Which statement about the default ACL logging behavior of the Cisco ASA is true?
A.
The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured
B.
The Cisco ASA generates system message 106023 for each packet that matched an ACE.
C.
The Cisco ASA generates system message 106100 only for the first packet that matched an ACE.
D.
The Cisco ASA generates system message 106100 for each packet that matched an ACE.
E.
No ACL logging is enabled by default.
A; The Cisco ASA generates system message 106023 for each denied packet when a deny ACE is configured
106023
This section contains messages from 106023 to 199006.
Error Message %ACE-4-106023: Deny protocol number | name src incoming-interface:src-ip dst outgoing-interface:dst-ip by access-group “acl-name”
Explanation An IP packet was denied by the ACL. This message displays even if you do not have the log option enabled for an ACL. If a packet hits an input ACL, the outgoing interface will not be known. In this case, the VFW application prints the outgoing interface as undetermined. The source IP and destination IP addresses are the unmapped and mapped addresses for the input and output ACLs, respectively, when used with NAT.
Recommended Action If messages persist from the same source address, messages might indicate a foot-printing or port-scanning attempt. Contact the remote host administrators.
A