Which option is a key difference between Cisco IOS interface ACL configurations and Cisco ASA appliance interface ACL configurations?
A. The Cisco IOS interface ACL has an implicit permit-all rule at the end of each interface ACL.
B. Cisco IOS supports interface ACL and also global ACL. Global ACL is applied to all interfaces.
C. The Cisco ASA appliance interface ACL configurations use netmasks instead of wildcard masks.
D. The Cisco ASA appliance interface ACL also applies to traffic directed to the IP addresses of the Cisco ASA appliance interfaces.
E. The Cisco ASA appliance does not support standard ACL. The Cisco ASA appliance only supports extended ACL.
Correct Answer: C
Explanation/Reference:
Explanation:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_extended.html
Additional Guidelines and Limitations
The following guidelines and limitations apply to creating an extended access list:
When you enter the access-list command for a given access list name, the ACE is added to the end of the access list unless you specify the line number.
Enter the access list name in uppercase letters so that the name is easy to see in the configuration. You might want to name the access list for the interface (for example, INSIDE), or you can name it for the purpose for which it is created (for example, NO_NAT or VPN).
Typically, you identify the ip keyword for the protocol, but other protocols are accepted. For a list of protocol names, see the “Protocols and Applications” section.
Enter the host keyword before the IP address to specify a single address. In this case, do not enter a mask.
Enter the any keyword instead of the address and mask to specify any address. You can specify the source and destination ports only for the tcp or udp protocols. For a list of permitted keywords and well-known port assignments, see the “TCP and UDP Ports” section.
DNS, Discard, Echo, Ident, NTP, RPC, SUNRPC, and Talk each require one definition for TCP and one for UDP. TACACS+ requires one definition for port 49 on TCP.
You can specify the ICMP type only for the icmp protocol. Because ICMP is a connectionless protocol, you either need access lists to allow ICMP in both directions (by applying access lists to the source and destination interfaces), or you need to enable the ICMP inspection engine. (See the “Adding an ICMP Type Object Group” section.) The ICMP inspection engine treats ICMP sessions as stateful connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA). See the “Adding an ICMP Type Object Group” section for a list of ICMP types.
When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).
To make an ACE inactive, use the inactive keyword. To reenable it, enter the entire ACE without the inactive keyword. This feature enables you to keep a record of an inactive ACE in your configuration to make reenabling easier.
Use the disable option to disable logging for a specified ACE.
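The mask difference behind answer C is easy to get wrong when porting rules between platforms, so here is an added Python example (not from the exam or from Cisco) that inverts an IOS wildcard into the ASA network mask and rewrites a simple IOS extended ACE in ASA syntax. The ACL name INSIDE, the port-keyword table and the sample ACEs are assumptions; a non-contiguous wildcard, which IOS accepts but which has no single subnet-mask inverse, is rejected rather than silently mistranslated.

```python
import ipaddress

_PORT_OPS = {"eq": 2, "neq": 2, "lt": 2, "gt": 2, "range": 3}  # keyword -> tokens consumed

def wildcard_to_netmask(wildcard: str) -> str:
    """Invert an IOS wildcard mask (0.0.0.255) into the ASA network mask (255.255.255.0).

    Raises ValueError for a non-contiguous wildcard (e.g. 0.0.255.0): its inverse is
    not a valid subnet mask, so the ACE has no single ASA equivalent.
    """
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    # A subnet mask is a run of one-bits followed by a run of zero-bits.
    if inverted != 0 and (inverted | (inverted - 1)) != 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is non-contiguous; no ASA netmask equivalent")
    return str(ipaddress.IPv4Address(inverted))

def _convert_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (ASA address text, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    addr, mask = tokens[i], wildcard_to_netmask(tokens[i + 1])
    if mask == "255.255.255.255":  # wildcard 0.0.0.0 is a single host; ASA uses 'host'
        return f"host {addr}", i + 2
    if mask == "0.0.0.0":          # wildcard 255.255.255.255 matches every address
        return "any", i + 2
    return f"{addr} {mask}", i + 2

def _take_port(tokens, i):
    """Consume an optional port qualifier (eq/neq/lt/gt/range); ASA uses the same keywords."""
    if i < len(tokens) and tokens[i] in _PORT_OPS:
        n = _PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + n]), i + n
    return "", i

def ios_to_asa_ace(ios_ace: str, acl_name: str = "INSIDE") -> str:
    """Translate an IOS extended ACE body ('permit tcp <src> <wc> [port] <dst> <wc> [port]')
    into the ASA 'access-list NAME extended ...' form. acl_name is an assumed example name."""
    tokens = ios_ace.split()
    action, proto = tokens[0], tokens[1]
    src, i = _convert_addr(tokens, 2)
    sport, i = _take_port(tokens, i)
    dst, i = _convert_addr(tokens, i)
    dport, i = _take_port(tokens, i)
    parts = ["access-list", acl_name, "extended", action, proto, src, sport, dst, dport]
    return " ".join(p for p in parts if p)
```

Calling `ios_to_asa_ace("permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.10 eq 443")` with the constructed sample ACE yields `access-list INSIDE extended permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 443`.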