Rule Order; Implicit Permits - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 4
Access Rules
Figure 4-1 (network diagram; labels recovered from the page): the inside, HR, and Eng interfaces sit behind the ASA, each with an inbound ACL that permits from any to any and a host with a static NAT (10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6, and 10.1.3.34 to 209.165.201.8). The outside interface carries an outbound ACL that permits HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to the web server 209.165.200.225 and denies all others.

See the following commands for this example:

hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside

Rule Order

The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA
tests the packet against each rule in the order in which the rules are listed in the applied ACL. After a
match is found, no more rules are checked. For example, if you create an access rule at the beginning
that explicitly permits all traffic for an interface, no further rules are ever checked.

Implicit Permits

For routed mode, the following types of traffic are allowed through by default:

Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface.
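The following is an added example, not code from the Cisco guide: a small Python model of the access-rule behaviour described in the Rule Order and Implicit Permits sections. It parses a subset of the access-list syntax shown on this page (host/any addresses, ip/tcp/udp, optional eq PORT), evaluates a packet against the rules in list order and stops at the first match, falls through to the implicit deny at the end of an applied ACL, reports rules that an earlier rule makes unreachable (the permit-all-first case the text warns about), and models the routed-mode implicit permit when no ACL is applied. The three OUTSIDE rules are copied from the page; the helper names, the permit-all rule, the security levels and the sample packets are constructed for the example.

```python
"""Added example, not code from the Cisco guide: a model of ASA access-rule
evaluation for the access-list lines shown on this page.  Rule names other than
OUTSIDE, helper names, security levels and sample packets are constructed here."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # IPv4 address or "any"
    dst: str              # IPv4 address or "any"
    dport: Optional[int]  # None = any destination port


WELL_KNOWN = {"www": 80, "http": 80, "https": 443, "ssh": 22}


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line.
    The 'hostname(config)#' prompt shown on the page is tolerated and stripped."""
    t = line.replace("hostname(config)#", "").split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported syntax: {line!r}")
    name, action, proto = t[1], t[3], t[4]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported action/protocol: {line!r}")
    i = 5

    def address() -> str:
        nonlocal i
        if i + 1 < len(t) and t[i] == "host":   # 'host A.B.C.D'
            value = t[i + 1]
            i += 2
            return value
        if i < len(t) and t[i] == "any":        # 'any'
            i += 1
            return "any"
        raise ValueError(f"unsupported address form in {line!r}")

    src, dst = address(), address()
    dport = None
    if i < len(t):                              # optional 'eq PORT' for tcp/udp only
        if proto == "ip" or t[i] != "eq" or len(t) != i + 2:
            raise ValueError(f"unsupported trailer in {line!r}")
        dport = WELL_KNOWN.get(t[i + 1]) or int(t[i + 1])
    return Rule(name, action, proto, src, dst, dport)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """Does this single rule match the packet (proto, src, dst, dport)?"""
    return ((rule.proto == "ip" or rule.proto == proto)
            and rule.src in ("any", src)
            and rule.dst in ("any", dst)
            and (rule.dport is None or rule.dport == dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation in list order: return (action, index) of the first
    matching rule; ("deny", None) means the packet fell off the end of the ACL
    and hit the implicit deny."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "deny", None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet `later` could match is already matched by `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and earlier.src in ("any", later.src)
            and earlier.dst in ("any", later.dst)
            and (earlier.dport is None or earlier.dport == later.dport))


def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never be the first match because an earlier rule
    covers everything they match; such rules are dead whatever their action."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


def default_decision(from_level: int, to_level: int) -> str:
    """Routed mode with no ACL applied in this direction: unicast traffic from a
    higher to a lower security level is permitted by default (as the page states);
    treating the reverse direction as denied is this model's assumption."""
    return "permit" if from_level > to_level else "deny"


# The three OUTSIDE rules from the page, and a constructed list that puts a
# permit-everything rule first so the page's rules become unreachable.
PAGE_OUTSIDE = [parse_rule(l) for l in (
    "hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www",
    "hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www",
    "hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www",
)]
PERMIT_ALL_FIRST = [parse_rule("access-list OUTSIDE extended permit ip any any")] + PAGE_OUTSIDE

if __name__ == "__main__":
    print(evaluate(PAGE_OUTSIDE, "tcp", "10.1.3.34", "209.165.200.225", 80))   # ('permit', 2)
    print(evaluate(PAGE_OUTSIDE, "tcp", "10.1.3.34", "209.165.200.225", 443))  # ('deny', None)
    print(unreachable_rules(PERMIT_ALL_FIRST))                                  # [1, 2, 3]
    print(default_decision(100, 0), default_decision(0, 100))                   # permit deny
```

The unreachable_rules check is the audit a practitioner wants before applying an ACL: a rule that reports as unreachable never affects a forwarding decision, so a broad permit placed ahead of specific rules silently voids them, exactly the situation the Rule Order paragraph describes.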
