Order of Interface and Global ACL

mahesh18
Level 6

Hi Everyone,

Need to confirm if the order of ACL marked in red in number 3 is true??

The Cisco ASA security appliance uses the following order to match access rules when only interface ACLs are configured:

  1. Interface access list rules
  2. Implicit deny ip any any interface access list rule

The Cisco ASA security appliance uses the following order to match access rules when both interface ACLs and the global ACL are configured:

  1. Interface access list rules
  2. Global access list rules
  3. Implicit deny ip any any global access list rules???

Regards

Mahesh
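To make the quoted evaluation order concrete, here is a small Python model of it, added for this thread and not code from Cisco or from anyone in the discussion. It follows the documented order quoted in the question: first-match within the interface ACL, then first-match within the global ACL, then the implicit deny (which sits after the global ACL when one is configured, and after the interface ACL when it is not). The `Ace` class, the `evaluate` function and the sample ACLs and packets are all constructed for the example.

```python
"""Model of ASA access-rule evaluation order (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A packet is modelled as (protocol, source IP, destination IP, destination port).
Packet = Tuple[str, str, str, Optional[int]]


@dataclass(frozen=True)
class Ace:
    """One access control entry, simplified to protocol/src/dst/dport."""
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str                   # CIDR network or "any"
    dst: str                   # CIDR network or "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, packet: Packet) -> bool:
        proto, src, dst, dport = packet
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def first_match(acl: List[Ace], packet: Packet):
    """ACLs are first-match: the first ACE that matches decides, permit or deny."""
    for idx, ace in enumerate(acl):
        if ace.matches(packet):
            return idx, ace
    return None


def evaluate(interface_acl: Optional[List[Ace]],
             global_acl: Optional[List[Ace]],
             packet: Packet) -> Tuple[str, str]:
    """Return (verdict, stage) in the order: interface ACL, global ACL, implicit deny."""
    if interface_acl is not None:
        hit = first_match(interface_acl, packet)
        if hit is not None:
            return hit[1].action, f"interface ACE #{hit[0]}"
    if global_acl is not None:
        hit = first_match(global_acl, packet)
        if hit is not None:
            return hit[1].action, f"global ACE #{hit[0]}"
        # A global ACL is configured, so the implicit deny comes after it.
        return "deny", "implicit deny after global ACL"
    if interface_acl is not None:
        # Only an interface ACL is configured: its own implicit deny applies.
        return "deny", "implicit deny after interface ACL"
    # No ACL at all: the security-level default decides (outside this model).
    return "default", "no ACL configured; security-level default applies"


# Constructed sample policy: an "inside" interface ACL plus a global ACL.
INSIDE_ACL = [
    Ace("deny", "tcp", "10.1.5.0/24", "any", 22),      # block SSH from a guest subnet
    Ace("permit", "tcp", "10.1.0.0/16", "any", 443),   # allow HTTPS from inside
]
GLOBAL_ACL = [
    Ace("permit", "udp", "any", "10.9.9.53/32", 53),   # DNS to the internal resolver
    Ace("permit", "icmp", "any", "any"),               # ping everywhere
]

if __name__ == "__main__":
    samples: List[Packet] = [
        ("tcp", "10.1.2.3", "203.0.113.10", 443),   # interface permit
        ("tcp", "10.1.5.7", "203.0.113.10", 22),    # interface explicit deny
        ("udp", "10.1.2.3", "10.9.9.53", 53),       # no interface match, global permit
        ("tcp", "10.1.2.3", "203.0.113.10", 25),    # no match anywhere: implicit deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(INSIDE_ACL, GLOBAL_ACL, pkt))
    print("interface ACL only:", evaluate(INSIDE_ACL, None, samples[3]))
    print("global ACL only:", evaluate(None, GLOBAL_ACL, ("icmp", "10.1.2.3", "8.8.8.8", None)))
```

The third sample packet is the one that answers the question in the thread: SSH from the guest subnet is stopped by the explicit deny in the interface ACL, so the global ACL is never consulted, while the DNS packet matches nothing in the interface ACL and falls through to the global ACL. The last two calls show where the implicit deny lands when only one of the two ACLs exists.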

4 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh,

In this case we have 2 access-group

One specific (applied to an interface)

One global (applied to all of the interfaces of the ASA)

Which goes first:

The most specific (the one applied to the interface)

If there is no ACL applied to an interface then the less specific takes place (global) and that's it basically,

The implicit deny will be set on both of them.

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

So does this mean that if a Global ACL is applied to the ASA then the order will be

  1. Interface ACL
  2. Global ACL

now if we have no match there we know by default it is implicit deny ip any any.

So this implicit will be global or interface ACL?

Regards

Mahesh

Hello Mahesh,

Here is the thing:

  1. If we have an ACL applied to "X" interface and there is no permit statement for that traffic, then that traffic will be denied (implicit deny at the end); the Global will never be checked.
  2. If we don't have any ACL applied to "X" interface and we have a global ACL, then we will check that; if there is a permit statement that matches the traffic we are good, otherwise the implicit deny drops it again.

Let me know if you got it,

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Got it now.

Best regards

Mahesh
