New Member

Order of Interface and Global ACL

Hi Everyone,

Need to confirm if the order of ACL marked in red in number 3 is true?

The Cisco ASA security appliance uses the following order to match access rules when only interface ACLs are configured:

  1. Interface access list rules
  2. Implicit deny ip any any interface access list rule

The Cisco ASA security appliance uses the following order to match access rules when both interface ACLs and the global ACL are configured:

  1. Interface access list rules
  2. Global access list rules
  3. Implicit deny ip any any global access list rules???

Regards

Mahesh
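As an added example that is not part of the original thread or any Cisco code: a small Python model of the lookup order quoted from the documentation above (interface access list rules, then global access list rules, then the implicit deny), run against a constructed sample policy. The ACE and packet fields, the `lookup` function and the `INTERFACE_ACL`/`GLOBAL_ACL` names are assumptions of the model, not ASA syntax.

```python
# Added example (not from the original post or Cisco): a model of the lookup order quoted in the question.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# An ACE: action is "permit"/"deny"; proto "ip" matches everything; src/dst are CIDRs or
# "any"; dport None means any destination port.
Ace = namedtuple("Ace", "action proto src dst dport", defaults=(None,))
Packet = namedtuple("Packet", "proto src dst dport")

def _net_match(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def ace_matches(ace, pkt):
    """An ACE matches when every field it specifies matches the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return _net_match(ace.src, pkt.src) and _net_match(ace.dst, pkt.dst)

def first_match(acl, pkt):
    """ACLs are first-match: the first matching ACE decides; None if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return None

def lookup(interface_acl, global_acl, pkt):
    """Return (verdict, origin) following the documented order: 1. interface ACL,
    2. global ACL, 3. implicit deny ip any any. The implicit deny belongs to the
    global ACL when one is configured, otherwise to the interface ACL."""
    if interface_acl is not None:
        action = first_match(interface_acl, pkt)
        if action is not None:
            return action, "interface"
    if global_acl is not None:
        action = first_match(global_acl, pkt)
        return (action, "global") if action else ("deny", "implicit deny (global)")
    if interface_acl is None:
        raise ValueError("no ACL configured: security-level default applies, not modelled")
    return "deny", "implicit deny (interface)"

# Constructed sample policy: interface ACL allows only HTTPS to the server, global ACL adds HTTP.
INTERFACE_ACL = [Ace("permit", "tcp", "any", "10.0.0.5/32", 443)]
GLOBAL_ACL = [Ace("permit", "tcp", "any", "10.0.0.5/32", 80)]
```

The `origin` value tells you which list produced the verdict, which is the quickest way to see where the implicit deny lands when a global ACL is and is not configured.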

2 ACCEPTED SOLUTIONS

Order of Interface and Global ACL

Hello Mahesh,

In this case we have 2 access-groups:

One specific (applied to an interface)

One global (applied to all of the interfaces of the ASA)

Which goes first:

The most specific (the one applied to the interface)

If there is no ACL applied to an interface then the less specific takes place (global), and that's it basically.

The implicit deny will be set on both of them.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Order of Interface and Global ACL

Hello Mahesh,

Here is the thing:

  1. If we have an ACL applied to "X" interface and there is no permit statement for that traffic, then that traffic will be denied (implicit deny at the end); the global will never be checked.
  2. If we don't have any ACL applied to "X" interface and we have a global ACL, then we will check that; if there is a permit statement that matches the traffic we are good, otherwise the implicit deny drops it again.

Let me know if you got it,

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
4 REPLIES

New Member

Order of Interface and Global ACL

Hi Julio,

So does this mean that if a Global ACL is applied to the ASA then the order will be

1> interface ACL

2> Global ACL

Now if we have no match there, we know by default it is implicit deny ip any any.

So this implicit will be global or interface ACL?

Regards

Mahesh

New Member

Order of Interface and Global ACL

Hi Julio,

Got it now.

Best regards

Mahesh
