to get some advice on the best-practice solution. Or shall I just insert the Deny All without the line number so it is the last entry, then insert further rules above that line number, as they auto-number anyway if you insert a number that already exists?
Thanks
07-13-2018 07:20 AM
Your last method is better. A high number won't be preserved once the ACL is parsed.
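When rolling this out across several ASAs, the step a practitioner usually wants after appending `access-list NAME extended deny ip any any log` (no line number, so it lands last) is a check that every ACL really does end with that entry, since a later `access-list NAME line N extended ...` insert only stays above the deny if N is at or below its current line. The following script is an added example, not code from this thread or from Cisco: it parses `show access-list` output in the ASA's `access-list NAME line N extended ...` layout (the sample output below is constructed, with made-up hit counts and hashes), classifies each ACL's last ACE, and emits the CLI lines that would bring a non-compliant ACL into line. It checks only the literal `deny ip any any` form the question uses, not `any4`/`any6` or object-group variants.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of ASA `show access-list` output. The per-ACE layout
# ("access-list NAME line N extended ... (hitcnt=X) 0xHASH") follows the ASA's
# real display format; the hit counts and hashes are made up for this example.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list OUTSIDE_IN; 3 elements; name hash: 0x1a2b3c4d
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.10 eq 443 (hitcnt=120) 0xaaaa0001
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.10 eq 80 (hitcnt=44) 0xaaaa0002
access-list OUTSIDE_IN line 3 extended deny ip any any log informational interval 300 (hitcnt=7) 0xaaaa0003
access-list DMZ_IN; 2 elements; name hash: 0x5e6f7a8b
access-list DMZ_IN line 1 extended permit udp host 192.0.2.5 host 198.51.100.53 eq domain (hitcnt=9) 0xbbbb0001
access-list DMZ_IN line 2 extended deny ip any any (hitcnt=0) 0xbbbb0002
access-list INSIDE_IN; 1 elements; name hash: 0x9c0d1e2f
access-list INSIDE_IN line 1 extended permit ip 10.0.0.0 255.0.0.0 any (hitcnt=5001) 0xcccc0001
"""

# One ACE per line; the trailing hit counter and hash are optional so the
# regex also matches ACEs copied from a running-config.
ACE_RE = re.compile(
    r"^access-list (\S+) line (\d+) extended (.*?)"
    r"(?: \(hitcnt=\d+\))?(?: 0x[0-9a-f]+)?$"
)


def parse_show_access_list(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Group ACEs by ACL name as (line number, rule body), sorted by line."""
    acls: Dict[str, List[Tuple[int, str]]] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue  # summary lines ("NAME; N elements") are skipped
        name, line, body = m.group(1), int(m.group(2)), m.group(3)
        acls.setdefault(name, []).append((line, body))
    for aces in acls.values():
        aces.sort()
    return acls


def final_deny_status(aces: List[Tuple[int, str]]) -> str:
    """Classify the last ACE: 'ok', 'deny-no-log', or 'missing'."""
    if not aces:
        return "missing"
    body = aces[-1][1]
    if body.startswith("deny ip any any"):
        # The ASA displays the log keyword with its level and interval,
        # so a plain substring test on " log" is sufficient here.
        return "ok" if " log" in body else "deny-no-log"
    return "missing"


def audit(text: str) -> Dict[str, str]:
    """Map each ACL name to its final-deny status."""
    return {name: final_deny_status(aces)
            for name, aces in parse_show_access_list(text).items()}


def config_commands(result: Dict[str, str]) -> List[str]:
    """ASA CLI lines to fix each non-compliant ACL. No line number is given,
    so the new deny is appended as the last entry (the thread's recommended
    approach). An existing deny without logging is removed first, because a
    logged deny appended after it would never be hit."""
    cmds: List[str] = []
    for name in sorted(result):
        status = result[name]
        if status == "deny-no-log":
            cmds.append(f"no access-list {name} extended deny ip any any")
        if status in ("deny-no-log", "missing"):
            cmds.append(f"access-list {name} extended deny ip any any log")
    return cmds


if __name__ == "__main__":
    findings = audit(SAMPLE_SHOW_ACCESS_LIST)
    for acl, status in sorted(findings.items()):
        print(f"{acl:<12} {status}")
    print("\n".join(config_commands(findings)))
```

In practice you would feed it the captured `show access-list` output from each ASA rather than the embedded sample; the generated commands are meant to be reviewed before being applied, not pushed blindly.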
07-13-2018 03:53 AM
I know if you use ASDM and you go to add a rule, it adds it to the bottom. By default, I think it's the same with the CLI, but to make it scalable, you can give it a high line number to make it land at the bottom and you still have space above it.