The Cisco ASA 5506-X provides basic traffic filtering capabilities with ACLs. ACLs control access in a network by preventing defined traffic from entering or exiting. In addition, an ACL can be used to select traffic to which a feature will apply, thereby performing a matching service rather than a control service.
There are many similarities between ASA ACLs and IOS ACLs. For example, both are made up of ACEs, processed sequentially from the top down, and there is an implicit deny any at the bottom. Additionally, the rule of only one ACL per interface, per protocol, per direction, still applies.
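The top-down, first-match processing and implicit deny described above can be modelled in a few lines. This is an added Python example, not ASA code and not from the original page; the ACE fields, the sample ACL and its addresses are constructed, and only protocol, source, destination and destination port are modelled. It also flags ACEs that can never match because an earlier ACE already covers them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None  # None means any port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, dport))

def evaluate(acl, proto, src, dst, dport):
    """Return (action, index) of the first matching ACE.
    An index of None means no ACE matched and the implicit deny applied."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst, dport):
            return ace.action, i
    return "deny", None

def covers(a, b):
    """True if ACE a matches every packet that ACE b matches."""
    return (a.proto in ("ip", b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.dport in (None, b.dport))

def shadowed(acl):
    """Indexes of ACEs that are unreachable because an earlier ACE covers them."""
    return [j for j, b in enumerate(acl) if any(covers(a, b) for a in acl[:j])]

# Constructed sample ACL (documentation address ranges, not from the page).
ACL = [
    ACE("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    ACE("deny", "ip", "198.51.100.0/24", "0.0.0.0/0"),
    ACE("permit", "tcp", "198.51.100.7/32", "192.0.2.20/32", 22),  # never reached
]

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "203.0.113.5", "192.0.2.10", 443))
    print(evaluate(ACL, "tcp", "198.51.100.7", "192.0.2.20", 22))
    print(evaluate(ACL, "udp", "203.0.113.5", "192.0.2.10", 53))
    print("shadowed ACEs:", shadowed(ACL))
```

The third ACE was meant to allow SSH from one host, but the broader deny above it matches first, which is the ordering mistake a top-down review of an ACL should catch.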
ACLs on a security appliance can be used not only to filter packets that are passing through the appliance but also to filter packets destined for the appliance.
Through-traffic filtering - Traffic that is passing through the security appliance from one interface to another interface. The configuration is completed in two steps. The first step is to set up an ACL. The second step is to apply that ACL to an interface.
To-the-box-traffic filtering - Also known as a management access rule, to-the-box-traffic filtering applies to traffic that terminates at the ASA. These rules are created to filter traffic that is destined for the control plane of the ASA. They are completed in one step but require an additional set of rules to implement access control.