TurboACLs
TurboACLs are a new feature in PIX firewall software version 6.2. The general
principle behind TurboACLs is that a long or complex access list is compiled, or
indexed, to enable faster processing of the access list.
TurboACLs do not speed up short access lists. The PIX will not enable this
feature on an access list unless it is over 18 lines. With longer access lists, the
TurboACL feature creates an index (something like that in a book) that enables
the PIX to process the long access list more quickly.
www.syngress.com
Figure 3.5 A Port Redirection Example

Port Redirection Mappings (public address 10.1.1.1):

  Port   Private IP    Port   Proto.
  21     172.16.1.4    21     TCP
  23     172.16.1.2    23     TCP
  80     172.16.1.1    80     TCP
  8080   172.16.1.3    80     TCP

Client sessions shown in the figure:
  Client opens an ftp session with 10.1.1.1
  Client opens a telnet session with 10.1.1.1
  Client opens an http session with 10.1.1.1
  Client opens an http session on port 8080 with 10.1.1.1
Passing Traffic • Chapter 3 117
The index created by a TurboACL consumes a fair amount of resources. For
this reason, Cisco recommends that TurboACLs should not be configured on
anything lower than a 525 series firewall. To enable the TurboACL feature on all
access lists of the PIX, use the access-list compiled command, as shown:
PIX1(config)# access-list compiled
To verify that the TurboACLs are turned on, issue a show access-list command:
PIX1(config)# show access-list
access-list compiled
access-list inside_public turbo-configured; 3 elements
access-list inside_public permit ip 10.1.1.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.2.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.3.0 255.255.255.0 any (hitcnt=0)
If you choose not to enable them at a global level, TurboACLs can be turned
on and off for individual access lists. This feature can be useful if you only have a
few access lists that need to be optimized. To configure a single access list to use
the TurboACL feature, the syntax is:
access-list acl_name compiled
If a PIX has more than one access list, and only the access list applied to the outside
interface needs the TurboACL feature, turn the feature off globally and enable it only on
the outside interface's access list, as shown:
PIX1(config)# no access-list compiled
PIX1(config)# access-list outside_in compiled
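As an added example (not from the book or from Cisco), the following Python audit parses show access-list output of the kind shown above, records which lists are turbo-configured, flags lists with more than 18 entries that are not compiled, and lists entries whose hit count is still zero. The sample output is constructed, and the header format for an uncompiled list (access-list NAME; N elements) is an assumption.

```python
import re
# Constructed sample of PIX "show access-list" output (not captured from a real device).
SAMPLE_OUTPUT = """\
access-list compiled
access-list inside_public turbo-configured; 3 elements
access-list inside_public permit ip 10.1.1.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.2.0 255.255.255.0 any (hitcnt=12)
access-list inside_public permit ip 10.1.3.0 255.255.255.0 any (hitcnt=0)
access-list outside_in; 2 elements
access-list outside_in permit tcp any host 10.1.1.1 eq www (hitcnt=40)
access-list outside_in deny ip any any (hitcnt=7)
"""
TURBO_MIN_ENTRIES = 19  # the PIX only compiles an access list with more than 18 lines
# Header line; the form without "turbo-configured" for uncompiled lists is an assumption.
HEADER_RE = re.compile(r"^access-list (\S+)(?: (turbo-configured))?; (\d+) elements$")
ENTRY_RE = re.compile(r"^access-list (\S+) (permit|deny) (.+?) \(hitcnt=(\d+)\)$")

def parse_show_access_list(text):
    """Return (global_compiled, acls); acls maps name -> {"turbo", "elements", "entries"}."""
    acls, global_compiled = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "access-list compiled":
            global_compiled = True
            continue
        m = HEADER_RE.match(line)
        if m:
            name, turbo, count = m.groups()
            acls[name] = {"turbo": turbo is not None, "elements": int(count), "entries": []}
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, action, rule, hits = m.groups()
            acl = acls.setdefault(name, {"turbo": False, "elements": 0, "entries": []})
            acl["entries"].append((action, rule, int(hits)))
    return global_compiled, acls

def audit(text):
    """Flag long uncompiled lists and entries that have never matched traffic."""
    _, acls = parse_show_access_list(text)
    findings = []
    for name, acl in acls.items():
        size = acl["elements"] or len(acl["entries"])
        if size >= TURBO_MIN_ENTRIES and not acl["turbo"]:
            findings.append(f"{name}: {size} entries but not turbo-configured")
        for action, rule, hits in acl["entries"]:
            if hits == 0:
                findings.append(f"{name}: unused entry '{action} {rule}'")
    return findings
```

Zero-hit entries are reported because a rule that never matches is either dead weight in a list that TurboACL has to index or a sign that the intended traffic is not reaching the PIX.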