Cisco ASA: Assign same rule sets to multiple interfaces

JPavonM (VIP)

Hi guys,

We want to connect two physical interfaces from the ASA to each Nexus core, so is there any possibility to assign the same rule set to both interfaces simultaneously (a kind of zone aggregation)?

Regards.

Jesus

3 Replies

Hi,

What ASA code is your ASA appliance running? From ASA code 8.3 you can have global access rules.

Global access rules, 8.3(1): Global access rules were introduced. The following command was modified: access-group.

Interface access rules are bound to an interface at the time of their creation. Without binding them to an interface, you cannot create them. This differs from the command line example. With the CLI, you first create the access list with the access-list command, and then bind this access list to an interface with the access-group command. In ASDM 6.3 and later, the access list is created and bound to an interface as a single task. This applies to the traffic flowing through that specific interface only.

Global access rules are not bound to any interface. They can be configured through the ACL Manager tab in the ASDM and are applied to the global ingress traffic. They are implemented when there is a match based on the source, the destination, and the protocol type. These rules are not replicated on each interface, so they save memory space.

When both of these rule types are implemented, interface access rules normally take precedence over the global access rules.

 

HTH

Sandy

Hi Sandy and thank you for the information,

I have in mind applying an access-group statement on the two interfaces, inside1 and inside2, with the same access list, but I think global access rules can be just as good, as they only apply to source and destination without caring about the incoming interface.

I will update the post with the result in short.

Jesus

Nikolay Pestov (Level 1)

Hello,

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/acl_extended.html

Information About Extended Access Lists

Access lists are used to control network access or to specify traffic for many features to act upon. An extended access list is made up of one or more access control entries (ACEs) in which you can specify the line number at which to insert the ACE, the source and destination addresses, and, depending upon the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). You can identify all of these parameters within the access-list command, or you can use object groups for each parameter. This section describes how to identify the parameters within the command. To simplify access lists with object groups, see Chapter 16, "Configuring Object Groups."

For TCP and UDP connections for both routed and transparent mode, you do not need an access list to allow returning traffic because the security appliance allows all returning traffic for established bidirectional connections. For connectionless protocols such as ICMP, however, the security appliance establishes unidirectional sessions, so you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections.

You can apply only one access list of each type (extended and EtherType) to each direction of an interface. You can apply the same access lists on multiple interfaces.
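The two approaches discussed in this thread side by side, as an added configuration example (not from any of the posters or from Cisco's documentation): one extended ACL bound to both inside interfaces with access-group, and the 8.3(1)+ global ACL alternative. Interface names, networks and ports are assumed placeholders.

```cisco
! Added example: same rule set on inside1 and inside2 (ASA 8.3 or later syntax).
! Networks, hosts and interface names are assumed placeholders.
!
! --- Option 1: one extended ACL, bound separately to each interface ---
! The ACL is defined once; each access-group line binds it to one interface,
! so both Nexus-facing interfaces evaluate identical rules on ingress.
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.0.0 any eq 443
access-list INSIDE-IN extended permit udp 10.10.0.0 255.255.0.0 host 10.1.1.53 eq domain
access-list INSIDE-IN extended deny ip any any log
!
access-group INSIDE-IN in interface inside1
access-group INSIDE-IN in interface inside2
!
! --- Option 2: a global ACL (available from 8.3(1)), not bound to any interface ---
! Evaluated for ingress traffic on every interface, so the source network must be
! scoped explicitly; "any any" here would also match traffic arriving on outside.
access-list GLOBAL-IN extended permit tcp 10.10.0.0 255.255.0.0 any eq 443
access-list GLOBAL-IN extended permit udp 10.10.0.0 255.255.0.0 host 10.1.1.53 eq domain
access-list GLOBAL-IN extended deny ip any any log
!
access-group GLOBAL-IN global
!
! Evaluation order on ingress when both exist (matches Sandy's note above):
! interface ACL first, then the global ACL, then the implicit deny.
```

To confirm which ACL and ACE a flow actually hits, `show access-list INSIDE-IN` shows per-ACE hit counts, and `packet-tracer input inside1 tcp 10.10.1.5 12345 192.0.2.10 443` walks a constructed flow through the ACL and NAT phases for that interface.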
