12-08-2016 11:31 AM - edited 03-12-2019 01:38 AM
Hello,
I have two "outside" sub-interfaces on my ASA5510:
interface Ethernet0/0
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet0/0.10
vlan 10
nameif isp1
security-level 0
ip address 74.123.123.123 255.255.255.0 standby 74.123.123.124
!
interface Ethernet0/0.20
vlan 20
nameif isp2
security-level 0
ip address 75.123.123.123 255.255.255.0 standby 75.123.123.124
I have only the following command in the configuration applying an access-list (not shown): access-group outside in interface isp1
Questions:
1. Am I correct in stating that only the .10 sub-interface has the access-list applied, and that the access-list does NOT apply to the .20 sub-interface?
2. If I wanted to apply an access-list to the .20 interface, I can utilize the same access list with the command: access-group outside in interface isp2 OR do I need to create a duplicate ACL and apply with exampled command: access-group outside20 in interface isp2?
3. Alternately, if I name the E0/0 interface nameif outside, can I simply change my existing command: access-group outside in interface isp1 to access-group outside in interface outside and have the ACL apply to both sub-interfaces?
Please note: Due to the inside and dmz configuration, we are not comfortable utilizing the global command. I thank you in advance for insight.
12-08-2016 02:23 PM
You are correct, your access-group outside in interface isp1 only applies to your named interface "isp1". If you want to use it twice, you will need to assign it to named interface isp2 as well:
access-group outside in interface isp2
Even though that is physically the same interface, they are 2 separate Layer 3 interfaces.
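As an added example (my own code, not from this thread or from Cisco), here is a small Python checker that reads ASA running-config text in the form shown above and reports which named security-level-0 interfaces have no inbound access-group bound. It assumes the plain `interface` / `nameif` / `security-level` / `access-group` syntax seen in the question; the ACL name `outside`, the `inside` interface and all addresses in the sample are constructed. It goes slightly beyond the thread in that it also recognises the `access-group ... global` form the questioner mentions, treating it as covering every interface.

```python
import re
from typing import Dict, List

# Constructed sample (not the thread's config verbatim): the ASA 5510 edge
# layout from the question, an inside interface, and a hypothetical ACL named
# "outside" bound only to isp1, which is exactly the situation being asked about.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif isp1
 security-level 0
 ip address 74.123.123.123 255.255.255.0 standby 74.123.123.124
!
interface Ethernet0/0.20
 vlan 20
 nameif isp2
 security-level 0
 ip address 75.123.123.123 255.255.255.0 standby 75.123.123.124
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list outside extended deny ip any any
access-group outside in interface isp1
"""


def _finish(interfaces: Dict[str, dict], current: dict) -> None:
    """Record a finished interface block, but only if it carries a nameif.
    An interface with 'no nameif' (the parent Ethernet0/0 here) is not a
    Layer 3 interface on the ASA and cannot be referenced by access-group,
    which is why an ACL on E0/0 cannot cover its sub-interfaces."""
    if current is not None and current["nameif"]:
        interfaces[current["nameif"]] = {
            "physical": current["physical"],
            "security_level": current["security_level"],
        }


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Return {nameif: {physical, security_level}} for every named interface."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            _finish(interfaces, current)
            current = {"physical": line.split(None, 1)[1],
                       "nameif": None, "security_level": None}
        elif line == "!" or line.startswith("access-"):
            _finish(interfaces, current)  # block terminator
            current = None
        elif current is None:
            continue
        elif line.startswith("nameif "):
            current["nameif"] = line.split(None, 1)[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
    _finish(interfaces, current)  # config that ends without a trailing '!'
    return interfaces


def parse_access_groups(config: str) -> Dict[str, str]:
    """Return {nameif: acl} for each inbound binding; a global binding is
    stored under the key 'global'. The same ACL name may appear several
    times, once per named interface it is bound to."""
    bindings: Dict[str, str] = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-group\s+(\S+)\s+in\s+interface\s+(\S+)", line)
        if m:
            bindings[m.group(2)] = m.group(1)
            continue
        g = re.match(r"\s*access-group\s+(\S+)\s+global", line)
        if g:
            bindings["global"] = g.group(1)
    return bindings


def unfiltered_edge_interfaces(config: str, max_level: int = 0) -> List[str]:
    """Named interfaces at or below max_level (0 = outside) with no inbound
    ACL bound. A global access-group covers all interfaces, so the result is
    empty when one is configured."""
    acls = parse_access_groups(config)
    if "global" in acls:
        return []
    return sorted(
        name for name, info in parse_interfaces(config).items()
        if info["security_level"] is not None
        and info["security_level"] <= max_level
        and name not in acls
    )


def bind_acl(config: str, acl: str, nameif: str) -> str:
    """Append the access-group line that binds an existing ACL to another
    named interface, which is the fix the answer above describes."""
    return config.rstrip("\n") + f"\naccess-group {acl} in interface {nameif}\n"


if __name__ == "__main__":
    print("unfiltered:", unfiltered_edge_interfaces(SAMPLE_CONFIG))        # ['isp2']
    fixed = bind_acl(SAMPLE_CONFIG, "outside", "isp2")
    print("after fix:", unfiltered_edge_interfaces(fixed))                 # []
```

Running it on the sample flags `isp2` as an outside interface with no inbound ACL, and the same check comes back empty once the existing `outside` ACL is bound to `isp2` as well; the parent `Ethernet0/0` never appears in the candidate list because it has no nameif.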
12-08-2016 02:41 PM
Thank You. That was my assumption, but confirmation is always best. I did find out after posting that Cisco does not support an E0/0 access-list propagation to E0/0.X sub-interfaces. Therefore, question 3 is moot, and you confirmed 1 & 2. Thank You!