Global ACL and ASDM 6.4.1

plao · ‎06-27-2011

Hi

I understand that if there are rules defined in the Global ACL, all the interfaces implicit permit (from high to low sec level) will be removed automatically.

What if, there are no rules defined in the Global ACL, and we have an interface ACL configured, will there still be the implicit deny any any on the interface ACL?

Currently, on my ASDM, I don't see the implicit deny any any on the interface ACL anymore. I just always see the implicit deny any any on the global ACL even without any rules defined in the Global ACL.

Thanks

Allen P Chen · ‎06-27-2011

Hello,

There is an implicity "deny ip any any" at the end of every ACL on the ASA. This is mentioned here:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_overview.html#wp1077565

Hope this helps.

plao · ‎06-27-2011

yes..in pre 8-3 releases, I see the implicity "deny ip any any" at the end of the inteface ACL in ASDM

With 8.3 and later, I con't see the implicity "deny ip any any" at the end of the inteface ACL in ASDM anymore. I only see the implicity "deny ip any any" for the global rule, even if I have not added any ACE in the global rule

Thanks

pat

Allen P Chen · ‎06-27-2011

Hello,

The implicit deny ip any any still exists in all ACLs in software version 8.3 and above.

Hope this helps.