Global ACL vs Interface ACL

ROHIT SHARMA
Level 1

Hello Everyone,

With the introduction of Global ACL in 8.3 ASA, it's like Checkpoint FW now to configure rules.

I have a doubt regarding this.

Is there any disadvantage if I use only global ACL in ASA? Functionally it should work fine but not sure about other aspects.

Please advise.


ROHIT SHARMA
Level 1

Can anyone help me here?

Vibhor Amrodia
Cisco Employee

Hi,

Global ACL is something which can be used as a rule which might be used to Allow Or Deny traffic if it is not evaluated by the Interface ACL.

I don't see any disadvantage in using this ACL type as it depends on the setup and your requirement.

The most important thing you should note is that it will always be evaluated after the interface ACL.

Also, it centralizes the ACE and is easier to maintain.

Also, check this for some more important usage guidelines:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/access_rules.html#wp1120198

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor,

As it's easier to work with global ACL, do you think interface ACLs may soon be out of use now?

Hi,

I don't think so. As I pointed out, it depends on the deployment type and requirement and a lot of other factors. The global ACL, if very big due to the number of rules, can become difficult to manage in large deployments, and it would be beneficial to separate them per interface.

NAT would also be a big factor in selecting the type of ACL rules.

Also, the priority is also higher than Global ACL.

The Global can only allow/deny inbound traffic. There are some requirements where the outbound traffic needs to be blocked so the interface ACL use is always required.

Thanks and Regards,

Vibhor Amrodia
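An added worked example (not from Cisco or from anyone in this thread) modelling the evaluation order described in the two replies above: interface ACL first, then the global ACL for ingress traffic only, then the implicit deny. The ACE syntax accepted is a small subset of ASA's and the rule contents are constructed.

```python
# Added illustration (not Cisco's code): model of ASA 8.3+ inbound access-rule order,
# interface ACL -> global ACL -> implicit deny, using a subset of ASA ACE syntax.
# On the ASA the global list is bound with "access-group <NAME> global".
import ipaddress
from typing import List, Tuple

Packet = Tuple[str, str, str, int]  # (proto, src_ip, dst_ip, dst_port)

def _addr(tokens: List[str]):
    """Parse 'any' | 'host A' | 'A MASK'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line: str) -> dict:
    """'access-list NAME extended permit tcp any host 10.0.0.5 eq 443' -> ACE dict."""
    t = line.split()
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    port = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"acl": t[1], "action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port}

def _matches(ace: dict, pkt: Packet) -> bool:
    proto, sip, dip, dport = pkt
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(sip) in ace["src"]
            and ipaddress.ip_address(dip) in ace["dst"]
            and (ace["port"] is None or ace["port"] == dport))

def evaluate(pkt: Packet, iface_acl: list, global_acl: list, direction: str = "in") -> str:
    """First match wins; report the verdict and which ACL produced it."""
    for ace in iface_acl:                       # interface ACL is always checked first
        if _matches(ace, pkt):
            return f"{ace['action']} (interface ACL {ace['acl']})"
    if direction == "in":                       # global ACL applies to ingress only
        for ace in global_acl:
            if _matches(ace, pkt):
                return f"{ace['action']} (global ACL {ace['acl']})"
    return "deny (implicit)"                    # implicit deny comes after the global ACL

# Constructed sample rules: what "access-group OUTSIDE_IN in interface outside"
# and "access-group GLOBAL_ACL global" would reference.
OUTSIDE_IN = [parse_ace(ln) for ln in (
    "access-list OUTSIDE_IN extended permit tcp any host 10.0.0.5 eq 443",
    "access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 any")]
GLOBAL_ACL = [parse_ace("access-list GLOBAL_ACL extended permit udp any host 10.0.0.53 eq 53")]
```

Calling `evaluate` with the same UDP packet in the "in" and "out" directions shows why an interface ACL is still needed for egress filtering: the global list is never consulted for outbound traffic.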

Hi Vibhor,

You mentioned that global access rules are applied to traffic that is not evaluated by an interface ACL. What about ingress traffic coming through a VPN site-to-site tunnel?

Is this traffic evaluated by a global access rule?

regards

kay

Global ACL is evaluated only if there is no matching rule found in the Interface ACL. Global ACL is always ingress, and traffic coming through a VPN site-to-site tunnel is not subjected to any ACL.

I hope it helps

rohit

khanzaidsalim
Level 1

The inbound and outbound described here are in terms of the interface. Let's say for example there's an interface gi0/4 named CAT on my ASA FW. The global ACL will only be applicable to the traffic entering through it. So all traffic coming from "CATS" will be checked by this ACL and NOT traffic going to them.
Please correct me if I am mistaken here.
