Access List Entry Ordering

Discussion in 'Cisco' started by mclaughlinj, Apr 30, 2004.

  1. mclaughlinj

    mclaughlinj Guest

    In securing an outside router, what is the most effective ordering for
    your access list entries. Does using the ACL entry with "established"
    automatically defeat other entries since it only allows sessions
    initiated on the inside?

    Say you have the following ACL blocks, how would you order

    block known virus ports
    block private addresses
    block icmp traffic unwanted
    block udp traffic unwanted
    permit outside TCP traffic (vpn)
    permit established any inside-net eq established ???
    permit udp any inside-net

    Just not sure how/where to apply the acl established enty.

    Thanks, jeff
     
    mclaughlinj, Apr 30, 2004
    #1
    1. Advertisements

  2. Access list entries are processed in order, and the first one that
    matches the packet is used. "established" doesn't defeat anything;
    anything not matched by it will be examined by other rules in the ACL.

    In general, you should put more specific entries ahead of more general
    entries.
    I usually put "established" early. These are the most common packets,
    so performance is best if they're examined by fewer ACL entries. The
    only issue is what you want to do in the case where an established
    connection involves a virus port; if you want to block them, then the
    "block known virus ports" should be ahead of the "permit established"
    entry.
     
    Barry Margolin, Apr 30, 2004
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.