I was under the impression that if you remove the ACL completely, the 
access-group will be gone. 
Also, if you try to configure the access group and the ACL does not have 
entries it would give you the following error: 

MIKEWSALAB(config)# access-group outside_access_in in interface outside
ERROR: access-list <outside_access_in> does not exist


Mike Rojas



Date: Tue, 9 Jul 2013 20:57:40 +0200
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] ASA - ACL applied to interface with no ip 
address


  
    
  
  
    Aaron,

    The ACL will work for non-tagged traffic approaching the interface.

    Regards,
    Piotr

    On 7/9/13 3:31 PM, Aaron Tekippe wrote:

    
    
      
        Good morning!

        If an ACL is applied to an interface without an IP address will
        it have any effect?  Config example as follows.

        interface Ethernet0/1
         speed 1000
         duplex full
         nameif DMZ-TRUNK
         security-level 0
         no ip address
        !
        interface Ethernet0/1.1
         vlan 1
         nameif DMZ1
         security-level 50
         ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
        !
        interface Ethernet0/1.2
         vlan 2
         nameif DMZ2
         security-level 50
         ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
        !
        interface Ethernet0/1.3
         vlan 3
         nameif DMZ3
         security-level 50
         ip address 10.3.1.1 255.255.255.0 standby 10.3.1.2
        !
        !
        access-group outside_access_in in interface outside
        access-group outside_access_in in interface DMZ-TRUNK
        access-group DMZ-1-access_in in interface DMZ1
        access-group DMZ-2_access_in in interface DMZ2
        access-group DMZ-3_in in interface DMZ3

        I stumbled upon this configuration yesterday when planning for
        an upgrade.  Any ideas on if this ACL applied to the DMZ-TRUNK
        interface is doing anything?

        Any insight would be appreciated!

        Thanks!

        Aaron Tekippe

      
      

      
      

      _______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
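
An added example, not part of any message in this thread: a small Python audit that reads a saved ASA running-config and lists access-group bindings that point at an interface with no IP address (the case asked about) or at an ACL name with no access-list lines in the file (the case in the error shown at the top). The function name, the sample text and its access-list line are constructed for illustration; the parser assumes top-level commands start in column 0 and interface sub-commands are indented.

```python
# Constructed sample modeled on the configuration quoted in the thread; the
# access-list line is an assumption added so the check has an ACL to find.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif DMZ-TRUNK
 security-level 0
 no ip address
!
interface Ethernet0/1.1
 vlan 1
 nameif DMZ1
 security-level 50
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
access-list outside_access_in extended deny ip any any
access-group outside_access_in in interface DMZ-TRUNK
access-group DMZ-1-access_in in interface DMZ1
"""

def audit_access_groups(config):
    """Return (acl, nameif, reason) for access-group bindings that need review."""
    blocks, acls, bindings, current = [], set(), [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():  # top-level command ends any interface block
            current = None
            if words[0] == "interface":
                current = {"nameif": None, "ip": False}
                blocks.append(current)
            elif words[0] == "access-list" and len(words) > 2:
                acls.add(words[1])
            elif words[0] == "access-group" and len(words) >= 5 and words[3] == "interface":
                bindings.append((words[1], words[4]))
        elif current is not None:  # indented sub-command of an interface
            if words[0] == "nameif" and len(words) > 1:
                current["nameif"] = words[1]
            elif words[:2] == ["ip", "address"]:  # "no ip address" does not match
                current["ip"] = True
    has_ip = {b["nameif"]: b["ip"] for b in blocks if b["nameif"]}
    findings = []
    for acl, nameif in bindings:
        if acl not in acls:
            findings.append((acl, nameif, "ACL not defined in this config"))
        if not has_ip.get(nameif, False):
            findings.append((acl, nameif, "no IP address found for this nameif"))
    return findings

if __name__ == "__main__":
    print(*audit_access_groups(SAMPLE_CONFIG), sep="\n")
```

A finding is a prompt to review the binding, not a statement that the ACL is inactive.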
    
    

  

