ASA implicit rule

When you run the packet-tracer utility on a Cisco ASA, the reason given for a dropped packet is sometimes an "Implicit Rule". For example:

asa-5550-edge# packet-tracer input dmz810 tcp 587 587 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x2bf97148, priority=11, domain=permit, deny=true
    hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=, mask=, port=0, tag=0
    dst ip/id=, mask=, port=0, tag=0, dscp=0x0
    input_ifc=dmz810, output_ifc=any

Result:
input-interface: dmz810
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

An Implicit Rule result in the ASA packet tracer means that the packet matched one of two things: the implicit deny statement in an ACL, or the rule that traffic can only flow from a higher security level interface to a lower security level interface. For more information about security levels, take a look at ASA security levels.
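When reviewing saved packet-tracer output, the drops caused by an implicit rule can be separated from drops caused by a configured ACL line by reading the Config field of the dropping phase. The following is an added example, not part of the original page; the function names `parse_phases` and `implicit_drops` are hypothetical, and the sample is the trace above with some lines trimmed.

```python
import re
# Trace taken from the page's output, trimmed; address fields are blank there.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
in dmz

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
 in id=0x2bf97148, priority=11, domain=permit, deny=true
 hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 input_ifc=dmz810, output_ifc=any

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Return one dict per 'Phase: N' block of packet-tracer output."""
    phases = []
    for block in re.split(r"(?m)^(?=Phase: \d+)", text):
        num = re.match(r"Phase: (\d+)", block)
        if not num:
            continue
        # A bare 'Result:' line starts the final summary, not a phase field.
        block = re.split(r"(?m)^Result:[ \t]*$", block)[0]
        field = lambda pat: (re.search(pat, block, re.M | re.S) or [None, ""])[1].strip()
        phases.append({
            "phase": int(num[1]),
            "type": field(r"^Type:[ \t]*([^\n]*)"),
            "result": field(r"^Result:[ \t]*([^\n]*)"),
            # Config is the text between 'Config:' and 'Additional Information:'.
            "config": field(r"^Config:[ \t]*\n(.*?)^Additional Information:"),
            "input_ifc": field(r"input_ifc=([^,\s]+)"),
            "hits": field(r"hits=(\d+)"),
        })
    return phases

def implicit_drops(text):
    """Phases where an ACCESS-LIST check dropped the packet on an implicit rule."""
    return [p for p in parse_phases(text)
            if (p["type"], p["result"], p["config"]) == ("ACCESS-LIST", "DROP", "Implicit Rule")]
```

A phase whose Config field names an access-group or access-list line instead of "Implicit Rule" is not returned, which points the review at the configured ACL rather than at the implicit deny or the security-level rule.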