37-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter37 Configuring Access Rules
Information About Access Rules
Rule Order
The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA
tests the packet against each rule in the order in which the rules are listed. After a match is found, no
more rules are checked. For example, if you create an access rule at the beginning that explicitly permits
all traffic for an interface, no further rules are ever checked.
You can disable a rule by making it inactive.
Implicit Deny
Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the ASA except for
particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See
the following order of operations:
1. Interface access rule.
2. Global access rule.
3. Implicit deny.
Using Remarks
In the ASDM access rule window, a remark that displays next to the rule is the one that was configured
before the rule, so when you configure a remark from the CLI and then view it in an AS DM access rule
window, the remark displays next to the rule that was configured after the remark in the CLI. However,
the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI.
Inbound and Outbound Rules
The ASA supports two types of access rules:
Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are
always inbound.
Outbound—Outbound access rules apply to traffic as it exits an interface.
Note “Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to
the movement of traffic from a lower security interface to a higher security interface, commonly known
as inbound, or from a higher to lower interface, commonly known as outbound.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts.
(See Figure37-1.) The outbound access list prevents any other hosts from reaching the outside network.