Implicit deny

tech_gubby
Level 1

Could anyone please answer the below:

  1. What is implicit deny?
  2. Why do I have to use it in ASA?
  3. However, if there is no ACL configured to allow traffic from a lower to a higher security zone in ASA, then why do I have to configure implicit deny in ASA?
  4. What happens if the implicit deny is removed in ASA?

Thank you !!

1 Reply

Hi,
Only traffic explicitly permitted should be allowed to pass through the firewall; there is always an implicit deny at the end of an ASA access list for the traffic that hasn't been permitted.

You need an ACL to pass traffic from a lower (outside) security level to a higher (inside) security level; it is denied by default. You would create the ACL and then permit only the traffic you want. The implicit deny rule would always be the last rule processed; you don't need to define it, otherwise that would be an explicit deny.

You can't technically remove an implicit deny; all you can do is define a permit ip any any rule, which would permit all traffic. That's not what you want to do, especially if it's a perimeter firewall protecting the local network from the internet.

HTH
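A worked ASA configuration illustrating the reply above, added here as an example; it is not from the original post or its author. The interface names and addresses, the object name WEB_SERVER and the ACL name OUTSIDE_IN are assumptions chosen for the example, and the syntax assumes ASA 8.3 or later, where access lists reference the real (pre-NAT) address of an object. The first ACL permits only the two services that must be reachable from the lower-security interface and lets the implicit deny drop everything else; the commented-out line at the end shows the "permit ip any any" entry the reply warns against, which is the only way to effectively remove the implicit deny.

```text
! Assumed interfaces: outside (security-level 0) and inside (security-level 100)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Assumed internal host published to the outside (ASA 8.3+ object NAT)
object network WEB_SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
!
! Correct: permit only the traffic that must flow from the lower (outside)
! to the higher (inside) security level. Anything not matched by these two
! entries falls through to the implicit deny at the end of the list.
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB_SERVER eq 80
!
! Optional explicit deny: matches the same traffic the implicit deny would,
! but gives you a hit counter in "show access-list" and a syslog per drop.
access-list OUTSIDE_IN extended deny ip any any log
!
! Apply the list inbound on the outside interface
access-group OUTSIDE_IN in interface outside
!
! WRONG: this is what "removing the implicit deny" amounts to. Appending it
! to the list opens every port on every inside host to the internet.
! access-list OUTSIDE_IN extended permit ip any any
!
! Verify which entry each packet is hitting:
! show access-list OUTSIDE_IN
```

The hit counters shown by "show access-list" are the quickest way to confirm that unwanted traffic is being dropped by the deny entry rather than matched by an overly broad permit above it; entries are evaluated top down and the first match wins, so an "any any" permit anywhere above the specific entries has the same effect as putting it at the end.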