Mike,
Yes, I can see the downloaded ACL when I do a 'show access-list'. I do have
the access-group applied and I am not using the 'per-user-override' keyword,
like so: 'access-group acl_in in interface inside'.
Fred,
I'm not sure what you mean by 'Override, not supplement.' It's my
understanding that I do not want override. The documentation I've seen says
that the 'override' tells the ASA to ignore the ACL on the interface.
Thanks
Jason
On Tue, Apr 7, 2009 at 9:55 AM, Fred Reimer <freimer_at_ctiusa.com> wrote:
> Override, not supplement.
>
> Fred Reimer, CCIE 23812, CISSP 107125
> Senior Systems Architect
> Coleman Technologies, Inc.
> 3250 W. Commercial Blvd., Suite 360
> Oakland Park, FL 33309
> Office: 407-481-8600 x1307
> eFAX: 407-284-6681
> Cell: 954-298-1697
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jason Morris
> Sent: Tuesday, April 07, 2009 9:45 AM
> To: ccielab_at_groupstudy.com
> Subject: downloadable ACLs
>
> I'm having some issues with a downloadable ACL on an ASA and ACS 4.2.
>
> I have the authentication on the ASA configured and the ACL gets pushed
> down just fine. I want the ASA to process the downloaded ACL for the user
> and then process the ACL on the incoming interface. Seems simple enough;
> as I understand it, that's the default operation.
>
> This is what I'm currently seeing. I have a host on the inside of the ASA
> which, before authenticating, can ping a host on the outside of the ASA.
> I see counters on the interface ACL increment when he pings, I get a
> response, everything is peachy. Once that user authenticates I can pass all
> the traffic permitted in the downloadable ACL and I still see the counters
> in the interface ACL increment, but I don't get a response from the traffic
> that passes on the interface ACL.
>
> Anyone familiar with this?
>
> Thanks
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
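An added illustration, not from the thread and not Cisco code: a small Python model of how an interface ACL and a downloaded per-user ACL combine, assuming the semantics the exchange above describes (without per-user-override a packet must be permitted by both ACLs and the interface ACL's counters still increment; with per-user-override the downloaded ACL replaces the interface ACL for that user). The ACL contents and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HITS = {}  # hit counter per ACE, like the counters in 'show access-list'

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip" matches any protocol
    src: str     # source network in CIDR form
    dst: str     # destination network in CIDR form

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))

def evaluate(acl, proto, src, dst):
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace.matches(proto, src, dst):
            HITS[ace] = HITS.get(ace, 0) + 1
            return ace.action == "permit"
    return False

def asa_permits(interface_acl, user_acl, proto, src, dst, per_user_override=False):
    """Combine interface ACL and downloaded ACL under the assumed semantics."""
    if user_acl is None:  # unauthenticated host: only the interface ACL applies
        return evaluate(interface_acl, proto, src, dst)
    if per_user_override:  # downloaded ACL replaces the interface ACL
        return evaluate(user_acl, proto, src, dst)
    # default: the interface ACL is consulted (so its counters increment), then
    # the downloaded ACL must also permit, otherwise its implicit deny drops it
    return (evaluate(interface_acl, proto, src, dst)
            and evaluate(user_acl, proto, src, dst))

# Constructed sample ACLs using documentation addresses, not from the thread.
ACL_IN = [Ace("permit", "icmp", "10.1.1.0/24", "0.0.0.0/0"),
          Ace("permit", "tcp", "10.1.1.0/24", "0.0.0.0/0")]
DACL = [Ace("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32")]

def demo():
    HITS.clear()
    host, outside, web = "10.1.1.5", "198.51.100.1", "192.0.2.10"
    return {
        "ping_before_auth": asa_permits(ACL_IN, None, "icmp", host, outside),
        "ping_after_auth": asa_permits(ACL_IN, DACL, "icmp", host, outside),
        "web_after_auth": asa_permits(ACL_IN, DACL, "tcp", host, web),
        "ping_with_override": asa_permits(ACL_IN, DACL, "icmp", host, outside, True),
        "interface_icmp_hits": HITS.get(ACL_IN[0], 0),
    }
```

Running demo() reproduces the symptom: the ping is permitted before authentication, the interface ACE counter still climbs afterwards, but the downloaded ACL's implicit deny drops the ping once the user is authenticated.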
Received on Tue Apr 07 2009 - 10:05:00 ART
This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART