is the security rule in asa 5520 follow the same style with the acl in cisco 3000 and 4000 series switch where always acl is having implicit deny(so after any deny of any type we have to put permit ip any any)
Yes there is an implicit deny ip any any at the end of an acl on the ASA.
The major difference between ASA/Pix acls and router acls is that the pix and asa use normal subnet masks whereas a router uses inverse masks so the router acl
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.5.0 0.0.0.255
would translate to
access-list outside_in permit ip 192,168.5.0 255.255.255.0 172.16.5.0 255.255.255.0
many many thanks for your reply. we are connecting client from inside zone (high security) to out side zone server(low security)by 3rd party (different vendor)ipsec in transport mode by routed mode ASA 5520. how can the client be connected to server by the same ipsec in transport mode by NAT in ASA 5520 if everything is allowed in the security rule? please keep in mind that the ipsec transport is between client and server.