Configure an ASA Global Access Policy

Global access policies are network policies applied to all interfaces on an ASA. These policies are only applied to inbound network traffic. Create a global access policy if you want to apply a set of rules uniformly to all your ASA interfaces.

There can only be one global access policy configured on an ASA. Like any other policy, a global access policy can have more than one rule assigned to it.

ASA global access policies are processed after the network policies for specific interfaces and before the implicit deny rule for all traffic. This is the order of rule processing on the ASA:

  1. Interface access rules.

  2. For bridge group member interfaces, the Bridge Virtual Interface (BVI) access rule.

  3. Global access rule.

  4. Implicit deny.
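
The processing order above, modeled in Python as an added example (not Cisco's or CDO's code): a simplified first-match evaluator that reports which stage decided an inbound packet. The Rule class, the evaluate function, the rule sets and all addresses are constructed for illustration; real ASA rules match on more fields than source, destination and port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    port: Optional[int] = None  # destination port; None matches any port

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.port in (None, dport))

def evaluate(packet, interface_rules, bvi_rules, global_rules):
    """Return (action, stage) for an inbound packet (src_ip, dst_ip, dport)."""
    stages = [("interface", interface_rules),   # 1. interface access rules
              ("bvi", bvi_rules),               # 2. BVI rule (bridge group members)
              ("global", global_rules)]         # 3. global access rule
    for stage, rules in stages:
        for rule in rules:                      # first matching rule decides
            if rule.matches(*packet):
                return rule.action, stage
    return "deny", "implicit-deny"              # 4. nothing matched

# Constructed sample policies (documentation address ranges).
GLOBAL = [Rule("permit", "0.0.0.0/0", "198.51.100.10/32", 443)]
# Interface policy with no catch-all: unmatched traffic falls through to GLOBAL.
INSIDE = [Rule("deny", "192.0.2.0/24", "0.0.0.0/0")]
# Interface policy ending in an explicit deny-all: GLOBAL is never reached.
DMZ = [Rule("permit", "0.0.0.0/0", "198.51.100.20/32", 25),
       Rule("deny", "0.0.0.0/0", "0.0.0.0/0")]

if __name__ == "__main__":
    web = ("203.0.113.5", "198.51.100.10", 443)
    ssh = ("203.0.113.5", "198.51.100.10", 22)
    for name, iface in (("INSIDE", INSIDE), ("DMZ", DMZ)):
        print(name, "web:", evaluate(web, iface, [], GLOBAL))
        print(name, "ssh:", evaluate(ssh, iface, [], GLOBAL))
```

In this model, an interface policy that ends in an explicit deny-all decides every packet on that interface, so the global policy applies uniformly only to traffic that no interface rule matches.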

Limitations on Configuring an ASA Global Access Policy

CDO allows you to create and edit a global access policy for your ASA. However, if your ASA already had a global access policy when you onboarded it to CDO, these limitations apply:

  • You will be able to edit the policy, but you will not be able to create a new one, as only one global access policy is allowed per device.

  • If the global access policy on the ASA contains rules that CDO doesn't support, you will not be able to edit the policy.

  • You will only be able to delete the policy using the CLI or by editing the Device Configuration file.