Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 14
Information About Access Lists
Cisco ASAs provide basic traffic filtering capabilities with access lists, which control access in your network by preventing certain traffic from entering or exiting. This chapter describes access lists and shows how to add them to your network configuration.

Access lists are made up of one or more access control entries (ACEs). An ACE is a single entry in an access list that specifies a permit or deny rule (to forward or drop the packet) and is applied to a protocol, to a source and destination IP address or network, and, optionally, to the source and destination ports. Access lists can be configured for all routed and network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.
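The ACE fields described above, as an added example that is not from the guide: a small Python evaluator that parses constructed ASA-style extended ACEs and applies them in configuration order, first match wins, with the implicit deny that the chapter's later sections cover. The names SAMPLE_ACL, parse_acl and evaluate are assumptions of this example, and it handles only IPv4, subnet masks and numeric `eq` destination ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: ASA-style extended ACEs in the order they are configured.
SAMPLE_ACL = """
access-list OUTSIDE_IN extended deny tcp host 203.0.113.7 any eq 22
access-list OUTSIDE_IN extended permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.10 eq 443
access-list OUTSIDE_IN extended permit icmp any any
"""

@dataclass
class ACE:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # destination port from "eq N", None when absent

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # ASA ACEs use a subnet mask (not a wildcard); strict=False tolerates host bits.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text, name):
    """Return the ACEs of access list `name` in configuration order (only numeric 'eq' ports)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"]:
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        aces.append(ACE(action, proto, src, dst, dport))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE decides; a packet matching nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every access list

ACL = parse_acl(SAMPLE_ACL, "OUTSIDE_IN")
```

Reordering the two tcp ACEs in SAMPLE_ACL changes the verdict for port 22 from the denied host, which is the ordering pitfall the next section is about.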
Access lists are used in a variety of features. If your feature uses Modular Policy Framework, you can use an access list to identify traffic within a traffic class map. For more information on Modular Policy Framework, see Chapter 32, “Configuring a Service Policy Using the Modular Policy Framework.”
This chapter includes the following sections:
• Access Control Entry Order, page 14-2
• Access Control Implicit Deny, page 14-3
• IP Addresses Used for Access Lists When You Use NAT, page 14-3
Access List Types
The ASA uses five types of access control lists:
• Standard access lists—Identify the destination IP addresses of OSPF routes and can be used in a route map for OSPF redistribution. Standard access lists cannot be applied to interfaces to control traffic. For more information, see Chapter 17, “Adding a Standard Access List.”
• Extended access lists—Use one or more access control entries (ACEs) in which you can specify the line number at which to insert the ACE, the source and destination addresses, and, depending upon the ACE type, the protocol, the ports (for TCP or UDP), or the ICMP type (for ICMP). For more information, see Chapter 15, “Adding an Extended Access List.”
• EtherType access lists—Use one or more ACEs that specify an EtherType. For more information, see Chapter 16, “Adding an EtherType Access List.”
• Webtype access lists—Used in a configuration that supports filtering for clientless SSL VPN. For more information, see