https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193791#M360761 <HTML><HEAD></HEAD><BODY><P>Ok, I've created said "global" access-list, but how do you apply it globally?</P></BODY></HTML> Fri, 08 Mar 2013 00:51:29 GMT Nathan Hawkins 2013-03-08T00:51:29Z https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193789#M360756 <P>Is there a simple way to add an explicit Deny Any Any rule (with logging enabled) globally applied to all interfaces (with the assumption it goes to the bottom of the Access-List)?</P> Tue, 12 Mar 2019 01:10:07 GMT https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193789#M360756 Nathan Hawkins 2019-03-12T01:10:07Z https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193790#M360759 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ASA has the possibility from 8.3 software level onwards to use "global" ACL that is attached globally for every interfaces ingress direction.</P><P></P><P>According to Cisco documentation any interface ACL will override the "global" ACL. So I would imagine that you would have to have interface ACL for the ingress direction of each interface and then a "global" ACL with only "deny ip any any" or "deny ip any any log" to which every connection that didnt match interface ACL would "drop" to.</P><P></P><P>Personally I have never started using "global" ACL. I simply like the interface based ACLs and I have no reason to change. Therefore I would personally use a separate "deny ip any any" at the bottom of every interface ACL. When you add it for the first time it naturally goes to the bottom of each ACL. Adding more rules to the ACL later would require you to add them in between with "line" number parameter.</P><P></P><P>Maybe I'll do a simple test for this on my home ASA soon to confirm that the operation is as mentioned above.</P><P></P><P>Heres a quote from Cisco ASA Command Reference</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"><P><STRONG>Usage Guidelines for Global Rules</STRONG></P><P>The access-group global command applies a single set of global rules on all traffic, no matter which</P><P>interface the traffic arrives at the ASA.</P><P>Global rules for the access-group global command support extended access lists only.</P><P>All global rules apply only to traffic in the ingress (input) direction. Global rules do not support egress</P><P>(output) traffic.</P><P>Global rules for access-group global do not support the control-plane nor the per-user-override</P><P>options that are supported in interface-specific access rules.</P><P>If global rules are configured in conjunction with interface access rules, then the interface access rule,</P><P>which is specific, is processed before the global access rule, which is general.</P></PRE><P></P><P>- Jouni</P></BODY></HTML> Tue, 05 Mar 2013 15:19:10 GMT https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193790#M360759 Jouni Forss 2013-03-05T15:19:10Z https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193791#M360761 <HTML><HEAD></HEAD><BODY><P>Ok, I've created said "global" access-list, but how do you apply it globally?</P></BODY></HTML> Fri, 08 Mar 2013 00:51:29 GMT https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193791#M360761 Nathan Hawkins 2013-03-08T00:51:29Z https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193792#M360762 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You use a "access-group" configuration like with the interface ACL</P><P></P><P><STRONG>"access-group <ACL name=""> global"</ACL></STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Fri, 08 Mar 2013 07:25:59 GMT https://community.cisco.com/t5/network-security/adding-global-deny-any-rule-with-logging/m-p/2193792#M360762 Jouni Forss 2013-03-08T07:25:59Z