Implicit Deny, Inbound and Outbound Rules – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 34 Configuring Access Rules

Information About Access Rules

Implicit Deny

Access lists have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot
pass. For example, if you want to allow all users to access a network through the ASA except for
particular addresses, then you need to deny the particular addresses and then permit all others.

For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.

If you configure a global access rule, then the implicit deny comes after the global rule is processed. See
the following order of operations:

1. Interface access rule.

2. Global access rule.

3. Implicit deny.
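
The order of operations above, modeled as an added Python example (it is not code from the Cisco guide or from the ASA). It assumes first-match evaluation within each access list; the function names, addresses and rules are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"

def first_match(rules, src, dst):
    """Return the action of the first ACE matching (src, dst), or None if none match."""
    for action, src_net, dst_net in rules:
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action
    return None

def evaluate(interface_rules, global_rules, src, dst):
    """Apply the documented order: interface rule, then global rule, then implicit deny."""
    for stage, rules in (("interface", interface_rules), ("global", global_rules)):
        action = first_match(rules, src, dst)
        if action is not None:
            return action, stage
    # Nothing matched explicitly, so the traffic cannot pass.
    return "deny", "implicit"

# Constructed rules: deny two particular hosts, then permit the rest of their subnet.
INTERFACE_RULES = [
    ("deny", "10.1.1.5/32", ANY),
    ("deny", "10.1.1.6/32", ANY),
    ("permit", "10.1.1.0/24", ANY),
]
# Constructed global rule: anyone may reach one server.
GLOBAL_RULES = [("permit", ANY, "192.0.2.10/32")]

if __name__ == "__main__":
    samples = [
        ("10.1.1.5", "192.0.2.10"),    # explicit interface deny wins over the global permit
        ("10.1.1.20", "198.51.100.7"), # permitted by the interface rule
        ("10.2.2.2", "192.0.2.10"),    # no interface match, permitted by the global rule
        ("10.2.2.2", "198.51.100.7"),  # no match anywhere, implicit deny
    ]
    for src, dst in samples:
        print(src, "->", dst, evaluate(INTERFACE_RULES, GLOBAL_RULES, src, dst))
    # Deny entries alone do not let the remaining hosts through.
    print(evaluate(INTERFACE_RULES[:2], [], "10.1.1.20", "198.51.100.7"))
```

The last call shows why the denies must be followed by a permit: without it, a host that is not on the deny list still falls through to the implicit deny.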

Inbound and Outbound Rules

The ASA supports two types of access rules:

Inbound—Inbound access rules apply to traffic as it enters an interface. Global access rules are
always inbound.

Outbound—Outbound access rules apply to traffic as it exits an interface.

Note

“Inbound” and “outbound” refer to the application of an access list on an interface, either to traffic
entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to
the movement of traffic from a lower security interface to a higher security interface, commonly known
as inbound, or from a higher to lower interface, commonly known as outbound.

An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts.
(See Figure 34-1.) The outbound access list prevents any other hosts from reaching the outside network.
