The downloadable ACL defines what the user is authorized to access after
successful authentication. There are two ways:
First: this requires that the same access provided through the downloadable ACL
also exists in the interface ACL.
1) The authentication and authorization ACLs are checked.
2) The interface ACL is checked.
After successful authorization, the traffic is then checked by the interface
ACL.
Second: the "per-user-override".
There's a really good document on troubleshooting ASA that we did for the
Mid Atlantic Cisco User Group here:
http://www.netcraftsmen.net/cmug/20090115-CMUG-Troubleshooting_Firewalls.pdf
Regards,
----------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
http://www.netcraftsmen.net
------------------------------------------------------------------------
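The two arrangements described in the reply above, as an added ASA configuration example (not from the reply, the original post, or the linked document). ACL names, the AAA server name and address, the RADIUS key and the trigger ports are assumptions chosen for illustration; the only non-arbitrary parts are the command keywords themselves.

```cisco
! Added example, not from the thread. INSIDE_IN, AUTH_MATCH, ACS, 10.1.1.5
! and the key are made-up names/values.

! Interface ACL: what an inside host may do before it authenticates. ICMP is
! permitted here so the pre-login ping works; web is permitted so the
! cut-through proxy can intercept the session and prompt for credentials.
access-list INSIDE_IN extended permit icmp any any
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https

! Flows that trigger authentication (cut-through proxy).
access-list AUTH_MATCH extended permit tcp any any eq www
access-list AUTH_MATCH extended permit tcp any any eq https

! Downloadable ACLs are delivered by RADIUS, so the ACS server is defined as
! a RADIUS server (the downloadable ACL itself is defined on ACS, not here).
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key S3cretKey
aaa authentication match AUTH_MATCH inside ACS

! Pick ONE of the following two access-group lines for the interface.

! Arrangement 1 (no keyword): once the user has authenticated, a flow has to
! be permitted by both the downloaded ACL and INSIDE_IN.
access-group INSIDE_IN in interface inside

! Arrangement 2 (per-user-override): the downloaded ACL overrides INSIDE_IN
! for that user's traffic.
access-group INSIDE_IN in interface inside per-user-override
```

Under either arrangement the downloaded ACL has to permit the flow, and like any ASA ACL it ends in an implicit deny, so a protocol that is in the interface ACL but missing from the downloaded ACL (ICMP in the example above, if the ACS-side ACL only lists TCP) is passed before login and dropped after it. To check which ACL is actually in play for a logged-in host, `show uauth` lists the authenticated users and `show access-list` shows the interface ACL alongside the dynamically downloaded one with per-line hit counts.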
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Jason Morris
Sent: Tuesday, April 07, 2009 9:45 AM
To: ccielab_at_groupstudy.com
Subject: downloadable ACLs
I'm having some issues with a downloadable ACL on an ASA and ACS 4.2.
I have the authentication on the ASA configured and the ACL gets pushed down
just fine. I want the ASA to process the downloaded ACL for the user and
then process the ACL on the incoming interface. Seems simple enough; as I
understand it, that's the default operation.
This is what I'm currently seeing. I have a host on the inside of the ASA
which, before authenticating, can ping a host on the outside of the ASA. I
see counters on the interface ACL increment when he pings, I get a response,
everything is peachy. Once that user authenticates I can pass all the
traffic permitted in the downloadable ACL and I still see the counters in
the interface ACL increment, but I don't get a response from the traffic that
passes on the interface ACL.
Anyone familiar with this?
Thanks
Jason
Received on Tue Apr 07 2009 - 11:40:54 ART