Cisco ASA – Global Access Lists

KB ID 0001019

Problem

I’ve been working for a client that has a large firewall deployment, and they have twelve switches in their six DMZs. I wanted to take a backup of these switches (and all the other network devices).

While I was bemoaning the number of ACLs I would need to allow TFTP in from (note: that’s UDP port 69, if you are interested), my colleague said “Why not use a global ACL?” On the rare occasions I’m in the ASDM I’ve seen the ‘global’ rule but never really paid it much attention. (Note: You need an OS of 8.3 or newer!)

Don’t panic! I’m not going to use the ASDM (if you want to use it, you can pretty much work out how to do it from the picture above).

What is a Global ACL?

This is an access list that applies to traffic inbound on all interfaces, so a permit in it allows that traffic in on every interface. There are a couple of caveats:

  • Interface-specific ACLs take precedence over the global ACL (with the exception of the implicit deny at the end of the ACL).
  • With the above in mind, if there is a matching deny on an interface ACL, the traffic will be blocked for that interface.
  • If you have manually added a deny ip any any to the end of an interface ACL (e.g. for logging purposes), then traffic allowed in the global ACL will fail for that interface, because the explicit deny matches before the global ACL is ever consulted.

So the firewall processes each interface’s ACL and, just before the implicit deny, it then checks the global ACL; if the global ACL allows the traffic, it is passed.
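To make the ordering concrete, here is a small model of that lookup sequence (interface ACL, then global ACL, then implicit deny). It is an added example for this article, not anything from the ASA itself: it ignores addresses and direction and only matches on protocol and destination port, and the DMZ1/DMZ2 rule sets are constructed to show the deny ip any any caveat.

```python
# Added illustration (not part of the original article): model the ASA's
# evaluation order for inbound traffic and show why an explicit
# 'deny ip any any' on an interface ACL defeats a permit in the global ACL.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "udp", "tcp" or "ip" (ip = any protocol)
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, proto: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        return self.dst_port is None or self.dst_port == dst_port


def evaluate(interface_acl: List[Ace], global_acl: List[Ace],
             proto: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' in ASA order: the interface ACL is walked
    first, then the global ACL, and only then does the implicit deny apply."""
    for ace in interface_acl + global_acl:
        if ace.matches(proto, dst_port):
            return ace.action
    return "deny"  # implicit deny at the very end


# Constructed sample: the article's global ACL (UDP/69) and two DMZ interface ACLs.
GLOBAL = [Ace("permit", "udp", 69)]
DMZ1 = [Ace("permit", "tcp", 443)]                       # no explicit deny
DMZ2 = [Ace("permit", "tcp", 443), Ace("deny", "ip")]    # manual 'deny ip any any' for logging


def demo() -> dict:
    return {
        "dmz1_tftp": evaluate(DMZ1, GLOBAL, "udp", 69),  # permit: falls through to global ACL
        "dmz2_tftp": evaluate(DMZ2, GLOBAL, "udp", 69),  # deny: explicit deny matches first
        "dmz1_ssh": evaluate(DMZ1, GLOBAL, "tcp", 22),   # deny: nothing matches, implicit deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

If a DMZ interface has a logging deny ip any any at the end, add a matching permit above it on that interface ACL rather than expecting the global ACL to rescue the traffic.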

Solution

OK, I want to allow all my DMZ devices to communicate with the TFTP server on my management server in the LAN.

1. Log into the firewall and create an ACL as you would normally.

[box]

PetesASA> enable
Password: *********
PetesASA# configure terminal
PetesASA(config)# access-list ACL-Global extended permit udp any any eq 69

[/box]

2. Then instead of applying the ACL directionally to an interface, apply it globally.

[box]

PetesASA(config)# access-group ACL-Global global

[/box]

That’s it! Let’s test it by trying to back up a DMZ switch.

[box]

DMZ1-SW-1#copy running-config tftp
Address or name of remote host []? 192.168.10.10
Destination filename [DMZ-SW-1-confg]? DMZ-SW-1-Backup
!!
1130 bytes copied in 12.244 secs (92 bytes/sec)

[/box]

Related Articles, References, Credits, or External Links

NA