General information about rules, Implicit permits – Cisco ASA 5505 User Manual


34-2

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 34 Configuring Access Rules

Information About Access Rules

Information About EtherType Rules, page 34-5

General Information About Rules

This section covers behavior that applies to both access rules and EtherType rules, and it includes the
following topics:

Implicit Permits, page 34-2

Information About Interface Access Rules and Global Access Rules, page 34-2

Using Access Rules and EtherType Rules on the Same Interface, page 34-2

Implicit Deny, page 34-3

Inbound and Outbound Rules, page 34-3

Implicit Permits

For routed mode, the following types of traffic are allowed through by default:

IPv4 traffic from a higher security interface to a lower security interface.

IPv6 traffic from a higher security interface to a lower security interface.

For transparent mode, the following types of traffic are allowed through by default:

IPv4 traffic from a higher security interface to a lower security interface.

IPv6 traffic from a higher security interface to a lower security interface.

ARPs in both directions.

Note

ARP traffic can be controlled by ARP inspection (a transparent-mode feature), but it cannot be controlled by an access rule.

BPDUs in both directions.

For any other traffic, including traffic from a lower security interface to a higher security interface, you must
explicitly permit it with an extended access rule (IPv4), an IPv6 access rule (IPv6), or, in transparent mode, an
EtherType rule (non-IPv4/IPv6).
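The following is an added example, not configuration from the Cisco guide, showing the routed-mode behavior described above on an ASA running the 8.4 CLI. The interface names, addresses, access-list name and the packet-tracer flows are assumptions chosen for illustration: inside (security level 100) reaches outside (security level 0) through the implicit permit with no access rule at all, while outside-to-inside traffic is dropped unless an extended access rule permits it.

```cisco
! Added example (not from the Cisco guide). Interface names, addresses and
! the access-list name OUTSIDE_IN are assumptions.
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! No access-group is applied to "inside": inside (100) -> outside (0) is
! covered by the implicit permit, so hosts behind inside can open new
! connections outbound. The return traffic for those connections is
! allowed by stateful inspection, not by any access rule.
!
! outside (0) -> inside (100) has no implicit permit. Without an access
! rule on outside, every new inbound connection is dropped. Permit only
! HTTPS to one assumed server, and make the implicit deny explicit so the
! drops are logged.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Checks: trace an assumed permitted flow and an assumed blocked flow
! through the firewall, then read hit counts on the rule set.
packet-tracer input outside tcp 198.51.100.7 40000 192.168.1.10 443
packet-tracer input outside tcp 198.51.100.7 40000 192.168.1.20 22
show access-list OUTSIDE_IN
```

packet-tracer prints a phase-by-phase trace ending in a Result block; the ACCESS-LIST phase and the final Action line show whether the flow was permitted by OUTSIDE_IN or fell through to the deny entry, and show access-list reports how many packets each entry has matched. Note that the implicit permit is only about which direction may initiate a connection: an access-group applied inbound on inside would replace the implicit permit for that interface with the rules you write.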

Information About Interface Access Rules and Global Access Rules

You can apply an access rule to a specific interface, or you can apply an access rule globally to all
interfaces. You can configure global access rules in conjunction with interface access rules, in which
case the interface access rules are always processed before the global access rules. Rules are matched in order and the
first match wins, so a packet that is permitted or denied by an interface access rule is never evaluated against the
global access rules; a packet that matches no interface access rule is evaluated against the global access rules, and the
implicit deny is applied only after the global access rules have been processed.

Note

Global access rules apply only to inbound traffic. See the “Inbound and Outbound Rules” section on page 34-3.

Using Access Rules and EtherType Rules on the Same Interface

You can apply one access rule and one EtherType rule to each direction of an interface.
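The following added example (not configuration from the Cisco guide) puts the preceding three topics together on one transparent-mode ASA using the 8.4 bridge-group CLI: an interface access rule and a global access rule that are evaluated in that order for traffic entering outside, an EtherType rule applied in the same direction on the same interface, and ARP inspection standing in for the ARP control that an access rule cannot provide. The interface names, addresses, MAC address, access-list names and the chosen EtherTypes are assumptions.

```cisco
! Added example (not from the Cisco guide). Interface names, addresses,
! MAC address and the access-list names are assumptions.
!
firewall transparent
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
! 1) Interface access rule, applied inbound on outside. Evaluated first.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! 2) Global access rule. Only consulted for packets that match no entry
!    in the interface rule on the ingress interface, and only for inbound
!    traffic. Because it applies on every interface, keep the permits
!    narrow; the explicit deny at the end logs everything that reaches it.
access-list GLOBAL_IN extended permit udp any any eq domain
access-list GLOBAL_IN extended deny ip any any log
access-group GLOBAL_IN global
!
! 3) EtherType rule on the same interface and direction as OUTSIDE_IN.
!    It governs the non-IPv4/IPv6 frames that extended rules never see.
!    BPDUs are permitted by default only when no EtherType rule is applied
!    inbound; with a "deny any" at the end they must be permitted explicitly
!    or spanning tree across the bridge breaks.
access-list ETH_IN ethertype permit bpdu
access-list ETH_IN ethertype permit ipx
access-list ETH_IN ethertype deny any
access-group ETH_IN in interface outside
!
! 4) ARP is not subject to any of the lists above. Pin the server's MAC
!    and drop ARP packets on inside that match no static entry.
arp inside 192.168.1.10 0011.2233.4455
arp-inspection inside enable no-flood
!
! Checks
show access-list
show arp-inspection
```

Tracing the evaluation order for frames entering outside: an HTTPS connection to 192.168.1.10 matches OUTSIDE_IN and is permitted without reaching GLOBAL_IN; a DNS query to an inside host matches nothing in OUTSIDE_IN, falls through to GLOBAL_IN and is permitted there; an SSH connection to an inside host matches nothing in OUTSIDE_IN, reaches the deny entry in GLOBAL_IN and is logged and dropped. An IPX frame is never compared with either extended list; it is handled by ETH_IN alone. Because only one access rule and one EtherType rule may be applied per direction on an interface, a second access-group in the same direction on outside would replace OUTSIDE_IN rather than add to it.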
