I am a Cisco ASA newbie. I am having trouble grasping ACL concepts. We will want all outbound traffic from LAN to WAN blocked, except as we see fit to allow. I understand by default all traffic is allowed to the less secure interface. Do I understand this correctly that as soon as I apply an ACL to the internal interface all other traffic will be blocked because of an implied deny statement that will then be in force by default? That the "other" traffic we want to block will never reach the implicit permit rule as long as that rule is not applied first?
"Once I am done creating the ACL I want to allow out, I create the deny rule?"
You can if you want, but if you don't there is an implicit deny anyway. I suspect the "implicit permit" you are seeing is because by default all traffic is allowed from a higher to a lower security interface. Once you apply an ACL to that higher interface then the implicit permit should not be relevant.
As for the ACL:
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443
access-list inside_out_1 permit tcp any any eq 80
access-list inside_out_1 permit tcp any any eq 443
access-list inside_out_1 deny ip any any
Both of the above ACLs do the same thing, i.e. they allow HTTP and HTTPS traffic from inside to outside and then deny everything else. The only difference is that the first ACL "inside_out" relies on the implicit deny at the end of the ACL, i.e. you don't specifically enter it, whereas with the second ACL "inside_out_1" you explicitly add the "deny ip any any" line.
When you do a "sh access-list", inside_out_1 will also show you how many hits have been dropped on the "deny ip any any" line, whereas you wouldn't see this with the first ACL "inside_out".
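To make the first-match and implicit-deny behaviour concrete, here is an added Python simulator (not from this thread and not Cisco code) that parses the two ACLs quoted above and evaluates a few constructed inside-to-outside flows against them. It is an assumption-laden simplification: it supports only the ACE syntax used in those lines (`any` or an exact address for source/destination, optional `eq <port>`), and it counts implicit-deny drops separately because the real "show access-list" output has no line for them.

```python
import re
from collections import Counter

ACL_INSIDE_OUT = """\
access-list inside_out permit tcp any any eq 80
access-list inside_out permit tcp any any eq 443"""
ACL_INSIDE_OUT_1 = ACL_INSIDE_OUT.replace("inside_out", "inside_out_1") + \
    "\naccess-list inside_out_1 deny ip any any"

# Simplified ACE grammar: 'any' or an exact address for src/dst, optional 'eq <port>'.
ACE_RE = re.compile(r"access-list \S+ (permit|deny) (\S+) (\S+) (\S+)(?: eq (\d+))?$")

def parse_acl(text):
    """Return the ACEs in configured order; order is what makes first-match work."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        action, proto, src, dst, port = m.groups()
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst,
                     "port": int(port) if port else None, "text": line.strip()})
    return aces

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and ace["src"] in ("any", pkt["src"])
            and ace["dst"] in ("any", pkt["dst"])
            and (ace["port"] is None or ace["port"] == pkt["dport"]))

def evaluate(aces, packets):
    """Top-down, first match wins. A packet matching no ACE is dropped by the implicit
    deny, counted separately because 'show access-list' shows hitcnt only for real ACEs."""
    decisions, hits, implicit_denies = [], Counter(), 0
    for pkt in packets:
        for ace in aces:
            if ace_matches(ace, pkt):
                hits[ace["text"]] += 1
                decisions.append(ace["action"])
                break
        else:                       # no configured ACE matched
            implicit_denies += 1
            decisions.append("deny")
    return decisions, hits, implicit_denies

# Constructed sample flows from inside to outside: http, https, ssh, dns.
PACKETS = [{"proto": "tcp", "src": "10.1.1.5", "dst": "203.0.113.10", "dport": p}
           for p in (80, 443, 22)]
PACKETS.append({"proto": "udp", "src": "10.1.1.5", "dst": "203.0.113.53", "dport": 53})
```

Running `evaluate(parse_acl(ACL_INSIDE_OUT), PACKETS)` and the same for `ACL_INSIDE_OUT_1` gives identical permit/deny decisions; only the second ACL has a hit count on its explicit "deny ip any any" line.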