MicroNugget: What is the Global ACL Feature on the ASA Firewall?


In this video, Keith Barker covers the new Global Access Control List feature on ASA firewalls. The only perfect way to keep your internal networks safe from intrusion is to never connect to any external networks. Since that's rarely possible, see how global ACLs keep large networks secure.

Hypothetically, suppose you've got 50 different interfaces and need to allow or permit some common traffic on all 50 of them. With a global ACL, you can make one rule that applies to all those interfaces.

To demonstrate, Keith inspects a DMZ's (demilitarized zone's) path to the internet. For the server on that perimeter network, we can assign rules for which outside traffic is permitted through the ASA.

By default, initial traffic doesn’t flow from low security to higher security interfaces. That means if an inbound packet is destined for a higher security level interface, the ASA is never going to push that water uphill.

An ACL says, “Please permit traffic from anywhere on the internet, if its destination is our DMZ server, and its destination port is TCP 80 (web services).”

As you add more interfaces, each with more users, you would normally need an access list for each one. With a global ACL, you don't have to assign an access list to each interface individually.
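As an added example (not configuration from the video), here is the per-interface form of the DMZ web rule beside its global form for ASA 8.3 or later; the interface name `outside`, the ACL names and the DMZ server address 203.0.113.45 (a documentation-range address) are assumed:

```text
! Per-interface form: the same rule has to be bound to every interface it should cover
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.45 eq 80
access-group OUTSIDE_IN in interface outside

! Global form: one ACL, applied inbound on all interfaces at once
access-list GLOBAL_IN extended permit tcp any host 203.0.113.45 eq 80
access-group GLOBAL_IN global

! Check which ACLs are bound where, and whether the global rule is being hit
show running-config access-group
show access-list GLOBAL_IN
```

A global ACL applies only in the inbound direction; when an interface also has its own inbound ACL, the ASA evaluates that interface ACL first, then the global ACL, and the implicit deny sits at the end of the global ACL. Further destinations are simply additional entries in the same list, not separate global ACLs.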

Start learning with CBT Nuggets:

Comments

Yes, after he finishes CCNP Security Firewall he starts working on CCNP Security VPN. Keith is currently working through the series very quickly. I would expect to see both finished by the beginning of November.

cbtnuggets

Right now Keith is halfway through finishing a new series for CCNP Security. It should be finished within a few weeks. If you have an annual subscription you can check out the first 10 videos now.

cbtnuggets

Great demonstration. I like it because it works! :) Is he going to update all of the CCNP Security Exam Series, or only the Firewall? Please let me know soon. I am a big fan of both Keith & CBT.

somalistudent

Great as always Keith. Do you plan on updating the CCNP Security track with CBT Nuggets?

andrewbromfield

Are we limited to a single global rule that must be edited if different but additional, destination IPs/ports are needed?

e.g.
Sources = IANA addresses
Destination = [First task today] 203.0.113.45 tcp 80
Destination = [Second task next month] 198.51.100.76 tcp 1024

jasonworingen

One question about ACLs in ASAv: I have to open both ways to make a connection from the internal interface to the DMZ interface; if I open only one direction it doesn't work, unlike other stateful firewalls. Any advice for this problem?

bigbos