Cisco ACL Best Practices?

If you aren't at all familiar with ACL configuration on the ASA, I would recommend either picking up this ASA admin guide off of Amazon:

http://www.amazon.com/Cisco-ASA-All-One-Appliance/dp/1587052091/ref=sr_1_3?ie=UTF8&s=books&qid=1272526892&sr=8-3

Or its newer brother:

http://www.amazon.com/Cisco-ASA-All-One-Appliance/dp/1587058197/ref=sr_1_1?ie=UTF8&s=books&qid=1272526892&sr=8-1

A job I recently landed had me configuring an ASA (a task I had never done before) and those books saved my ass :)

As far as best practice goes for ACLs, I've always found it easier to specify the traffic that you want to lock down first (server-to-server communications, ftp/ss/tftp/ldap/mysql/snmp/etc) and then create a deny rule to lock it down, and then create some deny rules for traffic that you never want to pass (bittorrent/usenet). There are other features of the ASA that you should take time to learn as well; I could see the URL/ActiveX/Content filtering features being very handy in a school district, especially one that may not have the best security practices in place.
 
Remember there is an implied deny rule at the end of the ACL, so if you didn't permit something, it's denied.
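The approach described in the two replies above (permit the specific server-to-server flows you need, deny the management/service protocols you want locked down, deny never-pass traffic, and remember the implied deny at the end), written out as an ASA interface ACL. This is an added example, not configuration posted by either author; the object-group names, the `dmz` interface name and the RFC 5737 documentation addresses are all constructed for illustration.

```cisco
! Added example (not from the thread): ASA interface ACL for a DMZ.
! Addresses are constructed RFC 5737 documentation ranges; object names are assumed.
object-group network DMZ_WEB_SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
object-group network INSIDE_DB_SERVERS
 network-object host 198.51.100.20
object-group service MGMT_AND_DB_TCP tcp
 port-object eq ssh
 port-object eq ftp
 port-object eq ldap
 port-object eq 3306
object-group service SNMP_TFTP_UDP udp
 port-object eq snmp
 port-object eq tftp
!
! 1. Permit only the server-to-server flow the web tier actually needs (first match wins,
!    so the specific permit must come before the broad denies below).
access-list DMZ_IN remark web tier -> database, MySQL only
access-list DMZ_IN extended permit tcp object-group DMZ_WEB_SERVERS object-group INSIDE_DB_SERVERS eq 3306
!
! 2. Deny the rest of the management/service protocols from the DMZ, logged so attempts show up in syslog.
access-list DMZ_IN remark lock down mgmt and service protocols from the DMZ
access-list DMZ_IN extended deny tcp any any object-group MGMT_AND_DB_TCP log
access-list DMZ_IN extended deny udp any any object-group SNMP_TFTP_UDP log
!
! 3. Deny traffic that should never pass: usenet (NNTP) and a commonly used BitTorrent port range.
!    Port-based matching will not catch clients that change ports; it is a baseline, not a full control.
access-list DMZ_IN remark never-pass traffic
access-list DMZ_IN extended deny tcp any any eq nntp log
access-list DMZ_IN extended deny tcp any any range 6881 6889 log
!
! 4. Permit the general traffic that is allowed out of the DMZ (DNS, HTTP/HTTPS).
access-list DMZ_IN extended permit udp any any eq domain
access-list DMZ_IN extended permit tcp any any eq www
access-list DMZ_IN extended permit tcp any any eq https
!
! 5. Explicit deny at the end: the ASA already drops anything unmatched (the implied deny),
!    but writing it out with 'log' makes those drops visible and easy to review.
access-list DMZ_IN extended deny ip any any log
!
! Bind the ACL to inbound traffic on the DMZ interface.
access-group DMZ_IN in interface dmz
```

After applying it, `show access-list DMZ_IN` shows a hit count per line, which is the quickest way to confirm that the specific permit in step 1 is matching before the broad denies and that the final deny is only catching traffic you actually intended to drop.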
 