/////////Differences between IOS ACLs and PIX ACLs////////////
IOS router ACLs use a wildcard mask; PIX ACLs use a subnet mask.
A wildcard mask can usually be thought of as a subnet mask with the ones and zeros inverted; for example, a wildcard mask of 0.0.0.255 corresponds to a subnet mask of 255.255.255.0. A wildcard mask is used in combination with an IP address. For example, in a standard ACL, a statement like the following:
access-list 10 permit 10.0.3.0 0.0.0.255
allows traffic from subnet 10.0.3.0/24 to pass: the first three octets must match exactly, whereas the bits in the fourth octet can take on any value.
////////// Special Features of Cisco PIX //////////////
PIX ACLs are applied only inbound (to traffic entering an interface). By default the PIX allows traffic from a higher-security interface (inside = 100) to a lower-security interface (outside = 0). The return traffic is allowed because the PIX notices the outbound connection and temporarily opens the port for the traffic coming back in.
////////// Access Control List /////////////////
access-list 101 permit tcp any range 1024 65535 host 192.168.5.1 eq www
access-list 101 permit tcp any host 192.168.5.1 eq www
If both ACEs appear in the above order, rule 1 is overridden (made redundant) by rule 2: rule 2 permits any source port, so all source ports are allowed to reach host 192.168.5.1 on port 80 (www).
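The two points above, wildcard-mask matching and first-match ACE ordering, worked through in an added Python example (not Cisco code and not from the original note); the ACE representation, the `redundant()` check and the sample packets are constructed here for illustration:

```python
import ipaddress
from typing import NamedTuple, Optional

def wildcard_to_subnet(wildcard: str) -> str:
    # Invert a contiguous wildcard (0.0.0.255 -> 255.255.255.0); IOS also allows non-contiguous ones
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    # IOS semantics: wildcard bit 1 = "don't care", bit 0 = "must match exactly"
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a ^ b) & care == 0

class ACE(NamedTuple):
    action: str        # "permit" or "deny"
    src_ports: tuple   # inclusive (low, high) source port range
    dst_host: str
    dst_port: int

# The two ACEs from the note, in the same order (constructed representation of access-list 101)
ACL_101 = [
    ACE("permit", (1024, 65535), "192.168.5.1", 80),  # rule 1: high source ports only
    ACE("permit", (0, 65535), "192.168.5.1", 80),     # rule 2: any source port
]

def matches(ace: ACE, src_port: int, dst_host: str, dst_port: int) -> bool:
    return (ace.src_ports[0] <= src_port <= ace.src_ports[1]
            and ace.dst_host == dst_host and ace.dst_port == dst_port)

def first_match(acl, src_port: int, dst_host: str, dst_port: int) -> Optional[int]:
    # ACLs are evaluated top-down; the first matching ACE decides, no match means implicit deny
    for i, ace in enumerate(acl):
        if matches(ace, src_port, dst_host, dst_port):
            return i
    return None

def overlaps(a: ACE, b: ACE) -> bool:
    return ((a.dst_host, a.dst_port) == (b.dst_host, b.dst_port)
            and a.src_ports[0] <= b.src_ports[1] and b.src_ports[0] <= a.src_ports[1])

def covers(a: ACE, b: ACE) -> bool:
    return ((a.dst_host, a.dst_port) == (b.dst_host, b.dst_port)
            and a.src_ports[0] <= b.src_ports[0] and b.src_ports[1] <= a.src_ports[1])

def redundant(acl, i: int) -> bool:
    # ACE i is redundant when a later ACE with the same action covers everything it matches
    # and no ACE in between with a different action intercepts part of that traffic first
    for j in range(i + 1, len(acl)):
        if acl[j].action != acl[i].action:
            if overlaps(acl[j], acl[i]):
                return False
        elif covers(acl[j], acl[i]):
            return True
    return False
```

A packet from source port 80 falls through rule 1 and is still permitted by rule 2, which is why `redundant(ACL_101, 0)` reports rule 1 as adding nothing.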