I assume it is only for the situation when you need to control outbound traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is trusted traffic per ASA security levels.
Sent from iPhone

On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:

The best scenario would be to have ACL on both interfaces to allow communication from either side. I would add an inbound ACL on the outside interface and the inside interface.

On Sunday, September 2, 2012, Eugene Pefti wrote:

Hello folks,

I have a rhetorical question. I believe this is a classic task when BGP peers need to authenticate through the ASA, but my question is not about that. One of my BGP peers is on the outside of the ASA and the other is inside. The ACL on the ASA doesn't allow BGP traffic from the outside peer, and I see the corresponding denies when it tries to talk to the inside peer. But nothing prevents the inside peer from establishing the active session with its outside peer, and they successfully do it.

Now the question. Would you add the ACL on the ASA outside interface to allow BGP traffic from the outside peer to the inside one, or as long as they can establish the session that originates from the inside BGP peer are we OK?

Eugene

--
FNK, CCIE Security#35578
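The two options discussed in the thread, as an added ASA configuration example that is not from any of the posters. The peer addresses are RFC 5737 documentation placeholders, the ACL names are assumptions, and the "before" state is the one Eugene describes (no permit for the outside peer, inside-initiated session allowed by the default higher-to-lower policy).

```text
! Added example, not from the thread. Placeholders:
!   outside BGP peer 203.0.113.1, inside BGP peer 192.0.2.1 (documentation addresses)
!
! BEFORE (as described in the original post): the outside interface ACL has
! no permit for TCP/179, so a session opened by the outside peer is denied
! (visible as ACL denies in the log). A session opened by the inside peer is
! permitted by the default higher-to-lower policy, and the ASA tracks it
! statefully, so its return traffic needs no rule.
!
! AFTER, option 1 (Eugene's question): permit the outside peer to open BGP
! toward the inside peer. Only the connection-opening direction needs a
! rule; the ASA is stateful in both directions.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.1 host 192.0.2.1 eq bgp
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! AFTER, option 2 (Fawad's suggestion): also apply an inbound ACL on the
! inside interface so only the inside peer may initiate BGP outward.
! Caveat: once an ACL is bound to the inside interface, the implicit
! higher-to-lower permit no longer applies there, so every other flow the
! inside hosts need must be listed explicitly before the final deny.
access-list INSIDE_IN extended permit tcp host 192.0.2.1 host 203.0.113.1 eq bgp
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Verification after applying either option:
!   show access-list OUTSIDE_IN      (hit counts on the BGP entry)
!   show conn address 203.0.113.1    (the established TCP/179 connection)
```

Which option is the right one depends on whether the operator wants the session to survive a collision or a restart on either side: with option 1 alone, a failure that leaves the outside peer as the only active opener still comes up; without it, the session only recovers once the inside peer reopens it.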
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
