ASA implicit rule
When using the packet-tracer utility on a Cisco ASA, the reason given for a dropped packet is sometimes an "Implicit Rule". For example:
asa-5550-edge# packet-tracer input dmz810 tcp 172.29.12.34 587 10.100.20.50 587 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.100.20.0     255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2bf97148, priority=11, domain=permit, deny=true
        hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=dmz810, output_ifc=any

Result:
input-interface: dmz810
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
An Implicit Rule in ASA packet-tracer output means one of two things: either the packet has matched the implicit deny at the end of the access list (ACL) applied to the ingress interface, or it has matched the default rule that traffic may only flow from a higher security level interface to a lower security level interface. In the example above, the matching rule has source and destination 0.0.0.0 with mask 0.0.0.0 and deny=true on input_ifc=dmz810, i.e. a catch-all deny for anything entering dmz810 that no earlier rule permitted; the hits counter (79960) shows how often that catch-all has fired. For more information about security levels, take a look at ASA security levels.
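As an added example (not code from the original page or from Cisco), the following Python parses packet-tracer output into its phases, pulls out the phase that dropped the packet together with the summary fields, and then decides which of the two implicit rules applies. The security levels and the inbound ACL map passed to explain_implicit_rule are hypothetical inputs an operator would fill in from the running config; the sample output is the one quoted above, reflowed one field per line.

```python
import re

# Constructed sample input: the packet-tracer output quoted on the page, reflowed
# one field per line as the ASA prints it.
SAMPLE_OUTPUT = """\
asa-5550-edge# packet-tracer input dmz810 tcp 172.29.12.34 587 10.100.20.50 587 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.100.20.0     255.255.255.0   dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2bf97148, priority=11, domain=permit, deny=true
        hits=79960, user_data=0x5, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=dmz810, output_ifc=any

Result:
input-interface: dmz810
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(output):
    """Return (phases, summary): one dict per 'Phase: N' block plus the final Result block.
    Keys are lower-cased field names; 'config' holds the lines between 'Config:' and
    'Additional Information:' (for example ['Implicit Rule'])."""
    phases, summary = [], {}
    current, in_config = None, False
    for raw in output.splitlines():
        line = raw.strip()
        if not line or "packet-tracer" in line:   # blank line or the command prompt itself
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "config": []}
            phases.append(current)
            in_config = False
            continue
        if line == "Result:":                     # a bare 'Result:' opens the summary block
            current, in_config = summary, False
            continue
        if current is None:
            continue
        if in_config:
            if line.startswith("Additional Information:"):
                in_config = False
            else:
                current["config"].append(line)
            continue
        if line == "Config:":
            in_config = True
            continue
        key, sep, value = line.partition(":")
        if sep:                                   # 'Key: value' lines; rule-detail lines have no colon
            current[key.strip().lower()] = value.strip()
    return phases, summary


def find_drop(parsed):
    """Locate the first phase whose Result is DROP and join it with the summary fields."""
    phases, summary = parsed
    for p in phases:
        if p.get("result") == "DROP":
            return {"phase": p["phase"], "type": p.get("type"),
                    "config": " ".join(p["config"]),
                    "input_interface": summary.get("input-interface"),
                    "output_interface": summary.get("output-interface"),
                    "drop_reason": summary.get("drop-reason", "")}
    return None


def explain_implicit_rule(drop, security_levels, inbound_acls):
    """Say which of the two implicit rules the drop corresponds to.
    security_levels: interface -> security level; inbound_acls: interface -> name of the
    ACL applied inbound on it (absent means no ACL). Both are hypothetical inputs the
    operator supplies from the running config."""
    if drop is None or drop["config"] != "Implicit Rule":
        return "not an implicit-rule drop"
    ifc_in, ifc_out = drop["input_interface"], drop["output_interface"]
    acl = inbound_acls.get(ifc_in)
    if acl:
        return f"implicit deny at the end of ACL {acl} on {ifc_in}: no ACE permits this flow"
    lvl_in, lvl_out = security_levels[ifc_in], security_levels[ifc_out]
    if lvl_in <= lvl_out:   # lower-to-higher, or same level without same-security-traffic enabled
        return (f"no ACL on {ifc_in}; default security-level rule denies "
                f"{ifc_in} (level {lvl_in}) -> {ifc_out} (level {lvl_out})")
    return f"{ifc_in} (level {lvl_in}) -> {ifc_out} (level {lvl_out}) is allowed by default; look elsewhere"
```

Running find_drop(parse_packet_tracer(SAMPLE_OUTPUT)) returns phase 2, type ACCESS-LIST, config "Implicit Rule", dmz810 in and dmz out; with constructed levels of 50 for both DMZ interfaces and no inbound ACL on dmz810, explain_implicit_rule attributes the drop to the default security-level rule, which is the right next thing to check before touching any ACL.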
Links
https://forum.networklessons.com/t/cisco-asa-hairpin-internal-server/819/37?u=lagapides