Same ACL applied to different sub-interfaces on ASA5510 or not.

sherman.melik, Level 1

Hello,

I have two "outside" sub-interfaces on my ASA5510:

interface Ethernet0/0
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif isp1
 security-level 0
 ip address 74.123.123.123 255.255.255.0 standby 74.123.123.124
!
interface Ethernet0/0.20
 vlan 20
 nameif isp2
 security-level 0
 ip address 75.123.123.123 255.255.255.0 standby 75.123.123.124

I have only the following command in the configuration applying an access-list (not shown):  access-group outside in interface isp1

Questions:

1. Am I correct in stating that only the .10 sub-interface has the access-list applied, and that the access-list does NOT apply to the .20 sub-interface?

2. If I wanted to apply an access-list to the .20 interface, can I utilize the same access list with the command: access-group outside in interface isp2  OR do I need to create a duplicate ACL and apply it with an example command such as: access-group outside20 in interface isp2?

3. Alternately, if I name the E0/0 interface nameif outside, can I simply change my existing command: access-group outside in interface isp1 to access-group outside in interface outside and have the ACL apply to both sub-interfaces?

Please note: Due to the inside and dmz configuration, we are not comfortable utilizing the global command. I thank you in advance for insight.

Accepted Solution

Dennis Mink, VIP Alumni

You are correct: your  access-group outside in interface isp1  only applies to your named interface "isp1". If you want to use it twice, you will need to assign it to named interface isp2 as well:

access-group outside in interface isp2

Even though that is physically the same interface, they are 2 separate Layer 3 interfaces.

Please remember to rate useful posts, by clicking on the stars below.
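To make the point in the accepted answer checkable rather than something you eyeball, here is an added example (not from the thread, not Cisco's code) that parses an ASA running-config and reports which named interfaces have no inbound access-group of their own. The config it reads is constructed for the example: the interface blocks are modelled on the ones in the question, the "outside" ACL entries are hypothetical (the question does not show them), and an "inside" interface at security-level 100 is added so the filter has something to skip. The parent Ethernet0/0 has no nameif, so it never appears in the results, which is exactly why question 3 has no answer on the ASA: an access-group can only be bound to a nameif.

```python
"""Audit ASA access-group bindings per nameif (added example, constructed input)."""
import re

# Constructed sample config. Interface blocks follow the thread; the ACL lines
# and the "inside" interface are hypothetical additions for the example.
SAMPLE_CONFIG = """
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.10
 vlan 10
 nameif isp1
 security-level 0
 ip address 74.123.123.123 255.255.255.0 standby 74.123.123.124
!
interface Ethernet0/0.20
 vlan 20
 nameif isp2
 security-level 0
 ip address 75.123.123.123 255.255.255.0 standby 75.123.123.124
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list outside extended permit tcp any host 74.123.123.130 eq 443
access-list outside extended deny ip any any log
access-group outside in interface isp1
"""


def parse_interfaces(config):
    """Return {nameif: {"physical": str, "security_level": int|None}}.

    Interfaces without a nameif (e.g. the parent Ethernet0/0) are skipped,
    because nothing can be bound to them with access-group.
    """
    ifaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = {"physical": m.group(1), "nameif": None, "security_level": None}
            continue
        if current is None:
            continue
        s = line.strip()
        if s == "!":
            if current["nameif"]:
                ifaces[current["nameif"]] = current
            current = None
            continue
        m = re.match(r"^nameif (\S+)$", s)          # "no nameif" does not match
        if m:
            current["nameif"] = m.group(1)
        m = re.match(r"^security-level (\d+)$", s)
        if m:
            current["security_level"] = int(m.group(1))
    if current and current["nameif"]:
        ifaces[current["nameif"]] = current
    return ifaces


def parse_access_groups(config):
    """Return [(acl_name, direction, scope)], scope being a nameif or 'global'."""
    bindings = []
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"^access-group (\S+) (in|out) interface (\S+)$", s)
        if m:
            bindings.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = re.match(r"^access-group (\S+) global$", s)
        if m:
            bindings.append((m.group(1), "in", "global"))
    return bindings


def bindings_for_acl(config, acl):
    """Every nameif (or 'global') the given ACL is bound to, sorted."""
    return sorted(scope for name, _d, scope in parse_access_groups(config) if name == acl)


def interfaces_without_inbound_acl(config, max_security_level=0):
    """Named interfaces at or below max_security_level with no inbound ACL.

    A binding on isp1 does not cover isp2 even though both ride Ethernet0/0:
    each sub-interface is its own nameif. A global ACL counts for all of them.
    Note this reports a missing explicit policy, not open access: without an ACL
    the ASA still applies its default lower-to-higher security-level deny.
    """
    ifaces = parse_interfaces(config)
    groups = parse_access_groups(config)
    has_global = any(scope == "global" for _a, _d, scope in groups)
    inbound = {scope for _a, d, scope in groups if d == "in"}
    missing = []
    for name, info in sorted(ifaces.items()):
        lvl = info["security_level"]
        if lvl is None or lvl > max_security_level:
            continue
        if name not in inbound and not has_global:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("ACL 'outside' bound on:", bindings_for_acl(SAMPLE_CONFIG, "outside"))
    print("security-level 0 interfaces with no inbound ACL:",
          interfaces_without_inbound_acl(SAMPLE_CONFIG))
```

Run it against the constructed config and isp2 is reported; append the line the answer suggests, access-group outside in interface isp2, and the report is empty while the same ACL name shows up bound twice. Point the same functions at a real show running-config capture to get the per-nameif view the CLI does not give you directly.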

Reply from sherman.melik:

Thank You.  That was my assumption, but confirmation is always best.  I did find out after posting that Cisco does not support E0/0 access-list propagation to E0/0.X sub-interfaces.  Therefore, question 3 is moot, and you confirmed 1 & 2.  Thank You!
