05-19-2017 08:25 AM - edited 03-12-2019 04:28 AM
Hello All:
Over the years, across multiple vendors and projects, considerable junk has accumulated in our ASA access rules, static routes, NAT entries and VPN tunnels. As usual, be it a contractor or staff, everyone is keen on adding statements but not on cleaning up!
Now I have the wonderful task of removing obsolete IPs, NAT, access and VPN entries.
I used Solarwinds FSM to run analysis, but the results were only harping in an alarming manner on the number of any-to-any entries. I was surprised myself, but it appears to be the last statement in a section as a catch-all. Cisco ASA configs do not specify best practices to restrict "any to any" use. I am prudent enough not to remove without research, and a safe step would be to disable and see what happens?!!
Any other less dramatic suggestions to test removal? (Sample attached)
All suggestions much appreciated.
Thx
SV
05-21-2017 03:13 AM
I tend to look at hit counts to see if rules are being used or not, which of course you would need to run over a longer period of time. Then, when the rule still shows 0 hitcount after weeks, put it on non-active. After a longer period you can decide to delete the rule.
Probably the easiest way to clean up.
Please rate if useful.
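An added example (not from the original post) of the hit-count approach above: it parses `show access-list` output, lists ACEs that still show `hitcnt=0`, flags any-to-any entries for review, and emits the re-entered ACE with the `inactive` keyword so the rule is disabled rather than deleted. The sample output and ACL name `outside_in` are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `show access-list` output (not taken from the post's attachment).
SAMPLE_OUTPUT = """\
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list outside_in; 3 elements; name hash: 0x0c8b2e6a
access-list outside_in line 1 extended permit tcp any host 10.0.0.10 eq www (hitcnt=18342) 0x1a2b3c4d
access-list outside_in line 2 extended permit tcp any host 10.0.0.11 eq 8443 (hitcnt=0) 0x5e6f7a8b
access-list outside_in line 3 extended deny ip any any log (hitcnt=917) 0x9c0d1e2f
"""

# One ACE per line: "access-list <acl> line <n> extended ... (hitcnt=<n>) 0x<hash>"
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>extended .+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    text: str   # the ACE body, e.g. "extended permit tcp any host 10.0.0.10 eq www"
    hits: int


def parse_access_list(output: str) -> list[Ace]:
    """Return the ACEs found in `show access-list` output; summary lines are skipped."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw)
        if m:
            aces.append(Ace(m["acl"], int(m["line"]), m["ace"], int(m["hits"])))
    return aces


def zero_hit_aces(aces: list[Ace]) -> list[Ace]:
    """Candidates for disabling: rules that have never matched in the observed window."""
    return [a for a in aces if a.hits == 0]


def any_to_any_aces(aces: list[Ace]) -> list[Ace]:
    """Rules whose source and destination are both 'any'; worth a manual review."""
    return [a for a in aces if re.search(r"\bany any\b", a.text)]


def inactive_commands(aces: list[Ace]) -> list[str]:
    """Re-entering an ACE with the trailing `inactive` keyword disables it without deleting it."""
    return [f"access-list {a.acl} line {a.line} {a.text} inactive" for a in aces]
```

Feed it the output collected over several weeks, then review the generated commands before pasting them into config mode.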
05-22-2017 06:58 AM
Thank you very much. Appreciate the steps.
Regards
SV