RE: downloadable ACLs

From: Fred Reimer <freimer_at_ctiusa.com>
Date: Tue, 7 Apr 2009 12:46:20 -0400

On the ASA, configure an ACL to match the traffic and capture it with
the capture command. You can download the capture at
https://asaip/capture/capname/pcap where capname is the name of the
capture you configure. The format can be read by Wireshark.

The packet-tracer is also very useful, and probably would let you see
what is going on in more detail.

Fred Reimer, CCIE 23812, CISSP 107125
Senior Systems Architect
Coleman Technologies, Inc.
3250 W. Commercial Blvd., Suite 360
Oakland Park, FL 33309
Office: 407-481-8600 x1307
eFAX: 407-284-6681
Cell: 954-298-1697
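The workflow Fred describes (define a capture on the ASA, pull the pcap over HTTPS from https://asaip/capture/capname/pcap, open it in Wireshark) is easy to script, and the first thing worth checking for a problem like Jason's is simply whether the capture on the outside interface contains any packets at all. The following Python is an added example written for this thread, not code from the original posts or from Cisco. It assumes the URL layout given in the post, that the ASA's management HTTPS accepts HTTP basic authentication with the usual management credentials (an assumption, labelled in the code), and that the download is a classic libpcap file; the host name, capture name and credentials are placeholders. On the ASA side the capture itself is defined with `capture <name> access-list <acl> interface <ifname>` and inspected with `show capture <name>`, which this script does not drive.

```python
"""Fetch an ASA packet capture and sanity-check it before opening it in
Wireshark: confirm it really is a pcap (not an HTML login page), read the
global header, and count the records. Added example, not from the thread.
"""
import struct
import sys
import urllib.request
from typing import Dict, List

# libpcap magic 0xa1b2c3d4 as it appears in the first four bytes of the file.
_MAGIC_LE = b"\xd4\xc3\xb2\xa1"   # written by a little-endian host
_MAGIC_BE = b"\xa1\xb2\xc3\xd4"   # written by a big-endian host


def capture_url(asa_host: str, capture_name: str) -> str:
    """URL layout from the post: https://<asa>/capture/<name>/pcap."""
    return f"https://{asa_host}/capture/{capture_name}/pcap"


def download_capture(asa_host: str, capture_name: str,
                     username: str, password: str) -> bytes:
    """Pull the capture with HTTP basic auth (assumption: the management
    HTTPS interface accepts the same credentials used for ASDM/CLI)."""
    url = capture_url(asa_host, capture_name)
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr))
    with opener.open(url, timeout=30) as resp:
        return resp.read()


def parse_global_header(data: bytes) -> Dict[str, int]:
    """Decode the 24-byte libpcap global header; raise if it is not a pcap."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = data[:4]
    if magic == _MAGIC_LE:
        endian = "<"
    elif magic == _MAGIC_BE:
        endian = ">"
    else:
        # A common failure: the ASA answered with an HTML login page instead.
        raise ValueError(f"not a pcap file (magic {magic.hex()})")
    ver_major, ver_minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {"endian": endian, "version_major": ver_major,
            "version_minor": ver_minor, "snaplen": snaplen, "linktype": linktype}


def packet_lengths(data: bytes) -> List[int]:
    """Walk the per-packet records and return each captured length."""
    endian = parse_global_header(data)["endian"]
    lengths: List[int] = []
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        lengths.append(incl_len)
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return lengths


def summarize(data: bytes) -> Dict[str, int]:
    """What you want to know before opening Wireshark: did anything match?"""
    hdr = parse_global_header(data)
    lengths = packet_lengths(data)
    return {"linktype": hdr["linktype"], "packets": len(lengths),
            "bytes": sum(lengths)}


def build_pcap(packets: List[bytes], linktype: int = 1, snaplen: int = 1518) -> bytes:
    """Write a little-endian pcap; used here only to construct offline input."""
    out = bytearray(_MAGIC_LE + struct.pack("<HHiIII", 2, 4, 0, 0, snaplen, linktype))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1239120380 + i, 0, len(pkt), len(pkt))
        out += pkt
    return bytes(out)


# Constructed sample: two Ethernet-sized frames (42 and 74 bytes) standing in
# for an ICMP echo request and reply; contents are not real traffic.
SAMPLE_CAPTURE = build_pcap([b"\x00" * 42, b"\x00" * 74])

if __name__ == "__main__":
    if len(sys.argv) == 5:
        # usage: script.py <asa-host> <capture-name> <user> <password>
        data = download_capture(*sys.argv[1:5])
    else:
        data = SAMPLE_CAPTURE
    print(summarize(data))
```

Run it once against a capture bound to the outside interface and once against one bound to the inside interface: a non-empty inside capture with an empty outside capture says the packets are being dropped in the box, which is the point at which packet-tracer (for example `packet-tracer input inside icmp <src> 8 0 <dst>`) will name the phase that dropped them.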

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Jason Morris
Sent: Tuesday, April 07, 2009 12:10 PM
To: Luan Nguyen
Cc: ccielab_at_groupstudy.com
Subject: Re: downloadable ACLs

After looking a little closer at the ASA it appears that my pings, after
authentication, aren't making it to the outside interface. The interface
counters aren't incrementing. But it does match on the inside ACL on a
permit line. So it looks like there is another reason that it's stopping the
traffic after I authenticate.

Luan, that's my understanding as well, if I correctly understand what you're
saying.

Without the 'per-user-override' command I should be allowed to pass traffic
that is permitted in the interface ACL, right?

Like I said, I'm matching on a permit line on the inbound ACL, but the
traffic isn't leaving the ASA on the outside interface.

I've poked around and tried to run some debugs but I'm not familiar enough
with ASAs. I've run a debug icmp trace and I get no output. Am I missing
something on the whole debugging thing with the ASA, does it not work the
same way?

Thanks
Jason

On Tue, Apr 7, 2009 at 11:40 AM, Luan Nguyen <luan_at_netcraftsmen.net> wrote:

> The downloadable ACL defines what the user is authorized to access after
> successful authentication. There are 2 ways:
> First, requires that the same access provided through the downloadable ACL
> also exists in the interface ACL.
> 1) authentication and authorization ACLs are checked
> 2) Interface ACL is checked.
> After successful authorization, the traffic is then checked by the
> interface ACL.
> Second, is the "per-user-override"
>
> There's a really good document on troubleshooting ASA that we did for the
> Mid Atlantic Cisco User Group here:
>
> http://www.netcraftsmen.net/cmug/20090115-CMUG-Troubleshooting_Firewalls.pdf
>
> Regards,
>
> ------------------------------------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> http://www.netcraftsmen.net
> ------------------------------------------------------------------------
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jason Morris
> Sent: Tuesday, April 07, 2009 9:45 AM
> To: ccielab_at_groupstudy.com
> Subject: downloadable ACLs
>
> I'm having some issues with a downloadable ACL on an ASA and ACS 4.2.
>
> I have the authentication on the ASA configured and the ACL gets pushed down
> just fine. I want the ASA to process the downloaded ACL for the user and
> then process the ACL on the incoming interface. Seems simple enough, as I
> understand it that's the default operation.
>
> This is what I'm currently seeing. I have a host on the inside of the ASA
> which, before authenticating, can ping a host on the outside of the ASA. I
> see counters on the interface ACL increment when he pings, I get a response,
> everything is peachy. Once that user authenticates I can pass all the
> traffic permitted in the downloadable ACL and I still see the counters in
> the interface ACL increment but I don't get a response from the traffic that
> passes on the interface ACL.
>
> Anyone familiar with this?
>
> Thanks
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
>
Received on Tue Apr 07 2009 - 12:46:20 ART

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:11 ART