Re: downloadable ACLs

From: Jason Morris <mcnever_at_gmail.com>
Date: Tue, 7 Apr 2009 12:09:55 -0400

After looking a little closer at the ASA, it appears that my pings, after
authentication, aren't making it to the outside interface. The interface
counters aren't incrementing. But it does match on the inside ACL on a
permit line. So it looks like there is another reason that it's stopping the
traffic after I authenticate.

Luan, that's my understanding as well, if I correctly understand what you're
saying.

Without the 'per-user-override' command I should be allowed to pass traffic
that is permitted in the interface ACL, right?

Like I said, I'm matching on a permit line on the inbound ACL, but the
traffic isn't leaving the ASA on the outside interface.

I've poked around and tried to run some debugs, but I'm not familiar enough
with ASAs. I've run a debug icmp trace and I get no output. Am I missing
something on the whole debugging thing with the ASA? Does it not work the
same way?

Thanks
Jason

On Tue, Apr 7, 2009 at 11:40 AM, Luan Nguyen <luan_at_netcraftsmen.net> wrote:

> The downloadable ACL defines what the user is authorized to access after
> successful authentication. There are 2 ways:
> First requires that the same access provided through the downloadable ACL
> also exists in the interface ACL.
> 1) authentication and authorization ACLs are checked
> 2) Interface ACL is checked.
> After successful authorization, the traffic is then checked by the
> interface ACL.
> Second is the "per-user-override".
>
> There's a really good document on troubleshooting ASA that we did for the
> Mid Atlantic Cisco User Group here:
>
> http://www.netcraftsmen.net/cmug/20090115-CMUG-Troubleshooting_Firewalls.pdf
>
> Regards,
>
>
> ------------------------------------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> http://www.netcraftsmen.net
> ------------------------------------------------------------------------
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jason Morris
> Sent: Tuesday, April 07, 2009 9:45 AM
> To: ccielab_at_groupstudy.com
> Subject: downloadable ACLs
>
> I'm having some issues with a downloadable ACL on an ASA and ACS4.2.
>
> I have the authentication on the ASA configured and the ACL gets pushed down
> just fine. I want the ASA to process the downloaded ACL for the user and
> then process the ACL on the incoming interface. Seems simple enough; as I
> understand it, that's the default operation.
>
> This is what I'm currently seeing. I have a host on the inside of the ASA
> which, before authenticating, can ping a host on the outside of the ASA. I
> see counters on the interface ACL increment when he pings, I get a
> response, everything is peachy. Once that user authenticates I can pass all
> the traffic permitted in the downloadable ACL and I still see the counters
> in the interface ACL increment, but I don't get a response from the traffic
> that passes on the interface ACL.
>
> Anyone familiar with this?
>
> Thanks
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue Apr 07 2009 - 12:09:55 ART
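As an added example (it is not part of the thread and is neither poster's configuration), the ASA cut-through-proxy setup below shows the two modes Luan describes side by side, followed by the commands that show what the ASA actually does with an authenticated user's packet. Interface names, addresses, ACL names, the RADIUS key and the server group name `ACS` are all hypothetical.

```text
! --- Added example; every name, address and key here is hypothetical ---
! Downloadable ACLs are delivered as RADIUS attributes (ACS 4.2 "Downloadable
! IP ACLs" under Shared Profile Components), so the ASA<->ACS server group
! must be RADIUS, not TACACS+.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key EXAMPLE-SHARED-SECRET

! Traffic that triggers cut-through-proxy authentication against ACS
access-list AUTH_TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 any
aaa authentication match AUTH_TRAFFIC inside ACS

! Interface ACL applied inbound on the inside interface
access-list INSIDE_IN extended permit icmp 10.1.1.0 255.255.255.0 any
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list INSIDE_IN deny ip any any

! Mode 1 (default): a packet from an authenticated user must be permitted
! by BOTH the downloaded per-user ACL and the interface ACL. The effective
! policy is the intersection of the two.
access-group INSIDE_IN in interface inside

! Mode 2: the downloaded per-user ACL REPLACES the interface ACL for that
! user's traffic. Whatever the dACL permits passes even where INSIDE_IN
! would deny it, so the dACL alone is the policy for that user.
! access-group INSIDE_IN in interface inside per-user-override

! --- Checks to run once a user has authenticated ---
! Authenticated users, their source addresses and timeouts; a user with a
! downloadable ACL shows the ACL bound to that entry.
show uauth
! The downloaded ACL appears as a normal ACL named #ACSACL#-IP-..., with
! per-line hit counts, next to the interface ACL's own counters.
show access-list
! Walk an ICMP echo request (type 8, code 0) from an inside host to an
! outside host through every phase (ACCESS-LIST, AAA, NAT, ...) and see
! which phase, if any, drops it.
packet-tracer input inside icmp 10.1.1.10 8 0 192.0.2.10 detailed
! Confirm on the wire whether the echo request actually leaves the outside
! interface, independent of any counters.
capture ICMPCAP interface outside match icmp any any
show capture ICMPCAP
```

The security point behind the choice of mode: with `per-user-override`, whoever writes the downloadable ACL on ACS decides what the user can reach, and the interface ACL no longer backstops them; with the default, the interface ACL still caps every user, so a permissive or mistaken dACL cannot widen access beyond it. `packet-tracer` and `capture` give a direct answer to "is the packet being dropped, and where" without relying on `debug` output.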

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART