03-29-2016 09:03 PM - edited 03-12-2019 12:33 AM
Hello Team,
Now that Cisco ASA supports global ACLs, wouldn't it be advisable to use them rather than interface-based ACLs?
Can someone please advise me on the positive and negative sides of it?
I think once we use global ACLs this is more like a Checkpoint firewall and makes our configuration and management easy.
I have a firewall running in multiple-context mode (just one context), in transparent mode. I am still in the process of configuring it, hence I need your inputs to finalize the policies.
Thanks,
Prashant
03-30-2016 03:22 AM
Prashant,
If your queries have been answered, please mark the thread as answered to benefit other community members.
Regards,
Dinesh Moudgil
03-29-2016 09:25 PM
Prashant,
Global access rules allow you to apply a global rule to ingress traffic without the need to specify an interface to which the rule must be applied. Using global access rules provides the following benefits:
• When migrating to the adaptive security appliance from a competitor appliance, you can maintain a global access rule policy instead of
• Global access control policies are not replicated on each interface, so they save memory space.
• Global access rules
• Global access rules use the same
You can configure global access rules in conjunction with interface access rules, in which case, the specific interface access rules are always processed before the general global access rules.
Ref :
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/access_rules.html#wp1083595
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-29-2016 10:20 PM
Hi Dinesh,
Thanks!
However, I am aware of these benefits. I wanted to know, since global ACLs are far better than interface ones, why and in what cases should one be using interface ACLs?
I am sure there should be some use for them, else Cisco would have stopped supporting interface-based policies - just a thought.
03-29-2016 10:32 PM
Primarily customers use interface
In essence, use interface access-list in those cases where the traffic is to be permitted and denied and is part of only that interface.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-29-2016 10:44 PM
Thanks Dinesh! So can we say that by using global ACLs we can achieve everything that we are gaining from the interface-based ones, and that global ACLs are also useful from a system resource perspective as they use less system memory?
In summary, can we conclude that just global-based policies are enough in the production network?
03-29-2016 10:53 PM
In summary, can we conclude that just global-based policies are enough in the production network?
No, global policies are not enough, as they ideally do not cover all the restrictions that you will need to have on the ASAs.
In real-world scenarios, you will have different traffic restrictions based on interfaces.
So, to sum up, customers use a combination of global ACLs and interface ACLs and never rely on global ACLs alone.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-29-2016 10:57 PM
Thanks Again!
However, I am not fully convinced by it. Just to give an example here, Checkpoint doesn't have any concept of interface-based ACLs, and still it has been a reliable firewall.
My thought: Cisco introduced global ACLs just to make management/configuration easier, and they might get rid of interface-based ACLs soon.
03-29-2016 11:04 PM
There is an architectural difference between how Checkpoint's and Cisco's firewalls work. A feature which is stable and working on one might not be the optimum solution on the other.
As far as Cisco deprecating the interface ACLs, I don't think it is going to happen any time soon.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-29-2016 11:14 PM
Thanks!
10-14-2019 11:28 AM
11-07-2019 07:53 AM
Hi Florin,
As the global rules are parsed after the interface-specific ones, AND they only permit inbound rules, you need to implement it in the interface-specific ACLs. I think your emergency change is over and you have implemented it that way.
BR
Axel
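The processing order Dinesh describes (interface access rules first, then global rules, then the implicit deny) and Axel's later point that global rules apply only to inbound traffic are easy to get wrong when reading a config, because a flow that falls off the end of an interface ACL is not dropped there but handed to the global ACL. The Python below is an added example, not code from this thread or from Cisco: it parses a constructed ASA-style ACL snippet (the ACL names, addresses and ports are made up) and evaluates sample flows in the documented order. Higher-to-lower security-level implicit permits and outbound (`out`) interface bindings are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config in ASA extended-ACL syntax (illustrative values only).
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended deny ip 198.51.100.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
access-list GLOBAL_ACL extended permit tcp any any eq 22
access-list GLOBAL_ACL extended deny ip any any
access-group GLOBAL_ACL global
"""


@dataclass
class Ace:
    action: str                              # "permit" or "deny"
    proto: str                               # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]     # None means "any"
    dport: Optional[int]                     # None means any destination port


def _parse_addr(tokens: List[str], i: int):
    """Consume one address spec ('any', 'host A.B.C.D' or 'NET MASK') at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text: str):
    """Return ({acl_name: [Ace, ...]}, bindings). Only 'in' interface bindings and
    the global binding are recorded: a global ACL has no egress form."""
    acls: Dict[str, List[Ace]] = {}
    bindings = {"interfaces": {}, "global": None}
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            name, action, proto = t[1], t[3], t[4]
            src, i = _parse_addr(t, 5)
            dst, i = _parse_addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(name, []).append(Ace(action, proto, src, dst, dport))
        elif t[0] == "access-group":
            if t[2] == "global":
                bindings["global"] = t[1]
            elif t[2] == "in" and t[3] == "interface":
                bindings["interfaces"][t[4]] = t[1]
    return acls, bindings


def _matches(ace: Ace, proto: str, src, dst, dport: Optional[int]) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.src is not None and src not in ace.src:
        return False
    if ace.dst is not None and dst not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acls, bindings, ingress: str, proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation of an inbound flow on `ingress`:
    the interface ACL bound 'in' on that interface is consulted first, then the
    global ACL, and only then the implicit deny. Returns (verdict, reason)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    order = []
    if ingress in bindings["interfaces"]:
        order.append(("interface", bindings["interfaces"][ingress]))
    if bindings["global"]:
        order.append(("global", bindings["global"]))
    for scope, name in order:
        for n, ace in enumerate(acls[name], 1):
            if _matches(ace, proto, src_ip, dst_ip, dport):
                return ace.action, f"{scope} ACL {name} line {n}"
    return "deny", "implicit deny"


if __name__ == "__main__":
    acls, bindings = parse_config(SAMPLE_CONFIG)
    flows = [
        ("outside", "tcp", "203.0.113.5", "192.0.2.10", 443),   # interface permit
        ("outside", "tcp", "198.51.100.7", "192.0.2.20", 22),   # interface deny shadows global permit
        ("outside", "tcp", "203.0.113.5", "192.0.2.20", 22),    # no interface match -> global permit
        ("inside", "udp", "10.0.0.5", "192.0.2.20", 53),        # no interface ACL -> global deny
    ]
    for flow in flows:
        print(flow, "->", evaluate(acls, bindings, *flow))
```

The second and third flows are the ones worth checking against a real config: an interface ACL deny is final even when the global ACL would permit, while a flow that matches nothing in the interface ACL is not dropped by that ACL's implicit deny but continues into the global ACL. That is why, as Axel notes, a rule meant to take effect ahead of global policy has to live in the interface-specific ACL.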