06-09-2014 05:40 PM - edited 03-11-2019 09:18 PM
06-09-2014 07:00 PM
An explicit deny allows one to generate log messages for the packets that are denied.
Some organizations use those for analysis and/or blacklisting/shunning of the source IPs.
The other reason I have seen cited is that it keeps some auditors happier to see the explicit denies. :)
06-10-2014 12:08 AM
Further adding to Marvin's post, we put an explicit deny (on the 'outside' interface) in order to customize the logging level and interval of syslog message 106100.
http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp4769049
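As an added example (not from either reply above, and not Cisco's code), here is a small Python parser for the 106100 messages that such a logged explicit deny produces, aggregating denied hits per source IP for the analysis/blacklisting use Marvin mentions. The sample log lines are constructed to match the documented 106100 format; the ACL name, interface names and addresses are made up.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample lines in the ASA 106100 format (not taken from the thread).
# The digit after "%ASA-" is the message severity; that is the field that changes
# when the level of 106100 is customized as described in the post.
SAMPLE_LOG = """\
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(45123) -> inside/10.0.0.10(22) hit-cnt 1 first hit [0x2e4b8a0c, 0x0]
%ASA-6-106100: access-list outside_in denied tcp outside/203.0.113.5(45124) -> inside/10.0.0.10(23) hit-cnt 1 first hit [0x2e4b8a0c, 0x0]
%ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(51000) -> inside/10.0.0.20(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_in denied udp outside/203.0.113.5(40000) -> inside/10.0.0.10(161) hit-cnt 40 300-second interval [0x2e4b8a0c, 0x0]
%ASA-6-106100: access-list outside_in denied tcp outside/192.0.2.9(33000) -> inside/10.0.0.10(3389) hit-cnt 2 300-second interval [0x5f6e7d8c, 0x0]
"""

# Body of 106100: access-list <acl> {permitted|denied|est-allowed} <proto>
#   <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> (first hit | <secs>-second interval)
MSG_106100 = re.compile(
    r"%ASA-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) (?P<window>first hit|\d+-second interval)"
)


def parse_106100(line):
    """Return a dict of fields for a 106100 message, or None if the line is not one."""
    m = MSG_106100.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        # Only accept literal addresses; skip lines where a name substitution was logged.
        ip_address(rec["src"])
        ip_address(rec["dst"])
    except ValueError:
        return None
    for key in ("sev", "sport", "dport", "hits"):
        rec[key] = int(rec[key])
    return rec


def denied_hits_by_source(lines):
    """Total denied hits per source IP. hit-cnt is summed, so an interval summary
    line that stands for many packets is not under-counted as a single event."""
    totals = Counter()
    for line in lines:
        rec = parse_106100(line)
        if rec is not None and rec["action"] == "denied":
            totals[rec["src"]] += rec["hits"]
    return totals


def shun_candidates(totals, threshold):
    """Source IPs whose denied hits reach the threshold, most active first,
    as input to a human review or blacklisting decision."""
    return [ip for ip, n in totals.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = denied_hits_by_source(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:>16}  denied hits: {n}")
    print("review candidates:", shun_candidates(counts, 10))
```

Lines that are not 106100 messages, or that carry the permitted/est-allowed action, are ignored, so the same function can be fed a raw syslog stream from the ASA without pre-filtering.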