Cisco ASA Series CLI Configuration Manual page 557

Software version 9.0 for the services module
Chapter 1
Information About Access Lists
Access Control Implicit Deny
All access lists have an implicit deny statement at the end, so unless you explicitly permit traffic to pass,
it will be denied. For example, if you want to allow all users to access a network through the ASA except
for one or more particular addresses, then you need to deny those particular addresses and then permit
all others.
For EtherType access lists, the implicit deny at the end of the access list does not affect IP traffic or
ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the access list does not
now block any IP traffic that you previously allowed with an extended access list (or implicitly allowed
from a high security interface to a low security interface). However, if you explicitly deny all traffic with
an EtherType ACE, then IP and ARP traffic is denied.
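The "deny particular addresses, then permit all others" case described above, shown as an added configuration example that is not part of the original guide. The access list name INSIDE_OUT, the interface name inside, and all addresses are assumptions chosen for illustration.

```cisco
! Constructed example; names and addresses are assumptions.
!
! Incomplete version: only the deny ACEs are configured. Once an access list
! is applied to the inside interface, the implicit permit from a high security
! interface to a low security interface no longer applies, and the implicit
! deny at the end of the list drops traffic from every other inside host too.
access-list INSIDE_OUT extended deny ip host 10.1.1.50 any
access-list INSIDE_OUT extended deny ip host 10.1.1.51 any
access-group INSIDE_OUT in interface inside
!
! Corrected version: add an explicit permit after the specific denies.
! ACEs are evaluated top-down and the first match wins, so the two hosts
! are still blocked and everything else is permitted. A new ACE entered
! without a line number is appended to the end of the list.
access-list INSIDE_OUT extended permit ip any any
!
! Verification (privileged EXEC mode): check the order and hit counts of the
! ACEs, then trace one flow that should be dropped and one that should pass.
show access-list INSIDE_OUT
packet-tracer input inside tcp 10.1.1.50 1025 198.51.100.20 80
packet-tracer input inside tcp 10.1.1.60 1025 198.51.100.20 80
```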
IP Addresses Used for Access Lists When You Use NAT
For the following features, you should always use the real IP address in the access list when you use
NAT, even if the address as seen on an interface is the mapped address:
• access-group command
• Modular Policy Framework match access-list command
• Botnet Traffic Filter dynamic-filter enable classify-list command
• AAA aaa ... match commands
• WCCP wccp redirect-list group-list command
The following features use access lists, but these access lists use the mapped values as seen on an
interface:
• IPsec access lists
• capture command access lists
• Per-user access lists
• Routing protocols
• All other features...
Where to Go Next
For information about implementing access lists, see the following chapters in this guide:
• Chapter 1, "Adding an Extended Access Control List"
• Chapter 1, "Adding an EtherType Access List"
• Chapter 1, "Adding a Standard Access Control List"
• Chapter 1, "Adding a Webtype Access Control List"
• Chapter 1, "Configuring Access Rules"
Cisco ASA Series CLI Configuration Guide