I know, that title is a mouthful, but it’s actually pretty simple. A lot of environments out there have ACLs that have implicit permits because it was simply too much work to get a list of what needs to talk to what before the firewall(s) went into place.
So, you’ve got an ACL applied to an interface that is set to permit all. The goal is to stop permitting everything: break out individual permit rules for the traffic that actually needs to flow, so that the catch-all permit can be changed to a deny rule. In ASDM it should look something like this.
So what goes through that ACL that I can start breaking out and writing specific rules for?
Right now, if you right-click the ACL in ASDM, you get this nice little function called “Show Log…”. The problem is this doesn’t work right out of the gate. If you click on this option you won’t see anything yet.
The first thing I like to do is enable Debug logging on ASDM. That way, when I open the log viewer or try to see hits on an ACL, I don’t have to modify anything.
Under Configuration > Logging > Logging Filters > ASDM, change “Filter on severity” to Debugging.
NOTE: As of version 9.9(1) the steps below aren’t necessary. It seems Cisco has made them the default.
The strange thing is that when you now go back to the ACLs and click “Show Log…” you still don’t see anything. Why? The problem is that permit statements do not log by default. Logging of syslog message 106100 needs to be enabled, either in ASDM or through the command line.
logging message 106100
Configuration > Device Management > Logging > Syslog Setup > 106100 “Disabled = No”
Now when you right-click a rule and select “Show Log…” you will start seeing hits on the ACL. Monitor these hits for a while during work hours and you will at least get a huge chunk of the rules written. This is really nice for breaking out permit rules so you can eventually have an implicit Deny All there instead of a Permit All.
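Once 106100 logging is on, the hits pile up fast, and reading them one at a time in the ASDM log viewer gets old. The script below is an added example, not part of the original post: it parses 106100 lines exported from syslog, aggregates the permitted flows for one ACL by protocol, source, destination and destination port (the ephemeral source port is dropped, since it never belongs in a rule), and renders each distinct flow as a candidate access-list entry to review. The message layout follows Cisco’s documented 106100 format; the log lines themselves are constructed for the example, and the ACL names and addresses in them are made up.

```python
import re
from collections import Counter

# Constructed sample lines in ASA syslog 106100 format (not captured from a real device).
SAMPLE_LOG = """\
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(52344) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x8c2e5f3a, 0x00000000]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(52345) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x8c2e5f3a, 0x00000000]
%ASA-6-106100: access-list inside_access_in permitted udp inside/10.1.1.7(60123) -> outside/192.0.2.53(53) hit-cnt 1 first hit [0x8c2e5f3a, 0x00000000]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.9(41000) -> outside/198.51.100.20(22) hit-cnt 1 first hit [0x8c2e5f3a, 0x00000000]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(52346) -> outside/192.0.2.10(443) hit-cnt 1 first hit [0x8c2e5f3a, 0x00000000]
%ASA-6-106100: access-list outside_access_in denied tcp outside/203.0.113.4(55555) -> inside/10.1.1.5(3389) hit-cnt 1 first hit [0x1a2b3c4d, 0x00000000]
"""

# Fields of a 106100 message: ACL name, action, protocol, interface/address(port)
# on each side, and the hit count reported for the logging interval.
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_106100(text):
    """Yield one dict per parsed 106100 line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["hits"] = int(entry["hits"])
            yield entry


def summarize_permits(text, acl_name):
    """Total hits per (proto, src, dst, dport) for flows the named ACL permitted.

    Denied entries and other ACLs are ignored; the source port is deliberately
    left out because it is ephemeral and would make every flow look unique.
    """
    flows = Counter()
    for e in parse_106100(text):
        if e["acl"] == acl_name and e["action"] == "permitted":
            flows[(e["proto"], e["src"], e["dst"], e["dport"])] += e["hits"]
    return flows


def proposed_rules(text, acl_name):
    """Render the aggregated flows as specific ASA access-list entries, busiest first.

    These are candidates for an engineer to review and group into objects,
    not configuration to paste in unread.
    """
    rules = []
    for (proto, src, dst, dport), _hits in summarize_permits(text, acl_name).most_common():
        rules.append(
            f"access-list {acl_name} extended permit {proto} host {src} host {dst} eq {dport}"
        )
    return rules


if __name__ == "__main__":
    for (proto, src, dst, dport), hits in summarize_permits(SAMPLE_LOG, "inside_access_in").most_common():
        print(f"{hits:>5} hit(s)  {proto} {src} -> {dst}:{dport}")
    print()
    for rule in proposed_rules(SAMPLE_LOG, "inside_access_in"):
        print(rule)
```

Feed it a few days of exported syslog rather than the constructed sample, and the hit counts tell you which flows are business traffic and which are one-off noise; the low-count tail is where you go ask questions before the final line becomes a deny.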