A question about ASA 8.3 global ACLs against interface ACLs

Answered Question
Jun 10th, 2010

Hello Cisco Experts,


I have a question about the Global ACLs feature introduced in ASA 8.3.


Which ACLs are matched first, Global ACLs or the regular interface-based ACLs?


As I understood, if both Global and interface-based ACLs exist in the policy, the firewall will try to match (incoming/outgoing) traffic against the interface-based ACLs, and if no match is found then the firewall tries to match the traffic against the Global ACLs.


Is that correct?



Thank you

Correct Answer by edadios about 7 years 1 month ago

It matches the interface ACL first, before the global ACL.


Here is the documentation for your reference:


http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_rules.html#wp1083595


"You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules."

Overall Rating: 5 (1 ratings)
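
Added example (not part of the thread or of Cisco's documentation): a small Python model of the order confirmed in the answer, interface ACL first and global ACL second, used to flag global deny entries that never take effect because an interface permit matches first. The rule tuples, addresses, probe packets and function names are constructed for illustration, and the final implicit deny is an assumption of the model.

```python
"""Model of the lookup order from the answer: interface ACL first, then global ACL."""
from ipaddress import ip_address, ip_network

# Constructed sample rules: (action, protocol, source, destination, dst_port or None)
OUTSIDE_IN = [  # hypothetical ACL bound to one interface
    ("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
]
GLOBAL = [      # hypothetical ACL applied globally
    ("deny",   "ip",  "198.51.100.0/24", "0.0.0.0/0", None),
    ("permit", "tcp", "0.0.0.0/0", "192.0.2.20/32", 25),
]

def matches(rule, pkt):
    """True when the packet falls inside the rule's protocol, networks and port."""
    _, proto, src, dst, port = rule
    return (proto in ("ip", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(src)
            and ip_address(pkt["dst"]) in ip_network(dst)
            and port in (None, pkt["dport"]))

def evaluate(pkt, interface_acl, global_acl):
    """Return (action, list_that_decided); the first matching entry wins."""
    for name, acl in (("interface", interface_acl), ("global", global_acl)):
        for rule in acl:
            if matches(rule, pkt):
                return rule[0], name
    return "deny", "implicit"  # assumption: traffic matching nothing is dropped

def shadowed_global_denies(probes, interface_acl, global_acl):
    """Probes the global list alone would deny but an interface permit lets through."""
    return [pkt for pkt in probes
            if evaluate(pkt, interface_acl, global_acl) == ("permit", "interface")
            and evaluate(pkt, [], global_acl) == ("deny", "global")]

PROBES = [  # constructed test packets
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.20", "dport": 25},
    {"proto": "tcp", "src": "203.0.113.5",  "dst": "192.0.2.20", "dport": 25},
]

if __name__ == "__main__":
    for p in PROBES:
        print(p["src"], "->", p["dst"], p["dport"], evaluate(p, OUTSIDE_IN, GLOBAL))
    print("shadowed:", shadowed_global_denies(PROBES, OUTSIDE_IN, GLOBAL))
```

The first probe shows the audit point: a source covered by the global deny still reaches 192.0.2.10:443, because the interface permit is evaluated first.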