PrepAway - Latest Free Exam Questions & Answers


Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA
appliance interface ACL configurations?


A.
The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.

B.
Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.

C.
The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard
masks.

D.
The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of
the Cisco ASA appliance interfaces.

E.
The Cisco ASA appliance does not support standard ACLs. The Cisco ASA appliance only
supports extended ACLs.

Answer: C

Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_extended.html
The guideline that answers the question is the one on network masks: the ASA takes a network mask where IOS takes a wildcard mask.
Additional Guidelines and Limitations
The following guidelines and limitations apply to creating an extended access list:
• When you enter the access-list command for a given access list name, the ACE is added to the
end of the access list unless you specify the line number.
• Enter the access list name in uppercase letters so that the name is easy to see in the
configuration. You might want to name the access list for the interface (for example, INSIDE), or
you can name it for the purpose for which it is created (for example, NO_NAT or VPN).
• Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list
of protocol names, see the "Protocols and Applications" section.
• Enter the host keyword before the IP address to specify a single address. In this case, do not
enter a mask. Enter the any keyword instead of the address and mask to specify any address.
• You can specify the source and destination ports only for the tcp or udp protocols. For a list of
permitted keywords and well-known port assignments, see the "TCP and UDP Ports" section.
DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP
and one for UDP. TACACS+ requires one definition for port 49 on TCP.
• You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless
protocol, you either need access lists to allow ICMP in both directions (by applying access lists to
the source and destination interfaces), or you need to enable the ICMP inspection engine. (See
the "Adding an ICMP Type Object Group" section.) The ICMP inspection engine treats ICMP
sessions as stateful connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8)
(host to ASA). See the "Adding an ICMP Type Object Group" section for a list of ICMP types.
• When you specify a network mask, the method is different from the Cisco IOS software access-list
command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask).
The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
• To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without
the inactive keyword. This feature enables you to keep a record of an inactive ACE in your
configuration to make reenabling easier.
• Use the disable option to disable logging for a specified ACE.
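The mask difference above is the one that bites when an IOS ACL is ported to an ASA by hand: every wildcard has to be inverted, and a wildcard that is legal on IOS (non-contiguous bits) has no single-ACE equivalent on the ASA. The following Python script is an added example, not code from the page or from Cisco; it converts a small constructed IOS extended ACL into ASA `access-list NAME extended ...` lines, inverting wildcards into network masks, keeping `host`/`any` and the port or ICMP-type tail unchanged, uppercasing the list name as the guideline recommends, and refusing any wildcard the ASA cannot express. The sample ACL (`OUTSIDE_IN`, 203.0.113.0/24, 198.51.100.0/24) is made up for the example.

```python
import ipaddress

# Constructed sample input (not from the page): an IOS extended ACL using wildcard masks.
IOS_ACL = """\
ip access-list extended outside_in
 10 permit tcp 203.0.113.0 0.0.0.255 host 198.51.100.10 eq 443
 20 permit udp any 198.51.100.0 0.0.0.255 eq 53
 30 permit icmp any any echo-reply
 40 deny ip any any
"""

ALL_ONES = 0xFFFFFFFF


def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard (0.0.0.255) into an ASA network mask (255.255.255.0).

    IOS accepts non-contiguous wildcards such as 0.0.255.0; the ASA has no way to
    write those in one ACE, so they are rejected rather than silently mistranslated.
    Contiguity check: a wildcard 0...01...1 plus one is a power of two, so (w+1) & w == 0.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError(f"wildcard {wildcard} is non-contiguous; no ASA equivalent")
    return str(ipaddress.IPv4Address(w ^ ALL_ONES))


def _address(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (asa_spec, next_index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":           # host keyword: same on both platforms, no mask
        return f"host {tokens[i + 1]}", i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    return f"{addr} {wildcard_to_netmask(wildcard)}", i + 2


def ios_ace_to_asa(name: str, ace: str) -> str:
    """Translate one IOS ACE line into an ASA extended ACE."""
    tokens = ace.split()
    if tokens and tokens[0].isdigit():  # IOS sequence number; ASA appends in order
        tokens = tokens[1:]             # unless 'line N' is given, so input order is kept
    if tokens[0] == "remark":
        return f"access-list {name} remark {' '.join(tokens[1:])}"
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {ace}")
    src, i = _address(tokens, 2)
    dst, i = _address(tokens, i)
    tail = tokens[i:]                   # ports (eq 443) or ICMP type (echo-reply): same syntax
    return " ".join(["access-list", name, "extended", action, proto, src, dst] + tail)


def ios_acl_to_asa(ios_config: str) -> list:
    """Translate a full 'ip access-list extended NAME' block into ASA access-list lines."""
    lines = [l.strip() for l in ios_config.splitlines() if l.strip()]
    header = lines[0].split()
    if header[:3] != ["ip", "access-list", "extended"]:
        raise ValueError("only IOS named extended ACLs are handled")
    name = header[3].upper()            # uppercase per the ASA naming guideline
    return [ios_ace_to_asa(name, l) for l in lines[1:]]


if __name__ == "__main__":
    for line in ios_acl_to_asa(IOS_ACL):
        print(line)
```

The translated lines are not active until bound with `access-group OUTSIDE_IN in interface outside`, and the trailing `deny ip any any` is redundant on both platforms (both end in an implicit deny); it is kept here because an explicit deny is a common place to hang logging.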

