Cisco ASA 5505 Configuration Manual page 635
Chapter 30
Configuring Access Rules
Implicit Deny
Interface-specific access rules do not have an implicit deny at the end, but global rules on inbound traffic
do have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For
example, if you want to allow all users to access a network through the adaptive security appliance
except for particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType rules, the implicit deny does not affect IPv4 or IPv6 traffic or ARPs; for example, if you
allow EtherType 8037 (the EtherType for IPX), the implicit deny at the end of the list does not block any
IP traffic that you previously allowed with an access rule (or implicitly allowed from a high security
interface to a low security interface). However, if you explicitly deny all traffic with an EtherType rule,
then IP and ARP traffic is denied.
Inbound and Outbound Rules
The adaptive security appliance supports two types of access lists:
Inbound—Inbound access lists apply to traffic as it enters an interface.
Outbound—Outbound access lists apply to traffic as it exits an interface.
Note "Inbound" and "outbound" refer to the application of an access list on an interface, either to traffic
entering the adaptive security appliance on an interface or traffic exiting the adaptive security appliance
on an interface. These terms do not refer to the movement of traffic from a lower security interface to a
higher security interface, commonly known as inbound, or from a higher to lower interface, commonly
known as outbound.
An inbound access list can be bound to a specific interface or applied as a global rule on all
interfaces. For more information about global rules, see the "Using Global Access Rules" section on
page 30-4.
An outbound access list is useful, for example, if you want to allow only certain hosts on the inside
networks to access a web server on the outside network. Rather than creating multiple inbound access
lists to restrict access, you can create a single outbound access list that allows only the specified hosts.
(See Figure 30-1.) The outbound access list prevents any other hosts from reaching the outside network.
Information About Access Rules 30-3
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
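The three behaviours described above (ordered first-match evaluation with an implicit deny at the end of the list, an outbound list that admits only named hosts, and the EtherType implicit deny leaving IPv4/IPv6/ARP to the IP rules) can be seen in a small evaluator. This is an added illustration written for this page, not code from Cisco's guide or from ASDM; it is a simplified model (source/destination prefixes only, no protocol or port matching, and no interface-versus-global distinction) and every address, EtherType list and rule set in it is a constructed sample.

```python
"""Toy first-match model of ASA-style access rules (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# EtherTypes the guide says the EtherType implicit deny does not affect:
# IPv4 (0x0800), IPv6 (0x86DD) and ARP (0x0806). The IP access rules decide their fate.
IP_OR_ARP = {0x0800, 0x86DD, 0x0806}


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # CIDR prefix or "any"
    dst: str     # CIDR prefix or "any"


def _matches(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix, strict=False)


def evaluate(rules: list, src: str, dst: str) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return rule.action
    return "deny"  # implicit deny at the end of the list


def evaluate_ethertype(rules: list, ethertype: int) -> str:
    """EtherType list: 'any' or an exact EtherType matches; only an explicit deny stops IP/ARP."""
    for action, etype in rules:
        if etype == "any" or etype == ethertype:
            return action
    if ethertype in IP_OR_ARP:
        return "pass-through"  # not dropped here; the IP access rules decide
    return "deny"  # implicit deny for every other EtherType


# Constructed sample addresses (private and RFC 5737 ranges), not taken from the guide.
EXCLUDED = ["10.1.1.5/32", "10.1.1.6/32"]

# Implicit Deny section: deny the particular addresses first, then permit everyone else.
DENY_SOME_THEN_PERMIT = [Rule("deny", a, "any") for a in EXCLUDED] + [Rule("permit", "any", "any")]

# Same rules in the wrong order: the permit shadows the denies because first match wins.
PERMIT_THEN_DENY_SOME = [Rule("permit", "any", "any")] + [Rule("deny", a, "any") for a in EXCLUDED]


def implicit_deny_demo() -> dict:
    return {
        "excluded_host": evaluate(DENY_SOME_THEN_PERMIT, "10.1.1.5", "192.0.2.10"),
        "other_host": evaluate(DENY_SOME_THEN_PERMIT, "10.1.1.7", "192.0.2.10"),
        "excluded_host_wrong_order": evaluate(PERMIT_THEN_DENY_SOME, "10.1.1.5", "192.0.2.10"),
        "empty_list": evaluate([], "10.1.1.7", "192.0.2.10"),  # nothing permitted, so denied
    }


# Inbound and Outbound Rules section: a single outbound list on the outside interface that
# permits only two inside hosts to reach the outside web server; everyone else is implicitly denied.
WEB_SERVER = "203.0.113.80/32"
OUTSIDE_OUTBOUND = [Rule("permit", h, WEB_SERVER) for h in ("10.1.1.10/32", "10.1.1.11/32")]


def outbound_demo() -> dict:
    return {
        "allowed_host": evaluate(OUTSIDE_OUTBOUND, "10.1.1.10", "203.0.113.80"),
        "other_host": evaluate(OUTSIDE_OUTBOUND, "10.1.1.50", "203.0.113.80"),
    }


# EtherType list that permits IPX (0x8037) and lists nothing else.
IPX_ONLY = [("permit", 0x8037)]


def ethertype_demo() -> dict:
    return {
        "ipx": evaluate_ethertype(IPX_ONLY, 0x8037),
        "ipv4_not_listed": evaluate_ethertype(IPX_ONLY, 0x0800),  # left to the IP access rules
        "other_not_listed": evaluate_ethertype(IPX_ONLY, 0x8863),  # PPPoE discovery: implicit deny
        "ipv4_explicit_deny_any": evaluate_ethertype([("deny", "any")], 0x0800),
    }


if __name__ == "__main__":
    print(implicit_deny_demo())
    print(outbound_demo())
    print(ethertype_demo())
```

The `excluded_host_wrong_order` entry is the case the guide warns about: with the permit placed first, the deny lines are never reached, so the exclusion silently fails. Reviewing rule order, rather than only rule presence, is the check to make when auditing an access list.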