34-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter34 Configuring Access Rules
Information About Access Rules
Information About EtherType Rules, page34-5
General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the
following topics:
Implicit Permits, page 34-2
Information About Interface Access Rules and Global Access Rules, page34-2
Using Access Rules and EtherType Rules on the Same Interface, page34-2
Implicit Deny, page34-3
Inbound and Outbound Rules, page34-3

Implicit Permits

For routed mode, the following types of traffic are allowed through by default:
IPv4 traffic from a higher security interface to a lower security interface.
IPv6 traffic from a higher security interface to a lower security interface.
For transparent mode, the following types of traffic are allowed through by default:
IPv4 traffic from a higher security interface to a lower security interface.
IPv6 traffic from a higher security interface to a lower security interface.
ARPs in both directions.
Note ARP traffic can be controlled by ARP inspection, but cannot be controlled by an access rule.
BPDUs in both directions.
For other traffic, you need to use either an extended access rule (IPv4), an IPv6 access rule (IPv6), or an
EtherType rule (non-IPv4/IPv6).

Information About Interface Access Rules and Global Access Rules

You can apply an access rule to a specific interface, or you can apply an access rule globally to all
interfaces. You can configure global access rules in conjunction with interface access rules, in which
case, the specific interface access rules are always processed before the general global access rules.
Note Global access rules apply only to inbound traffic. See the “Inbound and Outbound Rules” section on
page 34-3.

Using Access Rules and EtherType Rules on the Same Interface

You can apply one access rule and one EtherType rule to each direction of an interface.