16-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 16 Managing Firewall Access Rules
Understanding Access Rules
• Configuring Settings for Access Control, page 16-20
• Expanding Object Groups During Discovery, page 12-35
• Importing Rules, page 16-37
• Adding and Removing Rules, page 12-9
• Editing Rules, page 12-9
• Enabling and Disabling Rules, page 12-20
• Moving Rules and the Importance of Rule Order, page 12-19
Understanding Global Access Rules
Traditionally, access rules (ACLs), which control which traffic can flow through a device, are applied to
device interfaces. However, with ASA devices running software release 8.3+, you have the option to
create global access rules for IPv4 and IPv6.
Global access rules are defined as a special ACL that is processed for every interface on the device for
traffic entering the interface. Thus, although the ACL is configured once on the device, it acts like a
secondary interface-specific ACL defined for the In direction. (Global rules are always for the In
direction, never the Out direction.)
When traffic enters an interface on an ASA 8.3+ device, the device first applies any interface-specific
access rules to the traffic, and then applies the global rules. (Overall processing is explained in
Understanding the Processing Order of Firewall Rules, page 12-2.)
Global rules are best used for rules that you want to apply to all traffic that enters a device regardless of
which interface it enters. For example, there might be a specific host or subnet that you always want to
deny or permit. You can create these as global rules, so they are configured once on the device instead
of being configured again for each interface. (A global rule is functionally the same as an
interface-specific rule configured for the All-Interfaces role, but All-Interfaces rules are repeated for
each interface rather than being configured once on the device.)
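The following Python model is an added illustration and is not Cisco or Security Manager code. It reproduces the inbound evaluation order described above (interface-specific ACL for the ingress interface first, then the global ACL, which is inbound only) on a few constructed packets using documentation address ranges. The placement of the implicit deny after the global ACL reflects ASA 8.3+ behaviour as I understand it from the platform documentation, not something this page states. The hostile-host and DNS rules are invented for the example.

```python
"""Model of ASA 8.3+ inbound ACL evaluation: interface-specific ACL first,
then the global ACL, then the implicit deny.  Added illustration, not Cisco code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One access-list entry: action, protocol, source/destination networks,
    and an optional destination port (None = any port)."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.get("dport"):
            return False
        return True


class Asa83Policy:
    """Interface-specific ACLs keyed by ingress interface name, plus one global
    ACL evaluated for traffic entering any interface (In direction only)."""

    def __init__(self, interface_acls: dict, global_acl: list):
        self.interface_acls = interface_acls
        self.global_acl = global_acl

    def evaluate(self, pkt: dict) -> tuple:
        """Return (action, source_of_decision) for a packet entering pkt['iface']."""
        # 1. The ACL bound to the ingress interface is consulted first.
        for rule in self.interface_acls.get(pkt["iface"], []):
            if rule.matches(pkt):
                return rule.action, f"interface:{pkt['iface']}"
        # 2. The global ACL is processed for every interface, inbound only.
        for rule in self.global_acl:
            if rule.matches(pkt):
                return rule.action, "global"
        # 3. Nothing matched: implicit deny (assumed to sit after the global ACL
        #    on ASA 8.3+, so that global rules get a chance to match).
        return "deny", "implicit"


# Constructed policy; addresses are documentation ranges, not a real device.
POLICY = Asa83Policy(
    interface_acls={
        "outside": [Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443)],
    },
    global_acl=[
        Rule("deny", "ip", "192.0.2.50/32", "0.0.0.0/0"),        # host we always want denied
        Rule("permit", "udp", "0.0.0.0/0", "10.1.1.20/32", 53),  # DNS reachable from any interface
    ],
)


def decide(iface: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> tuple:
    """Evaluate one constructed packet against POLICY."""
    return POLICY.evaluate({"iface": iface, "proto": proto, "src": src,
                            "dst": dst, "dport": dport})


if __name__ == "__main__":
    samples = [
        ("outside", "tcp", "198.51.100.7", "10.1.1.10", 443),  # interface permit
        ("outside", "tcp", "192.0.2.50", "10.1.1.10", 443),    # interface permit shadows global deny
        ("dmz", "udp", "192.0.2.50", "10.1.1.20", 53),         # no dmz ACL -> global deny
        ("dmz", "udp", "198.51.100.7", "10.1.1.20", 53),       # global permit
        ("dmz", "tcp", "198.51.100.7", "10.1.1.20", 22),       # implicit deny
    ]
    for args in samples:
        print(args, "->", decide(*args))
```

The second sample is the case worth checking on a real policy: because the interface-specific ACL is evaluated first, a permit there is final and the global deny for 192.0.2.50 never runs on the outside interface. A host that must be blocked everywhere therefore needs the deny in each interface ACL that could permit it, or no broader permit ahead of it; the global rule only covers interfaces whose own ACL does not already decide the packet.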
Tip: If you want to configure the same set of global rules for more than one device, create a shared policy and
inherit it in the IPv4 or IPv6 access rules policy for each device. Ensure that all global rules are in the
Default section of the shared policy. If you put any global rules in the Mandatory section, you will not
be able to inherit it on devices that have local interface-specific access rules defined. For more
information on shared and inherited policies, see Local Policies vs. Shared Policies, page 5-3 and
Understanding Rule Inheritance, page 5-4.
When you configure access rules for an ASA 8.3+ device in Security Manager, interface-specific and
global rules are configured in the same policy. However, because the device always processes
interface-specific rules first, Security Manager prevents you from intermixing these different types of
rules. Therefore, if you configure both interface-specific and global rules on a device, keep the following
in mind:
• Global rules always come last in the access rules policy. All interface-specific rules come before
global rules.
• You cannot move rules in a way that violates the required order. For example, you cannot move an
interface-specific rule below a global rule, or a global rule above an interface-specific rule.
• You cannot create rules in a location that violates the required order. For example, if you select an
interface-specific rule, and another interface-specific rule follows it in the table, you cannot create
a global rule. If you try to create the wrong kind of rule, when you save the rule, Security Manager