ACL logic, please confirm.

On an ASA 5525...

"access-list inside_in extended permit tcp host 172.16.0.2 host 1.1.1.1 eq 2222"

Is the following a true statement?... "Host 172.16.0.2 using source port 5678 and destination port 2222 will be able to send, and during this same session receive, sftp traffic to and from remote host 1.1.1.1 ."

Thank you.

7 Replies

This probably belongs here: https://community.cisco.com/t5/network-security/bd-p/discussions-network-security

But yes; source = 172.16.0.2, destination = 1.1.1.1, destination port = TCP/2222, permit

Accepted solution: @jmaxwellUSAF yes, and assuming the correct direction and interface is configured - "access-group inside_in in interface inside"

I only ask the basic question below because ASAs differ from other Cisco devices, and also the below config already exists in this active production ASA 5525...

"access-list inside_in extended permit ip any any
access-list inside_in extended permit tcp host 172.16.1.5 any eq 2222
access-list inside_in extended permit tcp host 172.16.1.5 any eq ssh
access-list inside_in extended permit tcp host 172.16.1.6 any eq ssh
access-list inside_in extended deny tcp any any eq ssh
access-list inside_in extended permit ip host 172.16.1.5 any"

Doesn't the line "access-list inside_in extended permit ip any any" make irrelevant the five lines below it?

Thank you.


Yes, all traffic from inside would match the first rule and never match the more specific rules below.

Hi Rob.

May you also please answer these two questions?

1. "access-list inside_in extended deny tcp any any eq domain"-- Does this mean any elements that use tcp with a domain instead of an IP address will be blocked by the ACL?

2. "access-list inside_in extended deny tcp any any range 137 netbios-ssn"-- What does "range 137 netbios-ssn" mean?

Thank you.

@jmaxwellUSAF no, "domain" is the name for DNS over TCP on port 53. So that rule is denying any traffic on tcp/53.

"netbios-ssn" is udp/139 - so essentially that's a range of 137-139

To check the ACL, do
show access-list <<- then check the hitcnt.
hitcnt will give a fast review of whether the ACL permits/denies any traffic.
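The two points the thread settles, first-match ordering (a "permit ip any any" at the top shadows everything under it) and how "eq domain" / "range 137 netbios-ssn" resolve to port numbers, can be checked offline with a small evaluator. The following is an added example written for this thread, not code from the original posts or from Cisco: it parses the ACEs quoted above, resolves the ASA port keywords the thread mentions (the PORT_NAMES table is a constructed subset), evaluates a flow against the ACL with first-match semantics and an implicit deny, and reports which entries can never be hit because an earlier entry fully covers them. It models only the initial packet of a connection; the return traffic in the original question is handled by the ASA's stateful connection table, not by the ACL, and on a live box the hitcnt from "show access-list" remains the ground truth.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASA port keywords used in the thread (constructed subset; the ASA knows many more).
PORT_NAMES = {"ssh": 22, "domain": 53, "netbios-ns": 137, "netbios-ssn": 139}


@dataclass
class Ace:
    action: str                          # "permit" or "deny"
    proto: str                           # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[int, int]]     # inclusive (low, high); None = any port


def _port(tok: str) -> int:
    """Resolve an ASA port keyword such as 'domain', or a numeric port."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq P | range A B]'."""
    toks = line.strip().strip('"').split()
    if toks[:1] != ["access-list"] or toks[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    action, proto, i = toks[3], toks[4], 5
    nets = []
    for _ in range(2):                   # source, then destination
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32")); i += 2
        else:                            # "network mask" form, e.g. 172.16.0.0 255.255.0.0
            nets.append(ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)); i += 2
    dport = None
    if i < len(toks) and toks[i] == "eq":
        p = _port(toks[i + 1]); dport = (p, p)
    elif i < len(toks) and toks[i] == "range":
        dport = (_port(toks[i + 1]), _port(toks[i + 2]))
    return Ace(action, proto, nets[0], nets[1], dport)


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    """Does a single packet (initial packet of a flow) match this ACE?"""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ipaddress.ip_address(src) not in ace.src or ipaddress.ip_address(dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport[0] <= dport <= ace.dport[1]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int):
    """First match wins; an ASA ACL ends with an implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if matches(ace, proto, src, dst, dport):
            return ace.action, idx
    return "deny", None


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet that matches b would already have matched a."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    if not b.src.subnet_of(a.src) or not b.dst.subnet_of(a.dst):
        return False
    if a.dport is None:
        return True
    return b.dport is not None and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of ACEs that can never be hit because an earlier ACE covers them."""
    return [i for i, b in enumerate(acl) if any(covers(a, b) for a in acl[:i])]


# The ACL quoted in the thread, in the order it exists on the poster's ASA.
THREAD_ACL = [parse_ace(l) for l in """
access-list inside_in extended permit ip any any
access-list inside_in extended permit tcp host 172.16.1.5 any eq 2222
access-list inside_in extended permit tcp host 172.16.1.5 any eq ssh
access-list inside_in extended permit tcp host 172.16.1.6 any eq ssh
access-list inside_in extended deny tcp any any eq ssh
access-list inside_in extended permit ip host 172.16.1.5 any
""".strip().splitlines()]

# Constructed contrast: the same six entries with the catch-all moved to the end.
REORDERED_ACL = THREAD_ACL[1:] + THREAD_ACL[:1]

if __name__ == "__main__":
    print("shadowed in thread ACL:", shadowed(THREAD_ACL))          # [1, 2, 3, 4, 5]
    print("shadowed after reorder:", shadowed(REORDERED_ACL))       # []
    print("range 137 netbios-ssn ->",
          parse_ace("access-list inside_in extended deny tcp any any range 137 netbios-ssn").dport)
    print("ssh from 172.16.1.9:", evaluate(REORDERED_ACL, "tcp", "172.16.1.9", "10.0.0.1", 22))
```

With the catch-all first, every other entry is reported as shadowed, which is exactly why the "deny tcp any any eq ssh" line never blocks anything on the poster's box; with the catch-all last, the host-specific permits are reached and the SSH deny applies to everyone else.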
