ACL at router or ASA
Folks:
Going over some access list items, specifically sequence numbers in IP access lists; however, is it better to build ACLs on the router that faces your ISP, or stick to the ASA? I am creating simple lists to block domains...nothing fancy.
Thank you
Utini!
Comments
-
redwarrior Member Posts: 285
If you already have an ASA, I'd stick your ACLs there...they have some nice features for troubleshooting exactly what is blocking your traffic, etc. I wouldn't buy an ASA just to put an ACL on it, though. If all you need is a very simple ACL to block some things, then I'd put it on what you already have.
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
-
Daniel333 Member Posts: 2,077
Assuming I am understanding, it's not so much that it "needs" to be on an ASA or "needs" to be on a router. Generally you just want to block the traffic as soon as possible. Kinda like, why let anything on your network you don't need to?
-Daniel
-
apd123 Member Posts: 171
As with everything in networking, the answer is it depends. If you are natting on the ASA then you will pretty much have to configure your internal ACLs there. Also keep in mind the ASA has more advanced firewall capability and a more scalable way of building large complex ACL policies.