Access control list on the ASA

An ACL is used to filter incoming or outgoing traffic on an interface, whether it's on a Cisco router or an ASA. Without an ACL, any type of traffic is allowed to flow freely between networks/interfaces, and this can be a security concern.

Let's imagine you work in the IT department of your organization. Within the department, there is a small server room without any access controls (no lock on the door or keypad entry). This means anyone who is in the IT department, whether a visitor, a member of staff, or even an intern, would be able to simply walk into the server room without providing identification or obtaining prior authorization.

Simply installing a physical access control, such as a keypad lock on the door, will stop anyone who does not have the correct PIN. In other words, only those who are allowed entry will get in, and everyone else will be denied.

An ACL has the ability to filter traffic based on source or destination IP address and even by port number/service. This is useful if you are trying to restrict an entire network of users, or a single user, from accessing another network or service. In other words, ACLs operate at both Layer 3 and Layer 4 of the Open Systems Interconnection (OSI) model.

In the previous chapter, we mentioned that there are three main security zones (the Inside, Outside, and Demilitarized Zone or DMZ), each with a security level assigned: the Inside has a security level of 100, the DMZ 50, and the Outside 0. Traffic is allowed to flow from an interface with a higher security level to an interface with a lower security level. However, if an ACL is placed on an interface, it takes precedence over this default filtering of traffic between interfaces.

For example, we know that, by default, traffic originating from the Outside interface (security level 0) will not be allowed to flow to the DMZ, which has a security level of 50.

If we place some public servers in the DMZ, users from the internet/Outside zone may require access to those servers specifically. To solve this, an ACL can be placed on the Outside interface to allow incoming traffic from any source to only the servers within the DMZ. All other incoming traffic will be dropped (denied) by the ASA.

In the CCENT/CCNA Routing and Switching certification, it is taught that a router reads the routing table from top to bottom in the order the entries are placed; the same applies to ACLs. Once a match is found, the router or firewall stops processing and carries out the associated action. In the case of an ACL, the router or firewall will either permit or deny the traffic based on the matching rule, and traffic that matches no rule at all is denied.
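To tie the two previous points together (an ACL on the Outside interface that permits traffic only to the DMZ servers, and the top-to-bottom, first-match processing of the entries), here is an added example that is not from the book: a small Python evaluator that parses ASA-style `access-list ... extended` lines and walks them in order for a given packet, falling through to the implicit deny when nothing matches. The ACL name `OUTSIDE_IN`, the DMZ server addresses (192.0.2.10 and 192.0.2.11) and the Outside client address are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASA accepts service names after "eq"; a few common ones are mapped here.
PORT_NAMES = {"www": 80, "https": 443, "ssh": 22}


@dataclass
class Ace:
    """One access control entry, parsed from an ASA-style ACL line."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means "any destination port"
    text: str                       # original line, kept for reporting


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2   # network netmask


def parse_acl(lines: List[str]) -> List[Ace]:
    """Return the ACEs in the order they were written; order is significant."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue                                    # skip remarks/other lines
        action, proto = t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = PORT_NAMES.get(p, int(p) if p.isdigit() else None)
        aces.append(Ace(action, proto, src, dst, dport, line))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins; returns (action, 1-based entry number).

    If no entry matches, the ASA's implicit deny applies: ("deny", None).
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n                            # stop at the first match
    return "deny", None                                 # implicit deny


# Constructed sample ACL for the Outside interface: allow the internet to reach
# only the two DMZ web servers; the final line makes the deny explicit and logs it.
# The ACL would be applied with: access-group OUTSIDE_IN in interface outside
OUTSIDE_IN = parse_acl([
    "access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq www",
    "access-list OUTSIDE_IN extended permit tcp any host 192.0.2.11 eq 443",
    "access-list OUTSIDE_IN extended deny ip any any log",
])

# Same intent, but with a careless "permit ip any any" placed first: because
# processing stops at the first match, the later deny never takes effect.
SHADOWED = parse_acl([
    "access-list OUTSIDE_IN extended permit ip any any",
    "access-list OUTSIDE_IN extended deny ip any host 192.0.2.10",
])

if __name__ == "__main__":
    client = "203.0.113.5"   # constructed Outside/internet address
    for proto, dst, port in [("tcp", "192.0.2.10", 80), ("tcp", "192.0.2.10", 22),
                             ("udp", "192.0.2.11", 443)]:
        print(proto, client, "->", dst, port, evaluate(OUTSIDE_IN, proto, client, dst, port))
    print("shadowed:", evaluate(SHADOWED, "tcp", client, "192.0.2.10", 22))
```

The second list illustrates why entry order matters when you write an ACL: a broad permit above a specific deny shadows it completely, which is exactly the mistake the top-to-bottom, first-match rule makes easy to spot if you trace a packet through the entries by hand.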