7-3
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter7 Configuring Access Rules
Information About Access Rules
Rule Order
The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA
tests the packet against each rule in the order in which the rules are listed. After a match is found, no
more rules are checked. For example, if you create an access rule at the beginning that explicitly permits
all traffic for an interface, no further rules are ever checked. For more information, see the “Implicit
Deny” section on page7-3.
You can disable a rule by making it inactive.
Implicit Deny
ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass.
For example, if you want to allow all users to access a network through the ASA except for particular
addresses, then you need to deny the particular addresses and then permit all others.
For EtherType ACLs, the implicit deny at the end of the ACL does not affect IP traffic or ARPs; for
example, if you allow EtherType 8037, the implicit deny at the end of the ACL does not now block any
IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security
interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE,
then IP and ARP traffic is denied.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See
the following order of operations:
1. Interface access rule.
2. Global access rule.
3. Implicit deny.
Using Remarks
In the ASDM access rule window, a remark that displays next to the rule is the one that was configured
before the rule, so when you configure a remark from the CLI and then view it in an AS DM access rule
window, the remark displays next to the rule that was configured after the remark in the CLI. However,
the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI.
NAT and Access Rules
Access rules always use the real IP addresses when determining an access rule match, even if you
configure NAT. For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly
routable IP address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to
access the inside server needs to reference the server’s real IP address (10.1.1.5), and not the mapped
address (209.165.201.5).
Inbound and Outbound Rules
The ASA supports two types of ACLs:
Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are
always inbound.
Outbound—Outbound ACLs apply to traffic as it exits an interface.