I need to modify existing configuration of the CISCO ASA. While analyzing the configuration I noticed something that looks redundant to me. I would like to see if somebody can confirm my doubts.
access-list LANA_access_in extended permit ip any any log debugging inactive
access-list LANA_access_in extended permit icmp any any log debugging inactive
access-list LANA_access_in extended permit icmp 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
access-list LANA_access_in extended permit ip 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
...
access-group LANA_access_in in interface LAN_A_Lan
Am I right that after the first two lines, the second two lines are completely redundant?
And to make things even better, there is this part of the config:
access-list global_access extended permit ip any any log debugging inactive
access-list global_access extended permit icmp any any log debugging inactive
...
access-group global_access global
If I understand correctly, this will allow all ingress traffic on all ports, and the previously mentioned two specific lines are "double" redundant.
Are my assumptions correct?
Your assumption is incorrect. The `inactive` keyword means just what it says: the entry in question is inactive, disabled, not in use, ignored by the packet processing.

The purpose of these two lines is to have something in place for a quick investigation. If an administrator feels the need to trace all packets through that ACL she can just remove the `inactive` attribute from the first `access-list` entry and the ASA will permit and log all arriving IP packets. When the investigation is complete she will put the `inactive` back in and the original ruleset will be in effect again.
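The following script is an added example, not code from the question, the answer or Cisco; it is a hypothetical offline checker that parses the ACEs quoted above, skips every entry carrying the `inactive` keyword (the behaviour the answer describes) and then reports which remaining entries are shadowed by an earlier active entry in the same ACL. It also simulates the administrator's investigation step of removing `inactive` from the first entry, which is the only situation in which the two specific entries become unreachable. Assumptions: only the ACE forms on the page are parsed (protocol keyword, then `any`, `host A.B.C.D` or `A.B.C.D MASK` for source and destination), port qualifiers are not modelled, and the trailing `deny ip any any` line in the sample is constructed.

```python
"""Cisco ASA ACE checker: honour ``inactive`` and report shadowed entries.

Added example (hypothetical helper, not Cisco tooling). Parses the ACE forms
used on the page only; port qualifiers are not modelled (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the four LANA_access_in entries from the question plus one
# constructed explicit deny at the end of the ACL.
SAMPLE_CONFIG = """\
access-list LANA_access_in extended permit ip any any log debugging inactive
access-list LANA_access_in extended permit icmp any any log debugging inactive
access-list LANA_access_in extended permit icmp 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
access-list LANA_access_in extended permit ip 172.12.10.0 255.255.255.0 10.5.83.0 255.255.255.0
access-list LANA_access_in extended deny ip any any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass
class Ace:
    name: str          # ACL name
    action: str        # permit / deny
    proto: str         # ip, icmp, tcp, udp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    inactive: bool     # True when the ACE carries the ``inactive`` keyword
    text: str          # original line, for reporting


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # "A.B.C.D MASK" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one extended ACE line; return an Ace or None for non-ACE lines."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src, i = _parse_addr(tokens, 0)
    dst, i = _parse_addr(tokens, i)
    return Ace(name, action, proto, src, dst, "inactive" in tokens[i:], line.strip())


def covers(a, b):
    """True when every packet matching ACE b would already have matched ACE a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    return proto_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def analyze(config_text):
    """Return active, inactive and shadowed ACEs.

    An ACE is shadowed when an earlier *active* ACE of the same ACL covers it, so
    packet processing never reaches it. Inactive ACEs are skipped entirely and
    never shadow anything.
    """
    aces = [a for a in (parse_ace(ln) for ln in config_text.splitlines()) if a]
    report = {"active": [], "inactive": [], "shadowed": []}
    seen_active = {}  # ACL name -> active ACEs processed so far, in order
    for ace in aces:
        if ace.inactive:
            report["inactive"].append(ace.text)
            continue
        report["active"].append(ace.text)
        for earlier in seen_active.get(ace.name, []):
            if covers(earlier, ace):
                report["shadowed"].append((ace.text, earlier.text))
                break
        seen_active.setdefault(ace.name, []).append(ace)
    return report


def activate(config_text, pattern):
    """Simulate the administrator removing ``inactive`` from lines containing pattern."""
    out = []
    for line in config_text.splitlines():
        if pattern in line:
            line = re.sub(r"\s+inactive\s*$", "", line)
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    for label, cfg in (("as configured", SAMPLE_CONFIG),
                       ("first entry activated", activate(SAMPLE_CONFIG, "permit ip any any"))):
        rep = analyze(cfg)
        print(f"== {label}: {len(rep['active'])} active, {len(rep['inactive'])} inactive")
        for shadowed, by in rep["shadowed"]:
            print(f"  shadowed: {shadowed}\n        by: {by}")
```

As configured, nothing is shadowed, because the two `any any` entries are inactive and the two specific entries are the first active ones the ASA evaluates. Once the first entry is activated for an investigation, every later active entry in that ACL (the two specific permits and the constructed deny) is reported as shadowed, which is exactly the "redundant" situation the question assumed was already in effect.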