Cisco ASA - How-to Filtering Traffic Destined to the Device Itself

The control-plane option is used to apply an access-list to traffic destined to the device itself.  Normally, access-Lists applied to interfaces control traffic flowing through the ASA.  When the “control-plane” tag is added, the access-list is used to control traffic that terminates on the ASA.  This can be beneficial if you want to limit the traffic that is permitted to terminate on the ASA (i.e. VPN related traffic). 

access-group device_access_in in inside control-plane [more]

One important thing to note is that access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the “control-plane” option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by access list with the “control-plane” option.

Networking Cisco ASA