Cisco ASA ACL

BHconsultants88 — Tue, 12 Mar 2019 08:47:42 GMT

Hi guys, hope someone can help.

I have an ASA with multiple interface and I wish to add an ACL that will block every interface of accessing an IP address. Is it possible to do this as one command or would I need to add an ACL for each interface?

This is what I have currently:

access-list InsideABC_access_in deny tcp any 195.14.48.12 255.255.255.255
access-list Micro_Fingers_access_in deny tcp any 195.14.48.12 255.255.255.255
access-list Hardware_Co deny tcp any 195.14.48.12 255.255.255.255
access-list DMZ_LAN_access_in deny tcp any 195.14.48.12 255.255.255.255
access-list DigiSign_access_in deny tcp any 195.14.48.12 255.255.255.255

Would I able to combine this into one line instead of specifying each interface?

Well you can always use

Pranay Prasoon — Wed, 18 Jan 2017 09:29:35 GMT

Well you can always use global ACL. However, it is not a best practice and you will need to configure carefully.

Global access list applies logically to the entire firewall in inbound direction to all interface.
If there are existing interface access lists, those will be considered first and instead of having implicit deny any any at the end of interface ALCs, the Global access list is processed and in case of non-matching rule, the implicit deny any any is used at the end of Global access list.

To create global access list using asdm open access rule, add access rule, and for interface choose -Any-

To create global access list using CLI:

#access-list GLOBAL extended permit tcp any any
#access-group GLOBAL global

ACL overrides initial traffic flow policies based on security level: 100- the most trusted and 0 – not trusted.
By default traffic from higher to lower sec level is allowed but not from lower to higher. For this type of traffic we need ACL.
Global access list are not replicated on each interface so they save memory space.

topic Cisco ASA ACL in Network Security

Cisco ASA ACL

Well you can always use