08-24-2017 02:26 AM - edited 02-21-2020 06:14 AM
I'm having a hard time "tracing" how ACLs on subinterfaces on a Cisco ASA work.
Let's create a simple scenario:
- ASA Gi0/0: trunk to SW01 Gi0/0
- ASA Gi0/0.10: VLAN10 subinterface
- ASA Gi0/0.20: VLAN20 subinterface
- SW01 has both VLANs and Gi0/0 configured as a trunk without any pruning/ACLs or whatsoever
- PC1 in VLAN10 connected to SW01
- PC2 in VLAN20 connected to SW01
Now the question: how should I interpret this ACL-wise when I ping from PC1 to PC2? If you look at the ASA, is it only incoming on VLAN10? Or is it also incoming on VLAN20, since the ping needs to go back also...
08-24-2017 03:29 AM - edited 08-24-2017 04:50 AM
Hi Eric,
If you think of sub-interfaces the same way you would if they were separate physical interfaces, it should help visualise the traffic flows.
1 - PC1 will send data 'inbound' to Gi0/0.10.
2 - ASA will send data 'outbound' via Gi0/0.20 (where PC2 is located)
You could permit or deny ICMP traffic for your example using the direction listed above. When PC2 does an ICMP reply to PC1, the opposite flow comes into effect.
1 - PC2 sends traffic 'inbound' to Gi0/0.20
2 - ASA sends traffic 'outbound' via Gi0/0.10 (where PC1 is located)
So if your ICMP traffic was being denied from PC1 to PC2, you would have to check both the INBOUND and OUTBOUND ACLs on both interfaces.
Check out the image below. It uses a router and its SVIs as an example, but the concept is the same.
Also remember there is an order of operations, so if you have NAT, application inspection etc., you will have to take this into consideration too.
Hope this helps
-Brett
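To make the four checkpoints from the answer concrete, here is a constructed ASA configuration for the scenario (added here as an illustration, not Brett's or Cisco's own config). It assumes nameifs vlan10/vlan20, subnets 10.10.10.0/24 and 10.20.20.0/24, PC1 = 10.10.10.10, PC2 = 10.20.20.20 and ACL names of my choosing.

```cisco
! Constructed example: physical trunk interface carries no addressing itself
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif vlan10
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif vlan20
 security-level 50
 ip address 10.20.20.1 255.255.255.0
!
! Both subinterfaces share security-level 50; without this line the ASA
! drops traffic between them before any ACL is consulted.
same-security-traffic permit inter-interface
!
! Echo request PC1 -> PC2: checked INBOUND on vlan10 ...
access-list VLAN10_IN extended permit icmp host 10.10.10.10 host 10.20.20.20 echo
access-list VLAN10_IN extended deny ip any any log
access-group VLAN10_IN in interface vlan10
! ... and again OUTBOUND on vlan20 (where PC2 lives).
access-list VLAN20_OUT extended permit icmp host 10.10.10.10 host 10.20.20.20 echo
access-group VLAN20_OUT out interface vlan20
!
! Echo reply PC2 -> PC1: the opposite flow. Without ICMP inspection the
! reply is a new packet to the ASA, so it needs its own permits,
! INBOUND on vlan20 and OUTBOUND on vlan10.
access-list VLAN20_IN extended permit icmp host 10.20.20.20 host 10.10.10.10 echo-reply
access-list VLAN20_IN extended deny ip any any log
access-group VLAN20_IN in interface vlan20
access-list VLAN10_OUT extended permit icmp host 10.20.20.20 host 10.10.10.10 echo-reply
access-group VLAN10_OUT out interface vlan10
!
! Order of operations: with ICMP inspection enabled, the reply is matched
! to the connection created by the request and skips the ACL checks, so
! the two echo-reply permits above are then no longer needed.
policy-map global_policy
 class inspection_default
  inspect icmp
```

To see which ACL phase each direction actually hits, run `packet-tracer input vlan10 icmp 10.10.10.10 8 0 10.20.20.20` for the request and `packet-tracer input vlan20 icmp 10.20.20.20 0 0 10.10.10.10` for the reply; the output names the access-list that allowed or dropped the packet.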