Applying ACL globally

cevallosw — Mon, 11 Mar 2019 22:55:27 GMT

I have a question that I hope someone can clarify ... I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of it as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACL ..

interface GigabitEthernet0/1

nameif internet-outside

security-level 0

ip address X.X.X.X 255.255.255.0 standby X.X.X.X!

interface GigabitEthernet0/2

nameif internet-dmz

security-level 10

ip address 10.69.201.X 255.255.255.0 standby 10.69.201.X

interface TenGigabitEthernet0/8.129

nameif core-inside

security-level 100

ip address 10.69.129.X 255.255.255.0 standby 10.69.129.X

interface TenGigabitEthernet0/9.130

nameif VLAN130

security-level 50

ip address 10.69.130.X 255.255.255.0 standby 10.69.130.X

interface TenGigabitEthernet0/9.134

nameif VLAN134

security-level 50

ip address 10.69.134.X 255.255.255.0 standby 10.69.134.X

interface TenGigabitEthernet0/9.136

nameif VLAN136

security-level 50

ip address 10.69.136.X 255.255.255.0 standby 10.69.136.X

interface TenGigabitEthernet0/9.140

nameif VLAN140

security-level 50

ip address 10.69.140.X 255.255.255.0 standby 10.69.140.X

ACL

access-list wwy-legacy remark Citrix Communications

access-list wwy-legacy extended permit ip object-group All-Citrix object-group All-Citrix

access-list wwy-legacy remark Check Point Firewall MGMT

access-list wwy-legacy extended permit tcp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-tcp

access-list wwy-legacy extended permit udp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-udp

access-list wwy-legacy remark QUALYS Scanner Access

access-list wwy-legacy extended permit ip object-group qualys-scanners any

access-list wwy-legacy extended permit tcp object-group CN_HQ_NET host 10.69.130.12 eq 8080

access-list wwy-legacy remark ISX-Solorwinds

access-list wwy-legacy extended permit udp host 10.121.137.92 any object-group SNMP-mgmt-udp

access-list wwy-legacy extended permit icmp host 10.121.137.92 any

access-list wwy-legacy extended permit icmp any host 10.121.137.92

access-list wwy-legacy extended permit udp any host 10.121.137.92 object-group SNMP-mgmt-udp

access-list wwy-legacy remark citrix access to QA Leo systems

access-list wwy-legacy extended permit tcp object-group vmww-grp-2 object-group vmww-grp-1 eq www

access-list wwy-legacy remark EDI-Outbound

access-list wwy-legacy extended permit tcp host 10.69.130.68 host 198.65.112.233 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.66 host 198.65.112.233 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.68 host 38.96.217.8 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.69 host 38.96.217.8 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.68 host 184.106.46.199 eq ssh

access-list wwy-legacy extended permit tcp host 10.69.130.69 host 184.106.46.199 eq ssh

access-list wwy-legacy remark Security

access-list wwy-legacy extended permit tcp object-group CP-Firewalls object-group External-ACS object-group security-svc-tcp

access-list wwy-legacy extended permit udp object-group CP-Firewalls object-group External-ACS object-group security-svc-udp

access-list wwy-legacy extended permit udp object-group Private_Addresses object-group External-ACS object-group security-svc-udp

access-list wwy-legacy extended permit tcp object-group Private_Addresses object-group External-ACS object-group security-svc-tcp

access-list wwy-legacy extended permit tcp object-group Private-Addresses object-group External-ACS object-group security-svc-tcp

access-list wwy-legacy extended permit udp object-group Private-Addresses object-group External-ACS object-group security-svc-udp

access-list wwy-legacy remark EDI

access-list wwy-legacy extended permit ip object-group Primary_EDI_Servers object-group Primary_EDI_Servers

access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals object-group Primary_EDI_Servers object-group EDI-Common_Inbound_tcp

access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals host 10.69.201.88 object-group EDI-Common_Inbound_tcp

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_tcp

access-list wwy-legacy extended permit udp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_udp

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq ssh

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 10022

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2223

access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2224

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq ssh

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 10022

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2223

access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2224

access-list outside-acl-01 extended deny ip any any

access-group outside-acl-01 in interface internet-outside

Re: Applying ACL globally

Jouni Forss — Wed, 18 Apr 2012 16:00:58 GMT

Hi,

Beginning from 8.3(1) you should be able to use a single access-list to control traffic/connection.

It still uses the "access-group" command to "attach" the access-list as a global access-list

command format is:

access-group global

Just out of interest, are you moving to ASA from some other product or why would you want to use one global access-list? Personally I could never think of changing to global access-lists. I guess thats probably due to the fact that I have used the access-lists attached to certain interface and direction for so long.

- Jouni

Applying ACL globally

cevallosw — Wed, 18 Apr 2012 17:53:23 GMT

Jouni ,

Thank you for the information which I will suggest them to add it .. Yes , this is a completed product migration from IPSO checkpoint NGXR65 to ASA5585X Version 8.4(3) .. I believe the reasoning behind using it as global was that each of the TenGig 0/9 subinterfaces use the same ACL ...

topic Applying ACL globally in Network Security

Applying ACL globally

Re: Applying ACL globally

Applying ACL globally