Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Subinterface Access-List Application


I had a situation where traffic needed to be blocked from one subinterface on the ASA to another, Security-level was setup the same with appropriate NAT and intra security level permissions. The thing was that the ACL needed to be placed signifying source port as opposed to destination port. When i applied the ACL to the subinterface i wanted to secure, nothing worked. I then checked ASDM and the output looked strange (no source ports were being listed).

I guess my question is can you limit traffic by source ports on an ASA using extended access-lists inbound to a subinterface that will scrutinize traffic

For instance,

My subif would be

int f0/0.5

ip address

nameif dmz

access-list ch permit tcp host eq 4200 host

access-group ch in interface dmz

Will this access-list allow tcp traffic from on port 4200 to any tcp port on and deny all others?


Re: ASA Subinterface Access-List Application

Yes, it should.

New Member

Re: ASA Subinterface Access-List Application

Thank you for the response, much appreciated.

As a followup does ASDM not like to display source ports when viewing the ACL in ASDM utility?



Re: ASA Subinterface Access-List Application

Where exactly in the ASDM are you referring to? There doesn't seem to be a column for source port on the config -> security policy page, only destination port.

New Member

Re: ASA Subinterface Access-List Application

thats exactly where i was looking, just thought it was strange.. thank you for your responses and their prompt nature