In Cisco ASA Software Version 8.3 and later, Cisco added a feature aimed at making access policy configuration easier: the global ACL. A global ACL applies access control to inbound traffic on all interfaces at once. It is written with the same extended access-list syntax as an interface ACL; the only difference is how it is applied, with "access-group NAME global" in global configuration mode instead of binding the ACL to a particular interface with "access-group NAME in interface IFNAME".
Cisco lists the following benefits for this new feature:
- When migrating to the Cisco ASA from a competitor appliance, you can maintain a global access rule policy instead of needing to apply an interface-specific policy on each interface.
- Global access control policies are not replicated on each interface, so they save memory space.
- Global access rules provide flexibility in defining a security policy: as long as a packet matches the source and destination IP addresses, the incoming interface is irrelevant.
- Global access rules use the same architectural constructs as interface-specific access rules, so scalability and performance for global rules is the same as for interface-specific rules.
The Cisco ASA security appliance uses the following order to match access rules when only interface ACLs are configured:
- Interface access list rules
- Implicit deny ip any any interface access list rule
Note: The above is simple to remember because it is the Cisco ASA behavior from before global ACLs were introduced: the implicit deny sits at the end of the interface ACL, so anything the interface ACL does not explicitly permit is dropped.
The Cisco ASA security appliance uses the following order to match access rules when both interface ACLs and the global ACL are configured:
- Interface access list rules
- Global access list rules
- Implicit deny ip any any global access list rule
Note: Matching is first-match within this order. An explicit deny in the interface ACL still wins over a global permit, but the implicit deny now lives at the end of the global ACL, not the interface ACL. A packet that matches nothing in the interface ACL falls through to the global rules, so an interface ACL that silently relied on its implicit deny no longer drops that traffic on its own once a global ACL with permits is configured. Review existing interface ACLs for that assumption before adding a global ACL.
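To make the lookup order concrete, here is an added example (not from the original post and not Cisco code) in Python that parses a constructed ASA configuration and evaluates inbound packets in exactly the order above: interface ACL, then global ACL, then implicit deny at the end of the last ACL consulted. The configuration, ACL names, interface names (inside, dmz) and addresses are all made up for the example, and the parser understands only a small subset of ASA syntax (extended ACEs with any / host / address-mask addresses and numeric "eq" ports, plus inbound and global access-group bindings); object groups, service names, outbound ACLs and the ACL-less security-level defaults are not modelled.

```python
"""Model of the Cisco ASA access-rule lookup order (added example, not Cisco code).

Parses a small subset of ASA syntax and evaluates packets in the documented
order: interface ACL, then global ACL, then the implicit deny. Returns which
rule decided, so the fall-through from interface ACL to global ACL is visible.
"""
import ipaddress
from collections import namedtuple

Ace = namedtuple("Ace", "action proto src sport dst dport")
Packet = namedtuple("Packet", "iface proto src sport dst dport")

# Constructed sample configuration (not captured from a real appliance).
CONFIG_WITH_GLOBAL = """
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443
access-list INSIDE_IN extended deny tcp any host 192.0.2.10 eq 22
access-list GLOBAL_IN extended permit udp any any eq 53
access-group INSIDE_IN in interface inside
access-group GLOBAL_IN global
"""

# Same interface ACL, but with no global ACL defined or bound.
CONFIG_INTERFACE_ONLY = "\n".join(
    line for line in CONFIG_WITH_GLOBAL.splitlines() if "GLOBAL_IN" not in line
)


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes subnets as ADDRESS MASK, e.g. 10.1.1.0 255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_config(text):
    """Return (acls by name, inbound interface bindings, global ACL name or None)."""
    acls, bindings, global_acl = {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "extended":
            src, i = _parse_addr(t, 5)
            sport, i = _parse_port(t, i)
            dst, i = _parse_addr(t, i)
            dport, i = _parse_port(t, i)
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, sport, dst, dport))
        elif t[0] == "access-group" and t[-1] == "global":
            global_acl = t[1]
        elif t[0] == "access-group" and t[2:4] == ["in", "interface"]:
            bindings[t[4]] = t[1]
        else:
            raise ValueError("unsupported line: " + line)
    return acls, bindings, global_acl


def _matches(ace, pkt):
    """True when the ACE's protocol, addresses and optional ports all cover the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def lookup(config, pkt):
    """Evaluate an inbound packet: interface ACL, then global ACL, then implicit deny.

    Returns (action, where) so the caller can see which rule made the decision.
    """
    acls, bindings, global_acl = config
    stages = []
    if pkt.iface in bindings:
        stages.append(bindings[pkt.iface])
    if global_acl:
        stages.append(global_acl)
    if not stages:
        raise ValueError("no ACL applies; the security-level default is not modelled")
    for name in stages:
        for n, ace in enumerate(acls[name], start=1):
            if _matches(ace, pkt):  # first match wins
                return ace.action, f"{name} line {n}"
    # The implicit deny sits at the end of the last ACL consulted: the global
    # ACL when one is configured, otherwise the interface ACL.
    return "deny", f"implicit deny at end of {stages[-1]}"


if __name__ == "__main__":
    cfg = parse_config(CONFIG_WITH_GLOBAL)
    # Inside DNS traffic matches nothing in INSIDE_IN and is permitted by GLOBAL_IN.
    print(lookup(cfg, Packet("inside", "udp", "10.1.1.5", 5353, "198.51.100.53", 53)))
    # Without the global ACL the same packet hits the interface ACL's implicit deny.
    print(lookup(parse_config(CONFIG_INTERFACE_ONLY),
                 Packet("inside", "udp", "10.1.1.5", 5353, "198.51.100.53", 53)))
```

The interesting case is the DNS packet: INSIDE_IN has no DNS rule, so with only the interface ACL it is dropped by the implicit deny, but once GLOBAL_IN is bound the packet falls through and is permitted by the global rule. The explicit deny for SSH in INSIDE_IN is still honoured ahead of anything global, and a dmz host with no interface ACL at all is evaluated against the global ACL directly.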
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv