ASA implicit rule
When using the packet tracer utility in a Cisco ASA, sometimes a reason for a dropped packet is an "Implicit Rule". For example:
asa-5550-edge# packet-tracer input dmz810 tcp 172.29.12.34 587 10.100.20.50 587 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.100.20.0     255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2bf97148, priority=11, domain=permit, deny=true
        hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=dmz810, output_ifc=any

Result:
input-interface: dmz810
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
An "Implicit Rule" in the ASA packet tracer means one of two things: either the implicit deny at the end of the interface ACL is being hit, or the packet is being stopped by the rule that traffic may only flow from a higher security level interface to a lower security level interface. In the output above, the phase 2 rule has no ACL name, matches any source and destination (0.0.0.0/0.0.0.0) on input_ifc=dmz810, and carries deny=true, which is what that catch-all looks like. For more information about security levels, take a look at ASA security levels.
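When you have to read a lot of these traces, it helps to pull out the dropping phase and the two checks an "Implicit Rule" hit calls for automatically. The following is an added example, not part of the original note or of Cisco's tooling: a small parser for packet-tracer output, run on a trimmed copy of the trace above (the sample text, and the parse_phases / explain_drop names, are constructed here).

```python
import re

# Constructed sample: the trace from the note above, trimmed to the fields read here.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0x2bf97148, priority=11, domain=permit, deny=true
        input_ifc=dmz810, output_ifc=any

Result:
input-interface: dmz810
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def _field(block, name):
    """Value of a 'Name: value' line inside block ('' when absent or empty)."""
    m = re.search(rf"^{name}:[ \t]*(.*)$", block, re.M)
    return m.group(1).strip() if m else ""

def parse_phases(text):
    """Split packet-tracer output into per-phase dicts and the trailing summary."""
    body, _, summary = text.partition("\nResult:\n")   # bare 'Result:' starts the summary
    phases = []
    for block in re.split(r"^Phase:\s*\d+[ \t]*$", body, flags=re.M)[1:]:
        # 'Config:' is followed by the matched rule on the next line(s), or by nothing.
        cfg = re.search(r"^Config:(.*?)(?:^Additional Information:|\Z)", block, re.M | re.S)
        phases.append({"type": _field(block, "Type"), "result": _field(block, "Result"),
                       "config": " ".join(cfg.group(1).split()) if cfg else ""})
    return phases, summary

def explain_drop(text):
    """Name the dropping phase and, for an Implicit Rule hit, the two things to check."""
    phases, summary = parse_phases(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    verdict = {"action": _field(summary, "Action"), "reason": _field(summary, "Drop-reason"),
               "phase": drop["type"] if drop else None, "checks": []}
    if drop and drop["config"] == "Implicit Rule":
        inp, out = _field(summary, "input-interface"), _field(summary, "output-interface")
        verdict["checks"] = [f"ACL on {inp}: the flow matches no permit, so the implicit deny applies",
                             f"security levels: check that {inp} is higher than {out}"]
    return verdict
```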