https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985041#M147808 <P>Hi,</P> <P></P> <P>When you apply the global ACL, the implicit deny that you had on any other ACL will be moving to be at the end of the global ACL. But, any explicit deny will not be moved, it will remain on the other ACLs. Also, the order of matching will still start from the top of the other ACL applied, in your example, the check order will start on ACL outside_in from the top, as usual, if not match&nbsp;is found on outside_in ACL, then it will start checking from the top on the global ACL, if no match is found the implicit deny on the global ACL will be applied and the traffic will be dropped. The easiest way to think about the global ACL is that it will be appended to any other ACL applied on an interface. In your case, it has been appended to the ACL outside_in, like if the ACL outside_in has extended its lines. Also please remember that global ACL is applied in inbound direction.</P> <P></P> <P>Regards,</P> <P>Aref</P> Fri, 13 Jan 2017 00:13:00 GMT Aref Alsouqi 2017-01-13T00:13:00Z https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985039#M147806 <P>Hi<BR /> <BR /> I was studying about global acl and created a small lab 3 routers , one asa,<BR /> <BR /> &nbsp;&nbsp;&nbsp;&nbsp;R2(DMZ)<BR /> &nbsp;&nbsp;^<BR /> (INSIDE)R3&gt;ASA&gt;R1 (OUTSIDE)<BR /> <BR /> Its from INE security video - 80<BR /> <BR /> have only 2 access-groups as of now outside_in and one global acl global_in<BR /> <BR /> documentation says once we have a global acl, the effect of interface specific ACL's explicity deny ip any goes. and global acl takes precendence. however i tested on gns3. it is still taking outside interface acl and not taking global acl for something i am not allowing through both acls.<BR /> <BR /> an output from logging is<BR /> <BR /> %ASA-4-106023: Deny tcp src outside:136.1.49.1/38389 dst dmz:136.1.59.2/23 by access-group "outside_in" [0x0, 0x0]<BR /> %ASA-4-106023: Deny tcp src outside:136.1.49.1/38389 dst dmz:136.1.59.2/23 by access-group "outside_in" [0x0, 0x0]<BR /> <BR /> however i was expecting the access-group should be global.<BR /> <BR /> Assistance appreciated. Thanks</P> Tue, 12 Mar 2019 08:46:09 GMT https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985039#M147806 himanshujain2009 2019-03-12T08:46:09Z https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985040#M147807 <P>Please post show run access-l outside_in , show run access-l global_in, show run access-g</P> <P></P> <P>Also, please check packet-trace to see where is the traffic getting dropped exactly.</P> Thu, 12 Jan 2017 06:12:44 GMT https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985040#M147807 Mohammed al Baqari 2017-01-12T06:12:44Z https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985041#M147808 <P>Hi,</P> <P></P> <P>When you apply the global ACL, the implicit deny that you had on any other ACL will be moving to be at the end of the global ACL. But, any explicit deny will not be moved, it will remain on the other ACLs. Also, the order of matching will still start from the top of the other ACL applied, in your example, the check order will start on ACL outside_in from the top, as usual, if not match&nbsp;is found on outside_in ACL, then it will start checking from the top on the global ACL, if no match is found the implicit deny on the global ACL will be applied and the traffic will be dropped. The easiest way to think about the global ACL is that it will be appended to any other ACL applied on an interface. In your case, it has been appended to the ACL outside_in, like if the ACL outside_in has extended its lines. Also please remember that global ACL is applied in inbound direction.</P> <P></P> <P>Regards,</P> <P>Aref</P> Fri, 13 Jan 2017 00:13:00 GMT https://community.cisco.com/t5/network-security/global-acl-query-does-not-work-as-documented/m-p/2985041#M147808 Aref Alsouqi 2017-01-13T00:13:00Z