Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA
appliance interface ACL configurations?
A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.
B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.
C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.
D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces.
E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only supports extended ACL.
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_extended.html
Additional Guidelines and Limitations
The following guidelines and limitations apply to creating an extended access list:
• When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number.
• Enter the access list name in uppercase letters so that the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN).
• Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section.
• Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.
• Enter the any keyword instead of the address and mask to specify any address.
• You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section. DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
• You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol, you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. (See the “Adding an ICMP Type Object Group” section.) The ICMP inspection engine treats ICMP sessions as stateful connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA). See the “Adding an ICMP Type Object Group” section for a list of ICMP types.
• When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
• To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the inactive keyword. This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier.
• Use the disable option to disable logging for a specified ACE.
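As an added illustration that is not part of the Cisco document quoted above, here is the same policy written once for Cisco IOS and once for the ASA, so the mask notation, the line-number insertion, the host/any keywords, the ICMP type, and the inactive and log disable options can be compared side by side. The addresses, the ACL name INSIDE, and the interface names are constructed for this example.

```text
! Cisco IOS: wildcard masks, sequence numbers, ACL bound under the interface
! (addresses, ACL name and interface are constructed for this example)
ip access-list extended INSIDE
 5 deny ip host 10.1.1.99 any
 10 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 80
 20 permit icmp 10.1.1.0 0.0.0.255 any echo
!
interface GigabitEthernet0/0
 ip access-group INSIDE in

! Cisco ASA: network masks, "line" keyword, host/any keywords, inactive, log disable
! (same constructed addresses; "inside" is the constructed nameif of the interface)
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 80
access-list INSIDE extended permit icmp 10.1.1.0 255.255.255.0 any echo
! Without "line", the ACE is appended; "line 1" places the deny ahead of the permits
access-list INSIDE line 1 extended deny ip host 10.1.1.99 any
! Kept in the configuration but not evaluated; re-enter without "inactive" to reenable
access-list INSIDE extended permit udp 10.1.1.0 255.255.255.0 any eq domain inactive
! Matches are not logged for this one ACE
access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 any eq 443 log disable
!
access-group INSIDE in interface inside
```

Note that 10.1.1.0 0.0.0.255 on IOS and 10.1.1.0 255.255.255.0 on the ASA describe the same /24; entering a wildcard mask on the ASA would be interpreted as a network mask and match a different set of addresses.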