
Get your Cisco ASA firewall ACLs under control with these five easy steps

Do you badge in and out of your office each day? That electronic lock should be doing two things: making sure you can get in (and get to work), and keeping people who shouldn’t be there out. If the permissions aren’t right, you could be blocked from entering. Or, worse, people who aren’t authorized could walk right in. This is what happens if the Access Control Lists (ACLs) on your firewall aren’t properly configured. Valid traffic could be blocked, or unauthorized traffic could slip through. This can impact productivity and even be a security risk.

ACLs can be hundreds or even thousands of lines long. They may have been set up years ago and been modified too many times to count. Are you confident that they are controlling the traffic the way you want? Do you need deeper network insights to see what is really going on?

Reviewing your Access Control Lists can be a tedious task, but the latest release of SolarWinds® Network Configuration Manager (NCM) makes it easy. This release introduces a new feature, Network Insight™ for Cisco® ASA, so you can easily review and audit ACLs for your Cisco ASA firewall.

  1. Review what ACLs are configured
    You can’t control it if you don’t know you have it. First, take a look to see what Access Control Lists are set up. The network insights you get with NCM will allow you to view all ACLs configured on the ASA. See if you have an ACL that was configured but never applied. Do you have ACLs that were set up so long ago that none of the original creators are still around?

  2. Audit where and how they are assigned
    An ACL may be configured correctly but assigned to the wrong zone, reducing its effectiveness. Are your ACLs assigned to the correct zones? What interfaces are assigned to those zones? Review where your Cisco ASA ACLs are assigned to maximize their strength.

  3. See what rules are being used
    Do you have rules in place that are never used, or rules that are getting hit all the time? Use NCM’s ACL Rule Browser to browse to object group definitions, search and filter within your ACLs, and view the hit count for individual rules to debug your access rules. Rules that are never hit may have been superseded by other policy changes. Rules that are getting hit all the time may indicate a need to refine the rule. With increased network insight you can optimize the ACL rules on your Cisco ASA.

  4. Detect shadow or redundant rules
    Access Control List rules are evaluated in the order they are listed, and the first matching rule wins. A rule that can never match because an earlier rule already matches the same traffic with a different action is a shadow rule. A rule that can never match because an earlier rule already matches the same traffic with the same action is a redundant rule. For example, your office wants to let in anyone who is an employee, but not on the weekends. If the badge reader checks “let in all employees” first and only then checks the day of the week, the weekend rule is a shadow rule: it never takes effect, because the door has already unlocked after confirming that an employee was trying to enter. You can reduce security risks and help ensure your ACLs are working as intended by identifying shadow or redundant rules.

  5. Compare ACLs for changes
    It can be difficult to troubleshoot ACL config issues. Network Configuration Manager helps make this process easier with side-by-side ACL config comparisons on your Cisco ASAs. You can compare an ACL to a previous version on the same node, or compare it to other nodes, interfaces, or a different ACL. Identify errors and verify consistency with Network Insight for Cisco ASA.
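To make the shadow/redundant distinction from step 4 concrete, here is an added example (not NCM's code, nor SolarWinds' or Cisco's) that walks a simplified ASA extended ACL top-down and reports every rule that an earlier rule already fully covers. It assumes a reduced syntax (any | host A | A MASK, optional "eq PORT", no object groups or port ranges) and a constructed sample ACL.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: "int | None"          # destination port from "eq N", else None
def _addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_rule(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' (simplified)."""
    t = line.split()
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return Rule(t[3], t[4], src, dst, port)

def covers(a, b):
    """True if every packet matched by rule b is already matched by earlier rule a."""
    return (a.proto in ("ip", b.proto)
            and a.src.supernet_of(b.src) and a.dst.supernet_of(b.dst)
            and (a.port is None or a.port == b.port))

def analyze(acl_lines):
    """Return (line_no, 'shadowed' | 'redundant', covering_line_no) for each dead rule."""
    rules = [parse_rule(ln) for ln in acl_lines]
    findings = []
    for i, later in enumerate(rules):
        for j in range(i):                  # ASA evaluates top-down, first match wins
            if covers(rules[j], later):
                kind = "redundant" if rules[j].action == later.action else "shadowed"
                findings.append((i + 1, kind, j + 1))
                break
    return findings
SAMPLE_ACL = [  # constructed sample, not taken from a real device
    "access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443",
    "access-list OUTSIDE_IN extended deny ip any 10.0.0.0 255.255.255.0",
    "access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 80",   # shadowed by line 2
    "access-list OUTSIDE_IN extended deny tcp any host 10.0.0.9 eq 22",     # redundant with line 2
    "access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443",  # duplicate of line 1
]
```

This only flags a rule when a single earlier rule covers it completely; a rule hidden by the combined effect of several earlier rules, or one that is only partly shadowed, would still need a hit-count review as in step 3.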

By working through this simple checklist, you can restore confidence that your firewalls are effectively managing the traffic flow in and out of your network. You can try Network Insight for Cisco ASA in the latest release of Network Configuration Manager. With a free, 30-day trial of NCM, you can see for yourself how easily you can bring your ACLs back under control. Look like a firewall expert without having to be a firewall expert!


If someone's NOT doing this via an automated procedure, such as with Network Configuration Manager, they're not protecting their company or their traffic as well as they ought.

NCM rocks!

And with Network Insight, knowing what's set up correctly, or INCORRECTLY set up, is MUCH easier to discover.

Thanks for pointing out this lovely new ASA compatibility!

How will this ability to view ASA configurations and performance stay relevant as ASAs are migrated into Firepower Threat Defense (FTD) solutions living on VMs?

I have FTD already in-house and it's taking over our ASAs, and replacing them.

Will NPM/NCM still be able to provide these good insights into Cisco's new firewalling solutions like FireSIGHT, FirePOWER, etc.?

And we can run FTD code on many 5500s already instead of running ASA code on them.

Won't we lose NPM/NCM functionality as we keep up with the ever-changing Cisco security environment?

Hi Richard,

NCM can manage the ASA-code based VMs running in an FTD deployment today, using NCM v7.7, the same as if they were standalone ASAs.

As luck would have it, we're scheduled to speak tomorrow afternoon on a different topic; if you wouldn't mind, I'd like to take some time during that conversation to learn more about your deployment in particular, including for example what percentage of your ASAs are running FTD code instead of the ASA code.

Best regards,