Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
508
Views
0
Helpful
6
Replies

ASA Firewall

rajeshcv49
Level 1
Level 1

‎12-19-2015 07:07 AM - edited ‎03-12-2019 12:03 AM

Hi All,

ASA Firewall Packet flow,

source address 10.1.1.1 destnation address 192.168.1.1, In firewall acl entry i allowed icmp for 10.1.1.1 to 192.168.1.1, but in global-policy if i drop the icmp packets. Can ping 10.1.1.1 to 192.168.1.1?

Labels:
0 Helpful
6 Replies 6

Collin Clark
VIP Alumni
VIP Alumni

‎12-21-2015 08:45 AM

You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules.

0 Helpful

Cisco Freak
Level 4
Level 4
In response to Collin Clark

‎12-21-2015 01:35 PM

If a packet is permitted in the specific interface rule, but denied in the global policy, will the packet be permitted or denied?

CF

0 Helpful

Shivapramod M
Level 1
Level 1
In response to Cisco Freak

‎12-21-2015 06:43 PM

Hi,

As Collin said, it always look for the interface access list first and then only it will look for the global.

So ideally the interface access list should allow the traffic if it matches.

Thanks,

Shivapramod M

0 Helpful

Cisco Freak
Level 4
Level 4
In response to Shivapramod M

‎12-22-2015 10:35 AM

So anything that is permitted in the interface access-list will not be checked against the global policy. Am I right?

CF

0 Helpful

rajeshcv49
Level 1
Level 1
In response to Cisco Freak

‎12-22-2015 07:52 PM

Yes, Your right

0 Helpful

rajeshcv49
Level 1
Level 1
In response to Collin Clark

‎12-21-2015 07:23 PM

Thank you Collin Clark.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card