ACL "any" keyword

Is there anyone who can provide a definitive source cite for what the keyword "any" in an ASA ACL refers to?
  • Does it refer to "any" traffic?
  • Or is it more referring to any subnet, as in
Is there anyone who knows? I'd love to see this from a definitive source somewhere, because I'm not sure all ASA engineers think about it the same way. But I do want to know what is the actual case...

ArchiTech89IT Security EngineerAsked:
Who is Participating?
atlas_shudderedConnect With a Mentor Sr. Network EngineerCommented:

To further expand on what buckethead34 says above -

The statement any in and ACE (a single line of instruction in and ACL) translates to the following:


00000000.00000000.00000000.00000000 11111111.11111111.11111111.11111111

When reverse masking any string of contiguous 1's means don't care.  In the case above, the mask logically states "don't care, match all"

For further reading and validation on this point, check out this article on cisco's site:

Check under the section ACL Concepts for the reference you are looking for.

Hope it helps.
It means any IP address. In the below entry the first any means any source and the second means any destination. Depending on where the access-list is applied it source/destination could mean inside or outside of the network. Do you have a specific line that you need to know what it's doing?

permit ip any any
ArchiTech89IT Security EngineerAuthor Commented:
Thanks to both. buckethead, I was already aware of the general properties of the any keyword, but I appreciate your efforts. atlas, thanks so much for the specifics and for the reference. This is exactly what I was looking for.

I'm always very grateful for information from fellow engineers!

Here's basically what I have determined, for what it's worth:
  • Best practices would tend away from the use of the "any" keyword in most ACLs. It's much wiser (and it makes a LOT of sense as well) to use the specific network and mask as opposed to "any".

Here's an example of what I wanted to get clear on:
nameif - DMZ
ipaddr -
In an ACL, best practice here would not be to use any, but rather

Furthermore, it seems that a lot of audits (PCI, HIPPA, NIST, IRS, ISO, etc.) recoil slightly against the use of any.

In contrast, use of any is almost mandatory for public traffic from the internet. In this case, there would be no ability (and no reason) to identify each potential network that could be utilized.
IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

ArchiTech89IT Security EngineerAuthor Commented:
Exactly what I asked for. Thanks to the expert!
atlas_shudderedSr. Network EngineerCommented:
Archi - Thanks for the kudos -

Something else to consider after reading your closing post.  During audits, your auditor is more likely to recoil from an any statement on the permit side.  Generally, use in a deny is not even blanched at.  Additionally, remember that ACLs run sequential, top to bottom.  So when building your ACLs the use of a well placed deny X any can shorten the packet runtime and improve performance overall.  Without the deny anys, especially on long ACLs, an packet that will ultimately be denied will run the entire of the ACL looking for a permit match before finally hitting the implied deny all at the bottom.

Just food for thought.  Good luck.

ArchiTech89IT Security EngineerAuthor Commented:
Good point. I sorta left out that the focus was on permits only...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.