Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

ASA 8.3 - Interface security level/global access rules

Hi,

Verifying the operation of the ASA when configured with Global access rules.  Does the global rule overide the interface security levels?  According to the ASA order of operations, the interface specific rule get's processed first and then the global rules, but It does not say anything about interface security levels.  Observing an ASA in production that has global rules configured I see that an interface with a security level of 50 that has no rules applied to it, passing traffic to the outside interface (security level 0) drops the traffic.  Syslog shows that it hits the global access rule implicit deny.  Does the implicit permit any to any less secure interface not apply?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions

ASA 8.3 - Interface security level/global access rules

Hello Aaron,

That is correct, you will need to permit the traffic on the global rule!!

This because the global will be applied to each single interface so as an example a host on a 100 security level going to a 0 security level host will be permited to send traffic but if you placed an acl on the 100 security level and deny that connection you will not be able to make it!

Same thing happens here, you are overriding the security level benefit by the ACL.

Hope this helps.

Julio

Rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
7 REPLIES

ASA 8.3 - Interface security level/global access rules

Using Global Access Rules

Global access rules allow you to apply a global rule to ingress traffic without the need to specify an interface to which the rule must be applied. Using global access rules provides the following benefits:

When migrating to the adaptive security appliance from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.

Global access control policies are not replicated on each interface, so they save memory space.

Global access rules provides flexibility in defining a security policy. You do not need to specify which interface a packet comes in on, as long as it matches the source and destination IP addresses.

Global access rules use the same mtrie and stride tree as interface-specific access rules, so scalability and performance for global rules are the same as for interface-specific rules.

You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules.

Thanks

Ajay

New Member

ASA 8.3 - Interface security level/global access rules

Thanks for the reply, and I have already read that particular documentation but it does not directly answer the question.

ASA 8.3 - Interface security level/global access rules

Sorry for that when you say global rule or rules applied on interface level they have nothing to do with security level. Its just way you control the traffic . Consider it same way but its not applied to interface thats why called global rules.

Thanks

Ajay

New Member

ASA 8.3 - Interface security level/global access rules

I understand the operation of Global Rules.  The issue is; with global rules in place and without defining rules for a specific interface traffic does not follow the implicit permit for higher to lower interface security level.  Instead it is getting denied on the implicit deny in the Global rule.  Another example would be if you had a host in the "DMZ" with security level of 50 on that interface.  That host would not be permitted to talk to another host on lower level security interface without explicitly permitting it in an Interface ACL, or the Global ACL.  Thus, it appears that if you define Global rules, they override any interface security levels.

ASA 8.3 - Interface security level/global access rules

Hello Aaron,

That is correct, you will need to permit the traffic on the global rule!!

This because the global will be applied to each single interface so as an example a host on a 100 security level going to a 0 security level host will be permited to send traffic but if you placed an acl on the 100 security level and deny that connection you will not be able to make it!

Same thing happens here, you are overriding the security level benefit by the ACL.

Hope this helps.

Julio

Rate helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA 8.3 - Interface security level/global access rules

Great!  Thanks Julio, that's exactly what I was looking for.

Aaron

ASA 8.3 - Interface security level/global access rules

Hello Aaron,

Glad I could help!

Have a great day

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
1646
Views
0
Helpful
7
Replies
CreatePlease to create content