https://community.cisco.com/t5/network-security/asa-behavior-access-lists/m-p/2554865#M236834 <P>If you use the global access list only, you would need to configure rules in both directions:</P><P>access-list test extended permit ip host 1.1.1.2 host 2.2.2.1<BR />access-list test extended permit ip host 2.2.2.1 host 1.1.1.2</P><P>access-group test global</P><P>So yes, the security levels will be disabled.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Sat, 05 Jul 2014 08:59:53 GMT Marius Gunnerud 2014-07-05T08:59:53Z https://community.cisco.com/t5/network-security/asa-behavior-access-lists/m-p/2554864#M236833 <P>Hi All,</P><P>&nbsp;</P><P>From What I have learnt regarding access lists, if there is a global access list, it will be checked after checking the interface access list and the "deny ip any any" will be at the end of global access list instead of at the interface.</P><P>&nbsp;</P><P>Question</P><P>When we have Global access list, the implicit rule that permits all IP traffic from high security level(say 100) to low security level(say 0) will be disabled?</P><P>&nbsp;</P><P>Kindly advise</P><P>&nbsp;</P><P>Thanks &amp; Regards</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 12 Mar 2019 04:25:36 GMT https://community.cisco.com/t5/network-security/asa-behavior-access-lists/m-p/2554864#M236833 rakeshvelagala 2019-03-12T04:25:36Z https://community.cisco.com/t5/network-security/asa-behavior-access-lists/m-p/2554865#M236834 <P>If you use the global access list only, you would need to configure rules in both directions:</P><P>access-list test extended permit ip host 1.1.1.2 host 2.2.2.1<BR />access-list test extended permit ip host 2.2.2.1 host 1.1.1.2</P><P>access-group test global</P><P>So yes, the security levels will be disabled.</P><P>--</P><P>Please remember to select a correct answer and rate helpful posts</P> Sat, 05 Jul 2014 08:59:53 GMT https://community.cisco.com/t5/network-security/asa-behavior-access-lists/m-p/2554865#M236834 Marius Gunnerud 2014-07-05T08:59:53Z