My question is not platform specific but I manage numerous ASAs and PIXes which is what I am concerned with.
Generally speaking, best practices suggest using an explicit deny with logging at the end of ACLs. My question is very simple. Does this apply only to "interface" ACLs, meaning only for those applied in an access-group statement? Or does it also apply to "non-interface" ACLs such as those used for VPN (regardless of whether it's site-to-site or remote-access)?
It seems that depending on how the ACL is used the addition of an explicit deny may be pointless in the case of some non-interface ACLs. Maybe I'm wrong.
Thanks for your feedback/interpretations/opinions.
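As an added example (not part of the original post), here is a small audit script that sorts ASA ACLs into the two categories the question distinguishes: ACLs bound to an interface with access-group, and ACLs referenced only by a crypto map, a vpn-filter or a split-tunnel list. It then reports which interface ACLs do not end in an explicit deny-with-log entry. The configuration lines are constructed for illustration, the regular expressions cover only the reference forms shown, and the script deliberately flags only interface-bound ACLs; it does not settle whether the practice is useful for the non-interface case.

```python
import re
from collections import defaultdict

# Constructed sample of ASA running-config lines (illustrative, not from a real device).
SAMPLE_CONFIG = """
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-list DMZ_IN remark allow web tier out
access-list DMZ_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list VPN_SITE extended permit ip 10.0.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list SPLIT standard permit 10.0.0.0 255.255.0.0
access-list RA_FILTER extended permit tcp any 10.0.50.0 255.255.255.0 eq 22
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
crypto map OUTSIDE_MAP 10 match address VPN_SITE
group-policy RA_POLICY attributes
 vpn-filter value RA_FILTER
 split-tunnel-network-list value SPLIT
"""

# Reference forms recognised by this script (assumption: these are the only ones present).
ACL_LINE = re.compile(r'^access-list\s+(\S+)\s+(remark|extended|standard|webtype)\s+(.*)$')
ACCESS_GROUP = re.compile(r'^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)')
CRYPTO_MATCH = re.compile(r'^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)')
VPN_FILTER = re.compile(r'^\s*vpn-filter value\s+(\S+)')
SPLIT_TUNNEL = re.compile(r'^\s*split-tunnel-network-list value\s+(\S+)')


def parse_config(text):
    """Return (acls, uses): ACEs keyed by ACL name, and how each ACL is referenced."""
    acls = defaultdict(list)
    uses = defaultdict(list)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = ACL_LINE.match(line)
        if m:
            name, kind, body = m.groups()
            if kind != 'remark':  # remarks are comments, not entries
                acls[name].append((kind, body))
            continue
        m = ACCESS_GROUP.match(line)
        if m:
            uses[m.group(1)].append(f'interface:{m.group(3)}:{m.group(2)}')
            continue
        m = CRYPTO_MATCH.match(line)
        if m:
            uses[m.group(1)].append('crypto-map')
            continue
        m = VPN_FILTER.match(line)
        if m:
            uses[m.group(1)].append('vpn-filter')
            continue
        m = SPLIT_TUNNEL.match(line)
        if m:
            uses[m.group(1)].append('split-tunnel')
    return dict(acls), dict(uses)


def is_explicit_deny_log(ace):
    """True for an extended 'deny ip any any log ...' entry (any4/any6 accepted)."""
    kind, body = ace
    t = body.split()
    anys = {'any', 'any4', 'any6'}
    return (kind == 'extended' and len(t) >= 5 and t[0] == 'deny' and t[1] == 'ip'
            and t[2] in anys and t[3] in anys and 'log' in t[4:])


def audit(text):
    """Classify each ACL and flag interface-bound ACLs lacking a final explicit deny+log."""
    acls, uses = parse_config(text)
    report = {}
    for name, aces in acls.items():
        refs = uses.get(name, [])
        interface_bound = any(r.startswith('interface:') for r in refs)
        ends_with_deny_log = bool(aces) and is_explicit_deny_log(aces[-1])
        report[name] = {
            'refs': refs,
            'interface_bound': interface_bound,
            'ends_with_deny_log': ends_with_deny_log,
            'finding': interface_bound and not ends_with_deny_log,
        }
    return report


if __name__ == '__main__':
    for name, r in audit(SAMPLE_CONFIG).items():
        where = ', '.join(r['refs']) or 'unreferenced'
        flag = 'MISSING explicit deny+log' if r['finding'] else 'ok'
        print(f'{name:12} [{where}] {flag}')
```

Run against a saved "show running-config" instead of the embedded sample by reading the file into audit(). Unreferenced ACLs show up with an empty reference list, which is itself worth a look during cleanup.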