cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12313
Views
15
Helpful
11
Replies

Global Vs Interface Policies

Hello Team,

As now Cisco ASA supports Global ACL wouldn't be this advisable to use it rather than using Interface based ACL ?

Can someone please advise me positive and negative parts of it?

I think once we use global ACL this is more like a Checkpoint firewall and make our configuration and management easy.

I have got firewall running in multiple context ( just have one context) , this is in Transparent mode, I am still in the process of configuring it, hence need your inputs to finalize the policies.

Thanks,

Prashant

1 Accepted Solution

Accepted Solutions

Prashant,

If your queries have been answered, please mark the thread as answered to benefit other community members.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

11 Replies 11

Dinesh Moudgil
Cisco Employee
Cisco Employee

Prashant,

Global access rules allow you to apply a global rule to ingress traffic without the need to specify an interface to which the rule must be applied. Using global access rules provides the following benefits:

•When migrating to the adaptive security appliance from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.

•Global access control policies are not replicated on each interface, so they save memory space.

•Global access rules provides flexibility in defining a security policy. You do not need to specify which interface a packet comes in on, as long as it matches the source and destination IP addresses.

•Global access rules use the same mtrie and stride tree as interface-specific access rules, so scalability and performance for global rules are the same as for interface-specific rules.

You can configure global access rules in  conjunction with interface access rules, in which case, the specific  interface access rules are always processed before the general global  access rules.

Ref :
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/configuration/guide/config/access_rules.html#wp1083595

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Thanks!

However, am aware about these benefits, I wanted to know since global ACL is far better than the interface one then why and on what cases one should be using interface ACLs ?

I am sure there should be some use of them else Cisco would have stopped supporting Interface based policies - just a thought.

Primarily customers use interface access-lists to restrict traffic specific to those interfaces and apply global access-lists to cover the common restrictions which can be applied irrespective of interfaces.

In essence, use interface access-list in those cases where the traffic is to be permitted and denied and is part of only that interface.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks Dinesh! So can we say that by using global ACl we can achieve everything that we are gaining from the interface based, rather Global acls are also useful from system resource perspective as they are using less system memory.

In Summary- can we conclude that just global based policies are enough in the production network ?

Prashant,.


In Summary- can we conclude that just global based policies are enough in the production network ?

No, global policies are not enough as it ideally does not cover all the restrictions that you will need to have on the ASAs.

In real work scenarios, you will have different traffic restrictions based on interfaces.
So , to sum up, customers use the combination of global ACLs and interface ACLs and never rely on global ACLs alone.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks Again!

However, I am not fully convinced with it, just to give an example here, Checkpoint doesn't has any concept of interface based ACL still that has been the reliable firewall.

My thought- Cisco Introduced Global ACL just to make management/configuration easier and might they get rid off interface based ACLs soon.

 

There is an architectural difference between how Checkpoint and Cisco's firewall works. Some feature which is stable and working on one might not be the optimum solution on the other.

As far as Cisco deprecating the interface ACLs, I don't think it is going to happen any soon.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks!

Prashant,

If your queries have been answered, please mark the thread as answered to benefit other community members.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello,

I have some additional questions about this:
- I ran a packet tracer and I could spot the ACL applied on the interface but I see no mention of the global ACL?
can you detail where is this being checked?
- let's say we have a classic ASA deployment with several interfaces acting as LAN and one WAN ; all interfaces (7xLAN + WAN) have inbound (IN direction) ACLs applied on with a deny any any statement at the end of each ACL
Now I receive today an emergency change order on which I need to apply on all LAN interfaces severall outbound allow policies. Can I use this global ACL? Bear in mind each interface ACL ends with a deny. What's the fastest way for me to do this?

Thanks,
Florin.

Hi Florin,

 

as the global rules are parsed after the interface-specific ones, AND it only permits inbound rules, you need to implement it into the interface-specific ACLs. I think your emergency change is over and you have implemented it that way.

 

BR

Axel

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: