34-3
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter34 Configuring Access Rules
Information About Access Rules
Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the ASA except for
particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See
the following order of operations:
1. Interface access rule.
2. Global access rule.
3. Implicit deny.
Inbound and Outbound Rules
The ASA supports two types of access rules:
Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are
always inbound.
Outbound—Outbound access rules apply to traffic as it exits an interface.
Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to
the movement of traffic from a lower security interface to a higher security interface, commonly known
as inbound, or from a higher to lower interface, commonly known as outbound.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts.
(See Figure34-1.) The outbound access list prevents any other hosts from reaching the outside network.