Would global ACL affect traffic on failover interfaces?

HyeonCheol Cho
Level 1

Does anyone know what would happen to the failover interfaces (failover interface and failover stateful interface) if a global ACL gets applied to the firewall?

Would the global ACL also attach to the failover interfaces?

When the ASA runs in single context mode, the failover interfaces are in the same space as the other data interfaces. Would the global ACL attach to the failover interfaces?

When the ASA runs in multi-context mode, as the failover interfaces are in the system context, I suspect that global ACL would not affect the failover interfaces.

Any comments would be appreciated.

Thank you

Kind Regards

3 Replies

Jouni Forss
VIP Alumni

Hi,

To my understanding like normal interface ACLs the global ACLs only control traffic "through the box" and not "to the box".

To my understanding all traffic related to the failover operation is between the actual units and not through them at any point, so an interface ACL or global ACL shouldn't affect the normal failover operation.

We don't use the global ACL that much, but we do use it in some ASAs that run failover, and we have no rules built specifically to allow traffic related to the failover link and its subnet.

The latest Cisco ASA Command Reference says this about global ACLs. It doesn't really mention failover, but it mentions that the global ACL doesn't support the "control-plane" parameter like the interface ACLs do. In interface-specific ACLs that parameter is used to control traffic "to the box".

Usage Guidelines for Global Rules

The access-group global command applies a single set of global rules on all traffic, no matter which interface the traffic arrives at the ASA.

Global rules for the access-group global command support extended ACLs only.

All global rules apply only to traffic in the ingress (input) direction. Global rules do not support egress (output) traffic.

Global rules for access-group global do not support the control-plane nor the per-user-override options that are supported in interface-specific access rules.

If global rules are configured in conjunction with interface access rules, then the interface access rule, which is specific, is processed before the global access rule, which is general.

I can't of course say anything with 100% certainty, but this is how I understand it and how it seems to operate.

EDIT: Corrected something I thought was a typo, only to see that I "corrected" something that was already correct.

- Jouni

Hello Jouni,

Thank you for sharing.

I am thinking of applying a global ACL to all of my firewalls, and the global ACL would have ACEs as below. With these explicit denies, there will be more detailed information in the log messages on the denied packets.

access-list acl-global extended deny tcp any any log

access-list acl-global extended deny udp any any log

access-list acl-global extended deny ip any any log

Before I apply this global ACL to my firewalls, I wanted to increase my confidence that this global ACL wouldn't affect failover traffic.

Does your global ACL also deny all IP traffic? What is the ASA code version you are using?

I read the documents, but I wanted to increase my confidence through examples of real implementations, as the documentation is not very clear on this.

Thank you

Kind Regards

Hi,

Our ACL makes no mention of the failover link IP addresses; therefore, if the global ACL controlled traffic "to the box" / "from the box", it would all be dropped by the implicit deny.

To my understanding the only ACL that can block traffic that is coming to the ASA interface (not through it) or leaving from that interface (not through it) would be the interface ACL attached with the command:

access-group in interface control-plane

And this "control-plane" option is not usable with global ACLs.

Furthermore, you are not even able to attach a normal ACL to the "failover" interface, so I somehow doubt the global ACL could even apply to the failover interface if you can't even attach a normal ACL to it. The documentation above mentions that the global ACL applies to every interface, but then again Cisco documentation doesn't always really go into specifics in the Command Reference or other documents.

I don't think I can give any better answer than this myself without finding an actual Cisco document that states it.

Hope this helps

- Jouni
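Putting the thread's two points together as a constructed ASA configuration fragment (an added example, not configuration from either poster): the global ACL with the explicit logged denies from the question applied with `access-group ... global`, beside an interface ACL and a control-plane ACL, so the through-the-box / to-the-box split the replies describe is visible in one place. The interface name `outside`, the ACL names other than `acl-global`, and the 192.0.2.0/24 addresses are assumptions.

```cisco
! Constructed example; interface name, ACL names (except acl-global) and
! addresses are placeholders, not taken from the thread.

! Through-the-box traffic, ingress on "outside": the interface ACL is
! evaluated first (specific), the global ACL afterwards (general).
access-list acl-outside extended permit tcp any host 192.0.2.10 eq 443
access-group acl-outside in interface outside

! Global ACL from the question: explicit denies with "log" so that dropped
! packets produce detailed log messages instead of silently hitting the
! implicit deny. Applies to the ingress direction on every data interface.
access-list acl-global extended deny tcp any any log
access-list acl-global extended deny udp any any log
access-list acl-global extended deny ip any any log
access-group acl-global global

! To-the-box traffic (here: SSH from one management host to the outside
! interface address 192.0.2.1) is controlled only by an interface ACL applied
! with "control-plane". The "global" form has no control-plane option, which
! is why, per the replies above, the global ACL does not govern traffic that
! terminates on the ASA itself, failover messages included.
access-list acl-outside-cp extended permit tcp host 192.0.2.200 host 192.0.2.1 eq 22
access-group acl-outside-cp in interface outside control-plane
```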
