Jason,
If you do a sh access-list, do you see the downloadable ACL in the config
once it's pushed to the ASA? Do you have the access-group command configured
on your ASA, because the downloadable use it to apply the ACL to the interface
the "access-group" list.
Thanks!
Mike
> Date: Tue, 7 Apr 2009 09:45:01 -0400
> Subject: downloadable ACLs
> From: mcnever_at_gmail.com
> To: ccielab_at_groupstudy.com
>
> I'm having some issues with a downloadable ACL on an ASA and ACS4.2.
>
> I have the authentication on the ASA configured and the ACL gets pushed down
> just fine. I want the ASA to process the downloaded ACL for the user and
> then process the ACL on the incoming interface. Seems simple enough; as I
> understand it, that's the default operation.
>
> This is what I'm currently seeing. I have a host on the inside of the ASA
> which, before authenticating, can ping a host on the outside of the ASA. I
> see counters on the interface ACL increment when he pings, I get a response,
> everything is peachy. Once that user authenticates I can pass all the
> traffic permitted in the downloadable ACL and I still see the counters in
> the interface ACL increment but I don't get a response from the traffic that
> passes on the interface ACL.
>
> Anyone familiar with this?
>
> Thanks
> Jason
Received on Tue Apr 07 2009 - 09:54:04 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART