14-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 14 Information About Access Lists
The order of ACEs is important. When the ASA decides whether to forward or to drop a packet, the ASA
tests the packet against each ACE in the order in which the entries are listed. After a match is found, no
more ACEs are checked. For example, if you create an ACE at the beginning of an access list that
explicitly permits all traffic, no further statements are checked, and the packet is forwarded.
Access Control Implicit Deny
All access lists have an implicit deny statement at the end, so unless you explicitly permit traffic to pass,
it will be denied. For example, if you want to allow all users to access a network through the ASA except
for one or more particular addresses, then you need to deny those particular addresses and then permit
all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
then block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
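The first-match rule and the implicit deny described in the two sections above can be modelled to show why the deny-then-permit ordering matters. The following is an added illustration, not code from the Cisco guide; the Ace class, the constructed access lists and the shadowed() check are assumptions for this example, and it ignores protocol and port fields.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Ace:
    """One access control entry: action plus source/destination networks (constructed model)."""
    action: str   # "permit" or "deny"
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"

def _net(spec: str):
    # "any" corresponds to the whole IPv4 space
    return ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def matches(ace: Ace, src_ip: str, dst_ip: str) -> bool:
    return ip_address(src_ip) in _net(ace.src) and ip_address(dst_ip) in _net(ace.dst)

def evaluate(acl: list, src_ip: str, dst_ip: str) -> str:
    """Test the packet against each ACE in order; the first match decides.
    If nothing matches, the implicit deny at the end of the list applies."""
    for ace in acl:
        if matches(ace, src_ip, dst_ip):
            return ace.action
    return "deny"

def shadowed(acl: list) -> list:
    """Return indexes of ACEs that can never be reached because an earlier ACE
    already covers their whole source and destination range (a useful review check)."""
    unreachable = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if (_net(ace.src).subnet_of(_net(earlier.src))
                    and _net(ace.dst).subnet_of(_net(earlier.dst))):
                unreachable.append(i)
                break
    return unreachable

# Constructed sample lists (addresses are documentation/private ranges, not real hosts)
DENY_THEN_PERMIT = [Ace("deny", "10.1.1.5/32", "any"), Ace("permit", "any", "any")]
PERMIT_FIRST = [Ace("permit", "any", "any"), Ace("deny", "10.1.1.5/32", "any")]
PERMIT_ONE_NET = [Ace("permit", "10.1.1.0/24", "any")]

if __name__ == "__main__":
    print(evaluate(DENY_THEN_PERMIT, "10.1.1.5", "192.0.2.10"))   # deny: the exception is hit first
    print(evaluate(PERMIT_FIRST, "10.1.1.5", "192.0.2.10"))       # permit: the deny is never checked
    print(shadowed(PERMIT_FIRST))                                 # [1]: the deny ACE is unreachable
    print(evaluate(PERMIT_ONE_NET, "172.16.0.9", "192.0.2.10"))   # deny: implicit deny at the end
```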
IP Addresses Used for Access Lists When You Use NAT
For the following features, you should always use the real IP address in the access list when you use
NAT, even if the address as seen on an interface is the mapped address:
- access-group command
- Modular Policy Framework match access-list command
- Botnet Traffic Filter dynamic-filter enable classify-list command
- AAA aaa ... match commands
- WCCP wccp redirect-list group-list command
The following features use access lists, but these access lists use the mapped values as seen on an
interface:
- IPsec access lists
- capture command access lists
- Per-user access lists
- Routing protocols
- All other features...
Where to Go Next
For information about implementing access lists, see the following chapters in this guide:
Chapter 15, “Adding an Extended Access List”
Chapter 16, “Adding an EtherType Access List”