topic Thanks Vibhor,As its easier in Network Security

Global ACL vs Interface ACL

ROHIT SHARMA — Tue, 12 Mar 2019 05:54:14 GMT

Hello Everyone,

With the introduction of Global ACL in 8.3 ASA, its like Checkpoint FW now to configure rules.

I have a doubt regarding this.

Is there any disadvantage if i use only global acl in ASA? Functionally it should work fine but not sure about other aspects.

Please advise.

Can anyone help me here?

ROHIT SHARMA — Fri, 08 May 2015 12:53:45 GMT

Can anyone help me here?

Hi,Global ACL is something

Vibhor Amrodia — Fri, 08 May 2015 13:01:42 GMT

Hi,

Global ACL is something which can be used as a rule which might be used to Allow Or Deny traffic if it is not evaluated by the Interface ACL.

I don't see any disadvantage in using this ACL type as it depends on the setup and your requirement.

Most important thing you should note is , it will always be evaluated after the interface ACL.

Also , it centralizes the ACE and is easier to maintain.

Also , check this for some more important usage guidelines:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/access_rules.html#wp1120198

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor,As its easier

ROHIT SHARMA — Fri, 08 May 2015 13:05:41 GMT

Thanks Vibhor,

As its easier to work with global acl. do you think interface ACLs may soon be out of use now?

Hi,I don't think so. As i

Vibhor Amrodia — Fri, 08 May 2015 13:18:09 GMT

Hi,

I don't think so. As i pointed out , it depends on the deployment type and requirement and a lot of other factors. The global ACL if very big due to the amount rules can become difficult to manage in large deployments and would be beneficial to separate as per the interfaces.

NAT would also be a big factor in selecting the type of ACL rules.

Also , the priority is also higher than Global ACL.

The Global can only allow/deny inbound traffic. There are some requirements where the outbound traffic needs to be blocked so the interface ACL use is always required.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

k.kroeger — Fri, 15 Jan 2016 13:25:22 GMT

Hi Vibhor,

you mentiond that global access rules are applied to traffic that is not avaluated by an interface ACL. What is about ingress traffic, comming through a VPN site to site Tunnel?

Is this Traffic avaluated by a global access Rule?

regards

kay

Global ACL is evaluated only

ROHIT SHARMA — Sat, 16 Jan 2016 06:29:45 GMT

Global ACL is evaluated only if there is no matching rule found in Interface ACL. Gloabl ACL is always ingress and traffic coming through a VPN site-site tunnel is not subjected to any ACL.

I hope it helps

rohit

Re: Global ACL vs Interface ACL

khanzaidsalim — Wed, 09 Aug 2023 10:37:00 GMT

The inbound and outbound described here are in terms of the interface. Let's say for example there's an interface gi0/4 named CAT on my ASA FW. The global ACL will only be applicable to the traffic entering through it. So all traffic coming from "CATS" will be checked by this ACL and NOT traffic going to them.
Please correct me if I am mistaken here.