The best scenario would be to have an ACL on both interfaces to allow communication from either side. I would add an inbound ACL on the outside interface and the inside interface.

On Sunday, September 2, 2012, Eugene Pefti wrote:

> Hello folks,
>
> I have a rhetoric question.
>
> I believe this is a classic task when BGP peers need to authenticate
> through the ASA but my question is not about it.
>
> One of my BGP peers is on outside of the ASA and the other is inside. The
> ACL on ASA doesn’t allow BGP traffic from the outside peer and I see
> corresponding denies when it tries to talk to the inside peer.
>
> But nothing prevents the inside peer to establish the active session with
> its outside peer and they successfully do it.
>
> Now the question. Would you add the ACL on the ASA outside interface to
> allow BGP traffic from the outside peer to the inside one or as long as
> they can establish the session that originates from the inside BGP peer we
> are OK?
>
> Eugene

--
FNK, CCIE Security#35578
