Chapter 14
Information About Access Lists
Cisco ASA 5500 Series Configuration Guide using the CLI
14-1
Cisco ASAs provide basic traffic filtering capabilities with access lists, which control access in your
network by preventing certain traffic from entering or exiting. This chapter describes access lists and
shows how to add them to your network configuration.
Access lists are made up of one or more access control entries (ACEs). An ACE is a single entry in an
access list that specifies a permit or deny rule (to forward or drop the packet) and is applied to a protocol,
to a source and destination IP address or network, and, optionally, to the source and destination ports.
Access lists can be configured for all routed and network protocols (IP, AppleTalk, and so on) to filter
the packets of those protocols as the packets pass through a router.
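The following fragment is an added example (not from the guide) of what such ACEs look like on the ASA CLI: a hypothetical extended access list named OUTSIDE_IN, bound inbound on an interface assumed to be called "outside", using documentation address ranges. It shows the fields the text names (protocol, source and destination address or network, ports, ICMP type, explicit line number), that ACEs are matched top down with the first match winning, and that anything not matched falls to the implicit deny at the end of the list.

```cisco
! Hypothetical extended access list; names and addresses are assumptions for this example.
! Allow HTTPS from anywhere to one web server.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
! Allow DNS from a single partner resolver to the internal DNS host.
access-list OUTSIDE_IN extended permit udp host 198.51.100.5 host 203.0.113.53 eq 53
! Allow only ICMP echo replies back into the 203.0.113.0/24 network (ASA masks are subnet masks).
access-list OUTSIDE_IN extended permit icmp any 203.0.113.0 255.255.255.0 echo-reply
! Insert a more specific deny ahead of the first ACE by giving an explicit line number;
! because matching stops at the first hit, it must sit above the broader permit.
access-list OUTSIDE_IN line 1 extended deny tcp host 198.51.100.99 host 203.0.113.10 eq 443
! Document intent inside the list itself.
access-list OUTSIDE_IN remark Traffic matching no ACE above is dropped by the implicit deny
! Apply the list to inbound traffic on the outside interface.
access-group OUTSIDE_IN in interface outside
! Confirm the resulting order and watch per-ACE hit counts during testing.
show access-list OUTSIDE_IN
```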
Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can
use an access list to identify traffic within a traffic class map. For more information on Modular Policy
Framework, see Chapter 32, “Configuring a Service Policy Using the Modular Policy Framework.”
This chapter includes the following sections:
Access List Types, page 14-1
Access Control Entry Order, page 14-2
Access Control Implicit Deny, page 14-3
IP Addresses Used for Access Lists When You Use NAT, page 14-3
Where to Go Next, page 14-3

Access List Types

The ASA uses five types of access control lists:
Standard access lists—Identify the destination IP addresses of OSPF routes and can be used in a
route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control
traffic. For more information, see Chapter 17, “Adding a Standard Access List.”
Extended access lists—Use one or more access control entries (ACEs) in which you can specify the
line number at which to insert the ACE, the source and destination addresses, and, depending upon the ACE
type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). For more
information, see Chapter 15, “Adding an Extended Access List.”
EtherType access lists—Use one or more ACEs that specify an EtherType. For more information,
see Chapter 16, “Adding an EtherType Access List.”
Webtype access lists—Used in a configuration that supports filtering for clientless SSL VPN. For
more information, see Chapter 18, “Adding a Webtype Access List.”