3121 Views, 5 Helpful, 3 Replies

Adding Global Deny Any Rule With Logging

Nathan Hawkins
Level 1

Is there a simple way to add an explicit Deny Any Any rule (with logging enabled) globally applied to all interfaces (with the assumption it goes to the bottom of the Access-List)?

Accepted Solution

Hi,

You use an "access-group" configuration like with the interface ACL

"access-group global"

- Jouni

3 Replies

Jouni Forss
VIP Alumni

Hi,

ASA has the possibility from the 8.3 software level onwards to use a "global" ACL that is attached globally to every interface's ingress direction.

According to Cisco documentation any interface ACL will override the "global" ACL. So I would imagine that you would have to have an interface ACL for the ingress direction of each interface and then a "global" ACL with only "deny ip any any" or "deny ip any any log" to which every connection that didn't match the interface ACL would "drop" to.

Personally I have never started using the "global" ACL. I simply like the interface based ACLs and I have no reason to change. Therefore I would personally use a separate "deny ip any any" at the bottom of every interface ACL. When you add it for the first time it naturally goes to the bottom of each ACL. Adding more rules to the ACL later would require you to add them in between with the "line" number parameter.

Maybe I'll do a simple test for this on my home ASA soon to confirm that the operation is as mentioned above.

Here's a quote from the Cisco ASA Command Reference:

Usage Guidelines for Global Rules

The access-group global command applies a single set of global rules on all traffic, no matter which interface the traffic arrives at the ASA.

Global rules for the access-group global command support extended access lists only.

All global rules apply only to traffic in the ingress (input) direction. Global rules do not support egress (output) traffic.

Global rules for access-group global do not support the control-plane nor the per-user-override options that are supported in interface-specific access rules.

If global rules are configured in conjunction with interface access rules, then the interface access rule, which is specific, is processed before the global access rule, which is general.

- Jouni
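The two approaches described in the reply above, written out as an added ASA configuration example (this is not configuration from the thread or from Cisco; the ACL names, interface names and addresses are constructed for illustration):

```text
! Added example, not from the original thread. ACL names (OUTSIDE_IN, INSIDE_IN,
! GLOBAL_DENY), interface names and addresses are assumed/constructed values.

! --- Approach 1: explicit logged deny at the bottom of each interface ACL ---
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Later additions must be inserted ABOVE the deny with the "line" keyword;
! an ACE appended after "deny ip any any" is never evaluated.
access-list OUTSIDE_IN line 2 extended permit tcp any host 203.0.113.10 eq 80

! --- Approach 2: one global ACL (ASA 8.3+), ingress only ---
! The interface ACL is evaluated first; traffic it does not match falls
! through to the global ACL. For this to work the interface ACLs must NOT
! end in their own explicit "deny ip any any", or the global ACL is never
! reached.
access-list GLOBAL_DENY extended deny ip any any log
access-group GLOBAL_DENY global

! Verification: hit counts show which deny line is actually matching
show access-list OUTSIDE_IN
show access-list GLOBAL_DENY
show running-config access-group
```

The `log` keyword on the explicit deny is what produces a per-flow syslog for the dropped traffic; the implicit deny that every ACL ends with does not log in the same way, which is why an explicit "deny ip any any log" is added at all. Check `show access-list` hit counts after a change to confirm new permits were inserted above the deny rather than below it.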

Ok, I've created said "global" access-list, but how do you apply it globally?
