Access control implicit deny, Where to go next – Cisco ASA 5505 User Manual

14-3

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 14 Information About Access Lists

Access Control Entry Order

The order of ACEs is important. When the ASA decides whether to forward or to drop a packet, the ASA
tests the packet against each ACE in the order in which the entries are listed. After a match is found, no
more ACEs are checked. For example, if you create an ACE at the beginning of an access list that
explicitly permits all traffic, no further statements are checked, and the packet is forwarded.

Access Control Implicit Deny

All access lists have an implicit deny statement at the end, so unless you explicitly permit traffic to pass,
it will be denied. For example, if you want to allow all users to access a network through the ASA except
for one or more particular addresses, then you need to deny those particular addresses and then permit
all others.

For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
then block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
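The two rules above (first match wins, implicit deny at the end) are easy to get wrong when an access list is edited over time. The following added example, which is not code from the Cisco guide, models the first-match evaluation of a small set of ASA-style extended ACEs in Python and flags ACEs that an earlier entry fully shadows; the list name OUTSIDE_IN, the addresses and the ip-only protocol handling are constructed assumptions for the illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed ASA-style extended ACEs (hypothetical list name OUTSIDE_IN).
# The "deny specific addresses, then permit all others" pattern from the text.
# Only protocol "ip" with any / host A.B.C.D / NET MASK address specs is modelled.
ACL_TEXT = """
access-list OUTSIDE_IN extended deny ip host 192.0.2.10 any
access-list OUTSIDE_IN extended deny ip 198.51.100.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit ip any any
"""

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # NET MASK form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form: access-list NAME extended ACTION ip SRC DST."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        action = t[3]
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append((action, src, dst))
    return aces


def evaluate(aces: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """First match wins; no match at all falls through to the implicit deny (index None)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for idx, (action, src, dst) in enumerate(aces):
        if s in src and d in dst:
            return action, idx
    return "deny", None


def shadowed_aces(aces: List[Ace]) -> List[int]:
    """Indices of ACEs that can never match because an earlier ACE covers them completely."""
    shadowed = []
    for j, (_, sj, dj) in enumerate(aces):
        for _, si, di in aces[:j]:
            if sj.subnet_of(si) and dj.subnet_of(di):
                shadowed.append(j)
                break
    return shadowed
```

Running `shadowed_aces` over a list that starts with `permit ip any any` reports every later ACE as unreachable, which is the ordering mistake the text warns about.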

IP Addresses Used for Access Lists When You Use NAT

For the following features, you should always use the real IP address in the access list when you use
NAT, even if the address as seen on an interface is the mapped address:

access-group command

Modular Policy Framework match access-list command

Botnet Traffic Filter dynamic-filter enable classify-list command

AAA aaa ... match commands

WCCP wccp redirect-list group-list command

The following features use access lists, but these access lists use the mapped values as seen on an
interface:

IPsec access lists

capture command access lists

Per-user access lists

Routing protocols

All other features...

Where to Go Next

For information about implementing access lists, see the following chapters in this guide:

Chapter 15, “Adding an Extended Access List”

Chapter 16, “Adding an EtherType Access List”
