Cisco ASA Series CLI Configuration Guide, page 1-3
Chapter 1: Information About Access Lists

Access Control Implicit Deny
All access lists have an implicit deny statement at the end, so unless you explicitly permit traffic to pass,
it will be denied. For example, if you want to allow all users to access a network through the ASA except
for one or more particular addresses, then you need to deny those particular addresses and then permit
all others.
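To make the ordering point concrete, the following added example (not from the Cisco guide) simulates first-match evaluation with the implicit deny for a small, constructed subset of ASA extended ACE syntax (IP protocol only, with any/host/dotted-mask addresses); the list name INSIDE_IN and the addresses are made up. It also flags ACEs that are shadowed by an earlier, broader ACE, which is what happens when the permit-any is placed before the specific deny.

```python
import ipaddress

# Constructed parser for a subset of ASA extended ACEs:
# access-list NAME extended {permit|deny} ip <src> <dst>
# where <src>/<dst> is "any", "host A.B.C.D", or "A.B.C.D MASK".
def _parse_addr(tokens, i):
    """Return (network, next_token_index) for one address field."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted netmask form, e.g. "10.1.1.0 255.255.255.0"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(lines):
    """Parse ACE lines in configured order into (action, src_net, dst_net) tuples."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append((t[3], src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # the implicit deny at the end of every access list

def shadowed(aces):
    """Indexes of ACEs that can never match because an earlier ACE fully covers them."""
    out = []
    for i, (_, s, d) in enumerate(aces):
        if any(s.subnet_of(ps) and d.subnet_of(pd) for _, ps, pd in aces[:i]):
            out.append(i)
    return out

# Constructed sample: block one inside host, allow everyone else (correct order).
GOOD = [
    "access-list INSIDE_IN extended deny ip host 10.1.1.5 any",
    "access-list INSIDE_IN extended permit ip any any",
]
# Same ACEs reversed: the permit-any matches first, so the deny is unreachable.
BAD = list(reversed(GOOD))
```

With an empty list, evaluate() returns "deny" for every flow, which is the implicit deny on its own; with BAD, shadowed() reports the deny ACE as unreachable.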
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
then block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
IP Addresses Used for Access Lists When You Use NAT
For the following features, you should always use the real IP address in the access list when you use
NAT, even if the address as seen on an interface is the mapped address:
• access-group command
• Modular Policy Framework match access-list command
• Botnet Traffic Filter dynamic-filter enable classify-list command
• AAA aaa ... match commands
• WCCP wccp redirect-list group-list command
The following features use access lists, but these access lists use the mapped values as seen on an
interface:
• IPsec access lists
• capture command access lists
• Per-user access lists
• Routing protocols
• All other features...
Where to Go Next
For information about implementing access lists, see the following chapters in this guide:
• Chapter 1, “Adding an Extended Access Control List”
• Chapter 1, “Adding an EtherType Access List”
• Chapter 1, “Adding a Standard Access Control List”
• Chapter 1, “Adding a Webtype Access Control List”
• Chapter 1, “Configuring Access Rules”