06-27-2011 01:47 PM - edited 03-11-2019 01:51 PM
Hi
I understand that if there are rules defined in the Global ACL, all the interfaces' implicit permit (from high to low sec level) will be removed automatically.
What if there are no rules defined in the Global ACL, and we have an interface ACL configured, will there still be the implicit deny any any on the interface ACL?
Currently, on my ASDM, I don't see the implicit deny any any on the interface ACL anymore. I just always see the implicit deny any any on the global ACL even without any rules defined in the Global ACL.
Thanks
06-27-2011 02:11 PM
Hello,
There is an implicit "deny ip any any" at the end of every ACL on the ASA. This is mentioned here:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html#wp1077565
Hope this helps.
06-27-2011 02:43 PM
Yes, in pre-8.3 releases, I see the implicit "deny ip any any" at the end of the interface ACL in ASDM.
With 8.3 and later, I don't see the implicit "deny ip any any" at the end of the interface ACL in ASDM anymore. I only see the implicit "deny ip any any" for the global rule, even if I have not added any ACE in the global rule.
Thanks
pat
06-27-2011 04:21 PM
Hello,
The implicit deny ip any any still exists in all ACLs in software version 8.3 and above.
Hope this helps.