Global ACL query, does not work as documented

Hi

I was studying global ACLs and created a small lab: 3 routers, one ASA,

    R2(DMZ)
  ^
(INSIDE)R3>ASA>R1 (OUTSIDE)

It's from INE security video - 80.

I have only 2 access-groups as of now: outside_in and one global ACL, global_in.

The documentation says that once we have a global ACL, the effect of the interface-specific ACLs' explicit deny ip any goes away and the global ACL takes precedence. However, I tested on GNS3 and it is still taking the outside interface ACL and not the global ACL for something I am not allowing through either ACL.

The output from logging is:

%ASA-4-106023: Deny tcp src outside:136.1.49.1/38389 dst dmz:136.1.59.2/23 by access-group "outside_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:136.1.49.1/38389 dst dmz:136.1.59.2/23 by access-group "outside_in" [0x0, 0x0]

However, I was expecting the access-group to be the global one.

Assistance appreciated. Thanks

2 Replies

Please post show run access-l outside_in, show run access-l global_in, and show run access-g.

Also, please check packet-tracer to see where exactly the traffic is getting dropped.

Hi,

When you apply the global ACL, the implicit deny that you had on any other ACL moves to the end of the global ACL. But any explicit deny will not be moved; it will remain on the other ACLs.

Also, the order of matching will still start from the top of the other ACL applied. In your example, the check order will start on ACL outside_in from the top, as usual; if no match is found on the outside_in ACL, then it will start checking from the top of the global ACL; if no match is found there either, the implicit deny on the global ACL will be applied and the traffic will be dropped.

The easiest way to think about the global ACL is that it is appended to any other ACL applied on an interface. In your case, it has been appended to the ACL outside_in, as if the ACL outside_in had its lines extended. Also please remember that the global ACL is applied in the inbound direction.

Regards,

Aref
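The lookup order described in the reply above, as an added worked example (not code from the thread, from Cisco, or from the poster's lab): a small Python model of how an inbound packet is checked against the interface ACL first, then the global ACL, then the implicit deny. The ACE contents, the hypothetical helpers (`build_acls`, `telnet_to_dmz`), and the rule that the implicit deny is logged against the last ACL consulted are assumptions made for the example, since the actual access-lists were never posted. It reproduces the posted 106023 line when outside_in ends in an explicit `deny ip any any`, and shows the verdict moving to global_in once that line is gone.

```python
"""Model of how an ASA evaluates an inbound packet against an interface ACL
and a global ACL, following the lookup order described in the reply above.

Added illustration, not Cisco code and not the poster's lab config: the ACE
contents, the interface names and the "implicit deny is attributed to the
last ACL consulted" rule are assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry, e.g. 'permit tcp any host 136.1.59.2 eq 23'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str                     # "any" or an IPv4 prefix such as "136.1.49.0/24"
    dst: str                     # "any" or an IPv4 prefix; a host is a /32
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src_ip: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        for want, have in ((self.src, src_ip), (self.dst, dst_ip)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return self.dport is None or self.dport == dport


Verdict = Tuple[str, str]  # (action, name of the ACL that produced it)


def evaluate(acls: Dict[str, List[Ace]], access_groups: Dict[str, str],
             global_acl: Optional[str], ingress_if: str, proto: str,
             src_ip: str, dst_ip: str, dport: Optional[int] = None) -> Verdict:
    """Lookup order: the ingress interface's ACL top to bottom, then the global ACL
    top to bottom, then the implicit deny at the end of whichever ACL came last."""
    order = []
    if ingress_if in access_groups:          # 'access-group <name> in interface <ingress_if>'
        order.append(access_groups[ingress_if])
    if global_acl is not None:               # 'access-group <name> global'
        order.append(global_acl)
    if not order:
        raise ValueError("no ACL applies; security-level defaults are not modelled")
    for name in order:
        for ace in acls[name]:
            if ace.matches(proto, src_ip, dst_ip, dport):
                return ace.action, name      # first match wins; later ACLs are never read
    return "deny", order[-1]                 # implicit deny, attributed to the last ACL consulted


def syslog_106023(verdict: Verdict, proto: str, ingress_if: str, src_ip: str, sport: int,
                  egress_if: str, dst_ip: str, dport: int) -> Optional[str]:
    """Render a deny in the %ASA-4-106023 shape quoted in the original post."""
    action, acl_name = verdict
    if action != "deny":
        return None
    return (f"%ASA-4-106023: Deny {proto} src {ingress_if}:{src_ip}/{sport} "
            f"dst {egress_if}:{dst_ip}/{dport} by access-group \"{acl_name}\" [0x0, 0x0]")


# Constructed lab config mirroring the thread's topology: outside_in bound inbound on
# 'outside', global_in applied globally. The real ACEs were not posted, so these are assumed.
ACCESS_GROUPS = {"outside": "outside_in"}
GLOBAL_ACL = "global_in"


def build_acls(explicit_deny_in_outside_in: bool, global_permits_telnet: bool) -> Dict[str, List[Ace]]:
    outside_in = [Ace("permit", "tcp", "any", "136.1.59.2/32", 80)]
    if explicit_deny_in_outside_in:
        outside_in.append(Ace("deny", "ip", "any", "any"))   # explicit deny: global_in is never reached
    global_in = [Ace("permit", "icmp", "any", "any")]
    if global_permits_telnet:
        global_in.append(Ace("permit", "tcp", "any", "136.1.59.2/32", 23))
    return {"outside_in": outside_in, "global_in": global_in}


def telnet_to_dmz(acls: Dict[str, List[Ace]]) -> Verdict:
    """The flow from the post: tcp 136.1.49.1 -> 136.1.59.2/23 entering on 'outside'."""
    return evaluate(acls, ACCESS_GROUPS, GLOBAL_ACL, "outside", "tcp", "136.1.49.1", "136.1.59.2", 23)


if __name__ == "__main__":
    for label, acls in (("explicit deny in outside_in", build_acls(True, True)),
                        ("no explicit deny, global has no permit", build_acls(False, False)),
                        ("no explicit deny, global permits telnet", build_acls(False, True))):
        verdict = telnet_to_dmz(acls)
        print(f"{label}: {verdict}")
        line = syslog_106023(verdict, "tcp", "outside", "136.1.49.1", 38389, "dmz", "136.1.59.2", 23)
        if line:
            print("  ", line)
```

The practical check this suggests: if `show run access-list outside_in` ends in an explicit `deny ip any any`, that line is matched before the global ACL is ever consulted, which is exactly what the posted log attributes to "outside_in". Remove that line (the implicit deny has already moved to the end of global_in) and the same flow is denied, or permitted, by global_in instead. `packet-tracer` on the ASA will show the same phase-by-phase result against the real configuration.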
