About ASA Global Access Policies
Global access policies are network policies applied to all interfaces on an ASA. These policies are only applied to inbound network traffic. Create a global access policy if you want to apply a set of rules uniformly to all your ASA interfaces.
There can only be one global access policy configured on an ASA. Like any other policy, a global access policy can have more than one rule assigned to it.
ASA Global access policies are processed after network policies for specific interfaces and before the implicit deny rule for all traffic. This is the order of rule-processing on the ASA:
- Interface access rules.
- For bridge group member interfaces, the Bridge Virtual Interface (BVI) access rule.
- Global access rule.
- Implicit deny.
Limitations on Configuring an ASA Global Access Policy
CDO allows you to create and edit a global access policy for your ASA. However, if your ASA had a global access policy when you on-boarded it to CDO, you will have these limitations:
- You will be able to edit the policy but you will not be able to create a new one as there is only one global access policy allowed per device.
- If the global access policy on the ASA contains rules that CDO doesn't support, you will not be able to edit the policy.
- You will only be able to delete the policy using CLI interface or by editing the Device Configuration file.
Create a Global Access Policy
- Click Policies > ASA Policies.
- In the filter panel, filter the policy list to find the device to which you want to add the global policy.
- In the Interfaces column of the Network Policies table, make sure there are no policies labeled "global."
- Click Create Policy.
- Click the Device button and select the ASA to which you want to add the global policy. Click Select.
- Give the policy a name and check Create as a global policy. You see that the you cannot select an interface or a direction for the policy. Global policies are always assigned to all interfaces on the device and always evaluate inbound traffic.
- Click Save.
- Use, Edit an ASA Network Policy to add rules to the new policy.
Edit a Global Access Policy
Keeping in mind the configuration limitations described above, use Edit an ASA Network Policy to edit your global access policy.
Note: If you find that you cannot edit a global policy because the Edit Policy button is deactivated, it may be because the policy was created on the ASA and contains rules with objects that CDO does not support. Those rules will not be visible to you in the global access policy table. In this case, you will need to edit the configuration file using CDO's CLI tool, by editing the ASA's configuration file using CDO, or by editing the global policy directly on the ASA.
Copy a Global Access Policy to Another Device
Use, Copy an ASA Network Policy to copy a global access policy from one device to another or to copy a global access policy from one device to a single interface on another device.
Deleting a Global Access Policy
You cannot delete a global access policy using CDO's user interface. To delete a global access policy, you will need to delete the global access policy at the command line using CDO's CLI tool, by editing the ASA's configuration file using CDO, or by editing the global policy directly on the ASA.