Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Applying ACL globally

I have a question that I hope someone can clarify ... I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of it as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACL ..

interface GigabitEthernet0/1

nameif internet-outside

security-level 0

ip address X.X.X.X 255.255.255.0 standby X.X.X.X!

interface GigabitEthernet0/2

nameif internet-dmz

security-level 10

ip address 10.69.201.X 255.255.255.0 standby 10.69.201.X

interface TenGigabitEthernet0/8.129

nameif core-inside

security-level 100

ip address 10.69.129.X 255.255.255.0 standby 10.69.129.X

interface TenGigabitEthernet0/9.130

nameif VLAN130

security-level 50

ip address 10.69.130.X 255.255.255.0 standby 10.69.130.X

!

interface TenGigabitEthernet0/9.134

nameif VLAN134

security-level 50

ip address 10.69.134.X 255.255.255.0 standby 10.69.134.X

!

interface TenGigabitEthernet0/9.136

nameif VLAN136

security-level 50

ip address 10.69.136.X 255.255.255.0 standby 10.69.136.X

!

interface TenGigabitEthernet0/9.140

nameif VLAN140

security-level 50

ip address 10.69.140.X 255.255.255.0 standby 10.69.140.X

ACL

access-list wwy-legacy remark Citrix Communications

access-list wwy-legacy extended permit ip object-group All-Citrix object-group All-Citrix

access-list wwy-legacy remark Check Point Firewall MGMT

access-list wwy-legacy extended permit tcp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-tcp

access-list wwy-legacy extended permit udp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-udp

access-list wwy-legacy remark QUALYS Scanner Access

access-list wwy-legacy extended permit ip object-group qualys-scanners any

access-list wwy-legacy extended permit tcp object-group CN_HQ_NET host 10.69.130.12 eq 8080

access-list wwy-legacy remark ISX-Solorwinds

access-list wwy-legacy extended permit udp host 10.121.137.92 any object-group SNMP-mgmt-udp

access-list wwy-legacy extended permit icmp host 10.121.137.92 any

access-list wwy-legacy extended permit icmp any host 10.121.137.92

access-list wwy-legacy extended permit udp any host 10.121.137.92 object-group SNMP-mgmt-udp

access-list wwy-legacy remark citrix access to QA Leo systems

access-list wwy-legacy extended permit tcp object-group vmww-grp-2 object-group vmww-grp-1 eq www

access-list wwy-legacy remark EDI-Outbound

access-list wwy-legacy extended permit tcp host 10.69.130.68 host 198.65.112.233 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.66 host 198.65.112.233 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.68 host 38.96.217.8 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.69 host 38.96.217.8 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.68 host 184.106.46.199 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.69 host 184.106.46.199 eq ssh

access-list wwy-legacy remark Security

access-list wwy-legacy extended permit tcp object-group CP-Firewalls object-group External-ACS object-group security-svc-tcp

access-list wwy-legacy extended permit udp object-group CP-Firewalls object-group External-ACS object-group security-svc-udp

access-list wwy-legacy extended permit udp object-group Private_Addresses object-group External-ACS object-group security-svc-udp

access-list wwy-legacy extended permit tcp object-group Private_Addresses object-group External-ACS object-group security-svc-tcp

access-list wwy-legacy extended permit tcp object-group Private-Addresses object-group External-ACS object-group security-svc-tcp

access-list wwy-legacy extended permit udp object-group Private-Addresses object-group External-ACS object-group security-svc-udp

access-list wwy-legacy remark EDI

access-list wwy-legacy extended permit ip object-group Primary_EDI_Servers object-group Primary_EDI_Servers

access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals object-group Primary_EDI_Servers object-group EDI-Common_Inbound_tcp

access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals host 10.69.201.88 object-group EDI-Common_Inbound_tcp

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_tcp

access-list wwy-legacy extended permit udp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_udp

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq ssh

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 10022

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2223

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2224

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq ssh

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 10022

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2223

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2224

access-list outside-acl-01 extended deny ip any any

access-group outside-acl-01 in interface internet-outside

2 REPLIES
Super Bronze

Re: Applying ACL globally

Hi,

Beginning from 8.3(1) you should be able to use a single access-list to control traffic/connection.

It still uses the "access-group" command to "attach" the access-list as a global access-list

command format is:

access-group global

Just out of interest, are you moving to ASA from some other product or why would you want to use one global access-list? Personally I could never think of changing to global access-lists. I guess thats probably due to the fact that I have used the access-lists attached to certain interface and direction for so long.

- Jouni

New Member

Applying ACL globally

Jouni ,

            Thank you for the information which I will suggest them to add it .. Yes , this is a completed product migration from IPSO checkpoint NGXR65 to ASA5585X Version 8.4(3) ..   I believe the reasoning behind using it as global was that each of the TenGig 0/9 subinterfaces use the same ACL ... 

310
Views
0
Helpful
2
Replies
CreatePlease to create content