cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
769
Views
0
Helpful
1
Replies

ASA - Subinterface ACL's, how do they work?

Eric Snijders
Level 1
Level 1

I'm having a hard time "tracing" how ACL's on subinterfaces on a Cisco ASA work.

 

Let's create a simple scenario:

- ASA Gi0/0: trunk to SW01 Gi0/0

- ASA Gi0/0.10: VLAN10 subinterface

- ASA Gi0/0.20: VLAN20 subinterface

- SW01 has both VLAN's and Gi0/0 configured as trunk without any pruning/acl's or whatsoever

- PC1 in VLAN10 connected to SW01

- PC2 in VLAN20 connected to SW01

 

Now the question: how should i interpret this ACL-wise when i ping from PC1 to PC2. If you look at the ASA, is it only incomming in VLAN10? Or is it also incomming in VLAN20 since the ping needs to go back also...

1 Accepted Solution

Accepted Solutions

Brett Verney
Level 1
Level 1

Hi Eric,

 

If you think of sub-interfaces the same way you would if they were seperate physical interfaces, it should help visualise the traffic flows.

 

1 - PC1 will send data 'inbound' to Gi0/0.10.

2 - ASA will send data 'outbound' via Gi0/0.20 (where PC2 is located)

 

You could permit or deny ICMP traffic for your example using the direction listed above. When PC2 does an ICMP reply to PC1, the opposite flow comes in to effect.

 

1 - PC2 sends traffic 'inbound' to Gi0/0.20

2 - ASA sends traffic 'outbound' via Gi0/0.10 (where PC1 is located)

 

So if you ICMP traffic was being denied from PC1 to PC2, you would have to check both the INBOUND and OUTBOUND ACLs on both interfaces.

 

Check out the image below. Uses a router and it's SVIs as an example but the concept is the same.

index.png

 

 Also remember there is an order of operations, so if you have NAT, application inspection etc, you will have to take this in to consideration too.

 

Hope this helps

 

-Brett

 

 

View solution in original post

1 Reply 1

Brett Verney
Level 1
Level 1

Hi Eric,

 

If you think of sub-interfaces the same way you would if they were seperate physical interfaces, it should help visualise the traffic flows.

 

1 - PC1 will send data 'inbound' to Gi0/0.10.

2 - ASA will send data 'outbound' via Gi0/0.20 (where PC2 is located)

 

You could permit or deny ICMP traffic for your example using the direction listed above. When PC2 does an ICMP reply to PC1, the opposite flow comes in to effect.

 

1 - PC2 sends traffic 'inbound' to Gi0/0.20

2 - ASA sends traffic 'outbound' via Gi0/0.10 (where PC1 is located)

 

So if you ICMP traffic was being denied from PC1 to PC2, you would have to check both the INBOUND and OUTBOUND ACLs on both interfaces.

 

Check out the image below. Uses a router and it's SVIs as an example but the concept is the same.

index.png

 

 Also remember there is an order of operations, so if you have NAT, application inspection etc, you will have to take this in to consideration too.

 

Hope this helps

 

-Brett

 

 

Review Cisco Networking for a $25 gift card