Cisco Systems ASA 5585-X Manual De Usuario
6-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 6 Configuring Access Rules
Information About Access Rules
Implicit Deny
ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass.
For example, if you want to allow all users to access a network through the ASA except for particular
addresses, then you need to deny the particular addresses and then permit all others.
For example, if you want to allow all users to access a network through the ASA except for particular
addresses, then you need to deny the particular addresses and then permit all others.
For EtherType ACLs, the implicit deny at the end of the ACL does not affect IP traffic or ARPs; for
example, if you allow EtherType 8037, the implicit deny at the end of the ACL does not now block any
IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security
interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE,
then IP and ARP traffic is denied.
example, if you allow EtherType 8037, the implicit deny at the end of the ACL does not now block any
IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security
interface to a low security interface). However, if you explicitly deny all traffic with an EtherType ACE,
then IP and ARP traffic is denied.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See
the following order of operations:
the following order of operations:
1.
Interface access rule.
2.
Global access rule.
3.
Implicit deny.
Inbound and Outbound Rules
The ASA supports two types of ACLs:
•
Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are
always inbound.
always inbound.
•
Outbound—Outbound ACLs apply to traffic as it exits an interface.
Note
“Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering
the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the
movement of traffic from a lower security interface to a higher security interface, commonly known as
inbound, or from a higher to lower interface, commonly known as outbound.
the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the
movement of traffic from a lower security interface to a higher security interface, commonly known as
inbound, or from a higher to lower interface, commonly known as outbound.
An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks
to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict
access, you can create a single outbound ACL that allows only the specified hosts. (See
to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict
access, you can create a single outbound ACL that allows only the specified hosts. (See
outbound ACL prevents any other hosts from reaching the outside network.