If the question says allow BGP to successfully authenticate and it doesn't 
specify it (that you need to allow traffic inbound) once the peers are 
authenticated, you should stop seeing those messages. That being said it is not 
a requirement and since the question does not specify it, you can leave it 
without the ACL. 

Mike.
From: [email protected]
To: [email protected]; [email protected]
Date: Mon, 3 Sep 2012 02:03:01 +0000
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA

I may not have been very clear or eloquent asking this question.
Would we be punished if we add a permissive BGP traffic ACL entry on the ASA 
outside interface if the session establishes owing to the BGP peer that 
originates it from behind the ASA?

Eugene

From: Jay McMickle [mailto:[email protected]]
Sent: Sunday, September 02, 2012 7:00 PM
To: Fawad Khan
Cc: Eugene Pefti; [email protected]
Subject: Re: [OSL | CCIE_Security] BGP through ASA

Just remember the keyword at the end of the ACL for BGP passing through the  
ASA. ;) (google that)



Regards,
Jay McMickle- CCIE #35355 (RS), 3x CCNP (RS,Security,Design)

Sent from my iPhone

On Sep 2, 2012, at 8:49 PM, Fawad Khan <[email protected]> wrote:

For the exam I would do what the task says. And NOT overdo or overthink.

On Sunday, September 2, 2012, Eugene Pefti wrote:

I assume it is only for the situation when you need to control outbound 
traffic. For the purpose of CCIE lab should we bother with outbound ACL? It is 
trusted traffic per ASA security levels. 

Sent from iPhone

On Sep 2, 2012, at 11:13 AM, "Fawad Khan" <[email protected]> wrote:

The best scenario would be to have an ACL on both interfaces to allow 
communication from either side.

I would add an inbound ACL on the outside interface and inside interface.

On Sunday, September 2, 2012, Eugene Pefti wrote:

Hello folks,
I have a rhetorical question.
I believe this is a classic task when BGP peers need to authenticate through 
the ASA, but my question is not about it.
One of my BGP peers is on the outside of the ASA and the other is inside. The 
ACL on the ASA doesn’t allow BGP traffic from the outside peer and I see 
corresponding denies when it tries to talk to the inside peer.
But nothing prevents the inside peer from establishing the active session with 
its outside peer and they successfully do it.
Now the question. Would you add the ACL on the ASA outside interface to allow 
BGP traffic from the outside peer to the inside one, or as long as they can 
establish the session that originates from the inside BGP peer we are OK?

Eugene

-- 
FNK, CCIE Security#35578

_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com





