Asked by ArchiTech89
ACL "any" keyword

Is there anyone who can provide a definitive source cite for what the keyword "any" in an ASA ACL refers to?
  • Does it refer to "any" traffic?
  • Or is it more referring to any subnet, as in 0.0.0.0
Is there anyone who knows? I'd love to see this from a definitive source somewhere, because I'm not sure all ASA engineers think about it the same way. But I do want to know what is the actual case...


Cheers!
buckethead34 replied:
It means any IP address. In the below entry the first any means any source and the second means any destination. Depending on where the access-list is applied it source/destination could mean inside or outside of the network. Do you have a specific line that you need to know what it's doing?

permit ip any any
ASKER CERTIFIED SOLUTION by atlas_shuddered (United States of America): solution text not available on this page (members only).
ArchiTech89 (asker) replied:
Thanks to both. buckethead, I was already aware of the general properties of the any keyword, but I appreciate your efforts. atlas, thanks so much for the specifics and for the reference. This is exactly what I was looking for.

I'm always very grateful for information from fellow engineers!

Here's basically what I have determined, for what it's worth:
  • Best practices would tend away from the use of the "any" keyword in most ACLs. It's much wiser (and it makes a LOT of sense as well) to use the specific network and mask as opposed to "any".

Here's an example of what I wanted to get clear on:
nameif - DMZ
ipaddr - 192.168.35.0 255.255.255.0
In an ACL, best practice here would not be to use any, but rather 192.168.35.0/24.

Furthermore, it seems that a lot of audits (PCI, HIPAA, NIST, IRS, ISO, etc.) recoil slightly against the use of any.

In contrast, use of any is almost mandatory for public traffic from the internet. In this case, there would be no ability (and no reason) to identify each potential network that could be utilized.
Exactly what I asked for. Thanks to the expert!
Archi - Thanks for the kudos -

Something else to consider after reading your closing post. During audits, your auditor is more likely to recoil from an any statement on the permit side. Generally, use in a deny is not even blanched at. Additionally, remember that ACLs run sequentially, top to bottom. So when building your ACLs the use of a well placed deny X any can shorten the packet runtime and improve performance overall. Without the deny anys, especially on long ACLs, a packet that will ultimately be denied will run through the entire ACL looking for a permit match before finally hitting the implied deny all at the bottom.

Just food for thought.  Good luck.

A
Good point. I sorta left out that the focus was on permits only...
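The three points made in this thread (buckethead34's "any means any IP address, first any is source, second is destination"; the asker's conclusion that a specific network and mask is preferable to any on the permit side; and atlas_shuddered's reminder that an ACL is walked top to bottom until the first match, so an early deny X any spares a doomed packet the full walk) can be made concrete with a small evaluator. The block below is an added example written for this page; it is not Cisco code and not anything posted in the thread. It parses ASA-style extended ACEs (no port qualifiers), treats "any" as 0.0.0.0 0.0.0.0, evaluates sequentially with an implicit deny at the end, reports how many entries a packet was compared against, and lists permit entries that use any, which is the case auditors object to. The ACL names, interface and addresses are constructed for the example.

```python
"""Toy evaluator for ASA-style extended ACL entries.

Demonstrates: "any" == 0.0.0.0 0.0.0.0 (matches every address, so a
'permit ip any any' matches all traffic); top-to-bottom evaluation with the
implicit deny at the end; and how an early 'deny X any' shortens the walk.
Added example for this thread, not Cisco code; ACL names and addresses are
constructed.
"""
import ipaddress
from dataclasses import dataclass

# "any" is shorthand for 0.0.0.0 0.0.0.0: a network with a zero-length mask.
ANY = ipaddress.IPv4Network("0.0.0.0/0.0.0.0")


@dataclass(frozen=True)
class ACE:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    line: str                     # original text, kept for reporting


def _take_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M')
    from the front of tokens; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ASA writes a dotted netmask (not an IOS wildcard), so it maps directly.
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended {permit|deny} PROTO SRC DST'.
    Port qualifiers are not handled by this toy."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, rest = _take_addr(t[5:])
    dst, _ = _take_addr(rest)
    return ACE(action, proto, src, dst, line)


def evaluate(acl, proto, src_ip, dst_ip):
    """Walk the ACL top to bottom and stop at the first match.
    Returns (action, aces_examined, matched_line). With no match the packet
    falls off the end to the implicit deny, having been compared against
    every entry."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for n, ace in enumerate(acl, 1):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action, n, ace.line
    return "deny", len(acl), "<implicit deny>"


def permit_any_findings(acl):
    """Audit helper: permit entries whose source or destination is 'any'.
    Deny entries are ignored, since 'any' in a deny is the normal case."""
    return [a.line for a in acl if a.action == "permit" and ANY in (a.src, a.dst)]


# Constructed samples (names and addresses are made up for the example).
OUTSIDE_IN = [parse_ace("access-list OUTSIDE_IN extended permit ip any any")]

# Inbound ACL on the DMZ (192.168.35.0/24): 20 permits, one per inside host,
# using the specific network and mask instead of 'any' as the source.
DMZ_IN = [
    parse_ace(f"access-list DMZ_IN extended permit tcp 192.168.35.0 255.255.255.0 host 10.0.0.{i}")
    for i in range(1, 21)
]

# Same ACL with a 'deny X any' for one known-bad DMZ host placed at the top.
DMZ_IN_EARLY_DENY = [
    parse_ace("access-list DMZ_IN extended deny ip host 192.168.35.66 any")
] + DMZ_IN


if __name__ == "__main__":
    print(evaluate(OUTSIDE_IN, "udp", "203.0.113.7", "198.51.100.9"))
    # A packet that will be dropped anyway walks all 20 lines to the implicit deny...
    print(evaluate(DMZ_IN, "tcp", "192.168.35.66", "10.0.0.99"))
    # ...but is rejected on line 1 when the deny is placed early.
    print(evaluate(DMZ_IN_EARLY_DENY, "tcp", "192.168.35.66", "10.0.0.99"))
    print(permit_any_findings(OUTSIDE_IN), permit_any_findings(DMZ_IN))
```

Note that ordering matters in both directions: in DMZ_IN a packet from 192.168.35.66 to 10.0.0.5 is permitted on line 5, while in DMZ_IN_EARLY_DENY the same packet is denied on line 1, so the early deny is also the only way to override a later, broader permit.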