Maybe a question for the proctor
Sent from my iPhone
On Sep 2, 2012, at 22:03, Eugene Pefti <[email protected]> wrote:
I may have not be very clear or eloquent asking this question.
Would we be punished if add a permissive BGP traffic ACL entry on the ASA
outside interface if the session establishes owing to the BGP peer that
originates it from behind the ASA?
Eugene
From: Jay McMickle [mailto:[email protected]]
Sent: Sunday, September 02, 2012 7:00 PM
To: Fawad Khan
Cc: Eugene Pefti; [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA
Just remember the keyword at the end of the ACL for BGP passing through the
ASA. ;) (google that)
Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)
Sent from my iPhone
On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:
For the exam I would do what the task say. And NOT overdo/ or over think.
On Sunday, September 2, 2012, Eugene Pefti wrote:
I assume it is only for the situation when you need to control outbound
traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is
trusted traffic per ASA security levels.
Sent from iPhone
On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:
The best scenario would be to have acl on both interfaces to allow
communication from either side.
I would Ab inbound acl on the outside interface and inside interface.
On Sunday, September 2, 2012, Eugene Pefti wrote:
Hello folks,
I have a rhetoric question.
I believe this is a classic task when BGP peers need to authenticate through
the ASA but my question is not about it.
One of my BGP peers is on outside of the ASA and the other is inside. The ACL
on ASA doesn’t allow BGP traffic from the outside peer and I see corresponding
denies when it tries to talk to the inside peer.
But nothing prevents the inside peer to establish the active session with its
outside peer and they successfully do it.
Now the question. Would you add the ACL on the ASA outside interface to
allow BGP traffic from the outside peer to the inside one or as long as they
can establish the session that originates from the inside BGP peer we are OK?
Eugene
--
FNK, CCIE Security#35578
--
FNK, CCIE Security#35578
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
