With Cisco ASA, all traffic from a higher security level interface to a lower security level interface is allowed by default. ACLs therefore let us either permit traffic arriving on a lower security level interface OR restrict traffic leaving through a higher security level interface.
Before configuring interface access control on your ASA you need to answer the following question: which hosts are allowed to communicate with each other, using which specific applications, through the ASA?
Things to know:
- When a packet arrives at an ASA interface, it either must match an existing session (existing sessions are kept in the state table, also called the connection table), or it is compared against the inbound security policy applied to that interface.
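The two cases described above, as an added example that is not part of the original page: one ACL permits only HTTPS from the lower security outside interface to a DMZ web server, and a second ACL restricts what the higher security inside network may reach. It assumes three interfaces (outside = 0, dmz = 50, inside = 100), ASA 8.3 or later (ACLs reference real, un-NATed addresses), and constructed addresses and object names.

```cisco
! Added example, not from the original page. Interface names, security
! levels, addresses and the object name are assumptions for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
object network dmz-web
 host 192.0.2.10
!
! Case 1: lower -> higher is denied by default. Permit only HTTPS to the
! DMZ web server; everything else falls through to the implicit deny.
! The explicit deny is there only to log what was dropped.
access-list outside_in extended permit tcp any object dmz-web eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Case 2: higher -> lower is allowed by default. Applying an ACL replaces
! that "allow everything" behaviour with an implicit deny, so every
! service the inside network needs must be listed.
access-list inside_out extended permit udp 10.0.0.0 255.255.255.0 any eq 53
access-list inside_out extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
access-list inside_out extended permit tcp 10.0.0.0 255.255.255.0 any eq 443
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
```

Return traffic for a session already in the state table is matched statefully, so no reverse rule is needed on the other interface; `show access-list outside_in` displays per-line hit counts, which is the quickest way to confirm the policy is being consulted as intended.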