04-18-2012 08:47 AM - edited 03-11-2019 03:55 PM
I have a question that I hope someone can clarify ... I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of as an access-group that is applied to a specific interface, in or out ... below are the interfaces and ACL:
interface GigabitEthernet0/1
nameif internet-outside
security-level 0
ip address X.X.X.X 255.255.255.0 standby X.X.X.X
!
interface GigabitEthernet0/2
nameif internet-dmz
security-level 10
ip address 10.69.201.X 255.255.255.0 standby 10.69.201.X
interface TenGigabitEthernet0/8.129
nameif core-inside
security-level 100
ip address 10.69.129.X 255.255.255.0 standby 10.69.129.X
interface TenGigabitEthernet0/9.130
nameif VLAN130
security-level 50
ip address 10.69.130.X 255.255.255.0 standby 10.69.130.X
!
interface TenGigabitEthernet0/9.134
nameif VLAN134
security-level 50
ip address 10.69.134.X 255.255.255.0 standby 10.69.134.X
!
interface TenGigabitEthernet0/9.136
nameif VLAN136
security-level 50
ip address 10.69.136.X 255.255.255.0 standby 10.69.136.X
!
interface TenGigabitEthernet0/9.140
nameif VLAN140
security-level 50
ip address 10.69.140.X 255.255.255.0 standby 10.69.140.X
ACL
access-list wwy-legacy remark Citrix Communications
access-list wwy-legacy extended permit ip object-group All-Citrix object-group All-Citrix
access-list wwy-legacy remark Check Point Firewall MGMT
access-list wwy-legacy extended permit tcp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-tcp
access-list wwy-legacy extended permit udp object-group FW-Admins object-group CP-Firewalls object-group CP-svc-udp
access-list wwy-legacy remark QUALYS Scanner Access
access-list wwy-legacy extended permit ip object-group qualys-scanners any
access-list wwy-legacy extended permit tcp object-group CN_HQ_NET host 10.69.130.12 eq 8080
access-list wwy-legacy remark ISX-Solorwinds
access-list wwy-legacy extended permit udp host 10.121.137.92 any object-group SNMP-mgmt-udp
access-list wwy-legacy extended permit icmp host 10.121.137.92 any
access-list wwy-legacy extended permit icmp any host 10.121.137.92
access-list wwy-legacy extended permit udp any host 10.121.137.92 object-group SNMP-mgmt-udp
access-list wwy-legacy remark citrix access to QA Leo systems
access-list wwy-legacy extended permit tcp object-group vmww-grp-2 object-group vmww-grp-1 eq www
access-list wwy-legacy remark EDI-Outbound
access-list wwy-legacy extended permit tcp host 10.69.130.68 host 198.65.112.233 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.66 host 198.65.112.233 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.68 host 38.96.217.8 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.69 host 38.96.217.8 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.68 host 184.106.46.199 eq ssh
access-list wwy-legacy extended permit tcp host 10.69.130.69 host 184.106.46.199 eq ssh
access-list wwy-legacy remark Security
access-list wwy-legacy extended permit tcp object-group CP-Firewalls object-group External-ACS object-group security-svc-tcp
access-list wwy-legacy extended permit udp object-group CP-Firewalls object-group External-ACS object-group security-svc-udp
access-list wwy-legacy extended permit udp object-group Private_Addresses object-group External-ACS object-group security-svc-udp
access-list wwy-legacy extended permit tcp object-group Private_Addresses object-group External-ACS object-group security-svc-tcp
access-list wwy-legacy extended permit tcp object-group Private-Addresses object-group External-ACS object-group security-svc-tcp
access-list wwy-legacy extended permit udp object-group Private-Addresses object-group External-ACS object-group security-svc-udp
access-list wwy-legacy remark EDI
access-list wwy-legacy extended permit ip object-group Primary_EDI_Servers object-group Primary_EDI_Servers
access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals object-group Primary_EDI_Servers object-group EDI-Common_Inbound_tcp
access-list wwy-legacy extended permit tcp object-group EDI_Customer_To_Portals host 10.69.201.88 object-group EDI-Common_Inbound_tcp
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_tcp
access-list wwy-legacy extended permit udp object-group Primary_EDI_Servers object-group EDI_Customer_To_Portals object-group EDI-Common_Outbound_udp
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq ssh
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 10022
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2223
access-list wwy-legacy extended permit tcp object-group Primary_EDI_Servers object-group EDI_Dest_grp eq 2224
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq ssh
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 10022
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2223
access-list wwy-legacy extended permit tcp object-group EDI_Itanium_Servers object-group EDI_Dest_grp eq 2224
access-list outside-acl-01 extended deny ip any any
access-group outside-acl-01 in interface internet-outside
04-18-2012 09:00 AM
Hi,
Beginning from 8.3(1) you should be able to use a single access-list to control traffic/connection.
It still uses the "access-group" command to "attach" the access-list as a global access-list
command format is:
access-group
Just out of interest, are you moving to ASA from some other product, or why would you want to use one global access-list? Personally I could never think of changing to global access-lists. I guess that's probably due to the fact that I have used access-lists attached to a certain interface and direction for so long.
- Jouni
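The truncated command line above in worked form, as an added example that is not from the thread or from Cisco's documentation; it reuses the ACL and interface names from the original post, and the `!` lines are comments. A global rule applies to inbound traffic on every interface, so entries with `any` in wwy-legacy (the Qualys and SNMP lines, for instance) become reachable inbound on internet-dmz and core-inside as well, not only on the VLAN subinterfaces.

```cisco
! Added example (not from the thread): bind the poster's wwy-legacy ACL once,
! as a global access rule, instead of once per TenGig0/9 subinterface.
! Global access rules exist from ASA 8.3(1). They cover inbound traffic on all
! interfaces and are evaluated only after any interface-specific inbound ACL;
! the implicit deny then sits at the end of the global list.
!
! Interface-specific binding from the original post, unchanged. Because it is
! "deny ip any any", traffic arriving on internet-outside is dropped before the
! global list is ever consulted.
access-group outside-acl-01 in interface internet-outside
!
! One global binding replaces five
! "access-group wwy-legacy in interface VLAN1xx" lines.
access-group wwy-legacy global
!
! Checks: confirm the bindings, watch hit counts, then trace a flow the ACL is
! meant to permit (EDI-Outbound line: 10.69.130.68 -> 198.65.112.233 ssh,
! arriving on VLAN130). The source port 1025 is a constructed value.
show running-config access-group
show access-list wwy-legacy
packet-tracer input VLAN130 tcp 10.69.130.68 1025 198.65.112.233 22
!
! Negative check: the same ACL is now live on core-inside too, so a flow that
! should NOT be allowed from the inside must still end in an ACL drop there.
packet-tracer input core-inside tcp 10.69.129.10 1025 10.69.201.88 22
```

The packet-tracer output ends with a DROP or ALLOW verdict and names the phase (ACCESS-LIST) and the access-group that decided it, which is the quickest way to see whether the interface ACL or the global ACL matched.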
04-18-2012 10:53 AM
Jouni,
Thank you for the information, which I will suggest they add .. Yes, this is a completed product migration from IPSO checkpoint NGXR65 to ASA5585X Version 8.4(3) .. I believe the reasoning behind using it as global was that each of the TenGig 0/9 subinterfaces use the same ACL ...