Most of my interface-specific ACLs are the same, with only the last few lines being different from interface to interface. However, I still have to create a mostly duplicate ACL for each interface.
I know there is the global access rule, which is applied as an ingress rule on all interfaces. I thought about using the global access rules to permit traffic that every computer would need regardless of which interface it is connected to (e.g. DNS, AD, NTP, SMTP, RDP, etc.), and using the interface-specific rules to permit "special" traffic on each interface (e.g. computers connected to the HR interface get access to the HR DB server).
One problem I see with this setup is that interface-specific rules are checked before the global rules, but there are a LOT more "hits" on the rules that are common to each interface (and those are the rules I want to move into the global rules section).
Wouldn't this setup create a performance problem?
Is there a different way to share ACLs on multiple interfaces on the ASA (so I don't have to create a duplicate ACL for each interface)?
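As an added illustration (not part of the original post), this is what the layout described in the question looks like in ASA configuration on 8.3 or later: the common rules go in one ACL applied with `access-group ... global`, and each interface keeps only its own "special" rules. All object-group names, ACL names, interface names and addresses below are assumptions.

```cisco
! Added example, not from the original thread. Names and addresses are assumed.
! --- shared infrastructure objects ---
object-group network INFRA_DNS
 network-object host 10.0.0.53
object-group network INFRA_AD
 network-object host 10.0.0.10
 network-object host 10.0.0.11
object-group network INFRA_MAIL
 network-object host 10.0.0.25
object-group network ADMIN_JUMPHOSTS
 network-object host 10.0.0.100
object-group service AD_TCP_PORTS tcp
 port-object eq 88
 port-object eq 389
 port-object eq 445
 port-object eq 636

! --- rules every segment needs, written once and applied globally ---
access-list GLOBAL_IN extended permit udp any object-group INFRA_DNS eq domain
access-list GLOBAL_IN extended permit tcp any object-group INFRA_DNS eq domain
access-list GLOBAL_IN extended permit tcp any object-group INFRA_AD object-group AD_TCP_PORTS
access-list GLOBAL_IN extended permit udp any object-group INFRA_AD eq ntp
access-list GLOBAL_IN extended permit tcp any object-group INFRA_MAIL eq smtp
access-list GLOBAL_IN extended permit tcp any object-group ADMIN_JUMPHOSTS eq 3389
! global ACLs are ingress-only; the implicit deny now sits at the end of this list
access-group GLOBAL_IN global

! --- interface-specific rules: only what is unique to that segment ---
object-group network HR_NET
 network-object 10.10.0.0 255.255.255.0
object-group network HR_DB
 network-object host 10.20.0.5
access-list HR_IN extended permit tcp object-group HR_NET object-group HR_DB eq 1433
! NOTE: no explicit "deny ip any any" here. With a global ACL configured, traffic
! that matches nothing in the interface ACL falls through to GLOBAL_IN; an explicit
! deny at the end of HR_IN would block the shared rules from ever being reached.
access-group HR_IN in interface HR

object-group network FINANCE_NET
 network-object 10.11.0.0 255.255.255.0
object-group network FINANCE_APP
 network-object host 10.20.0.6
access-list FINANCE_IN extended permit tcp object-group FINANCE_NET object-group FINANCE_APP eq https
access-group FINANCE_IN in interface FINANCE
```

The one behavioural change to watch for when moving to this layout is the implicit deny: it moves from the end of each interface ACL to the end of the global ACL, so any existing interface ACL that ends with an explicit `deny ip any any` (for hit counting or logging) has to lose that line, or the global rules will never be evaluated for that interface.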
Unfortunately, there is no way to change this behavior. This is by design, since interface-specific ACLs need to take precedence over the global rules. However, I don't think you will notice any performance difference, especially if your interface ACL is not very complex. ACLs are not processed linearly, so although I have not tested this case, the performance difference between putting everything in an interface ACL versus sharing rules across a global ACL and also checking a few interface rules should be negligible.
To add to mrober2's suggestion, unless the ACLs are absurdly long (more than 10K rules, and more depending on the ASA model), there is no performance impact due to ACL evaluation. Note that packets that already belong to an existing connection are not checked against ACLs, the way it happens on routers.
My ASA configuration, if put into a txt file, is 150 kBytes in size. Each interface has about 75 rules with nested object groups for both networks and ports.
I am concerned about the performance of the implementation of the global access list, because much of the interface-specific ACL contains rules that would get hit once a day, and some would get hit once a month. At the same time, virtually all rules in the global ACL, which gets checked after the interface-specific ACL, are getting hit much more frequently. I just checked: within the past 5 minutes, the global rule that permits DNS traffic got hit 12820 times.
But for the ASA to get to the DNS rule in the global ACL, it wasted lots of CPU cycles in the interface-specific ACL. I guess it would be better to have another global ACL that is processed before the interface-specific ACLs, or to give admins the ability to customize how the existing global ACL is processed.