https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4990221#M586079 <P>That was it - the syntax was valid against the ISE checker with a standard subnet.&nbsp;</P> Thu, 04 Jan 2024 17:20:44 GMT Chris S 2024-01-04T17:20:44Z https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4989906#M586066 <P>Deploying ISE and trying to finalize some restrictions.&nbsp; It seems the DACL defined in ISE is not what the switch is applying to the port. Any ideas why the switch is changing the deny statements?&nbsp;</P><UL><LI>ISE 3.1 (patch <span class="lia-unicode-emoji" title=":smiling_face_with_sunglasses:">😎</span></LI><LI>C1000-8FP-E-2G-L</LI></UL><P>Here is what we have defined in ISE:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ise_dacl.jpg" style="width: 373px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/206427i1926C0D5B9D08FF4/image-size/medium?v=v2&amp;px=400" role="button" title="ise_dacl.jpg" alt="ise_dacl.jpg" /></span></P><P>Here is what the switch is applying:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sw_dacl.jpg" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/206428i8948A4E7B23B69F8/image-size/medium?v=v2&amp;px=400" role="button" title="sw_dacl.jpg" alt="sw_dacl.jpg" /></span></P> Thu, 04 Jan 2024 13:24:20 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4989906#M586066 Chris S 2024-01-04T13:24:20Z https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4989909#M586067 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/285637">@Chris S</a> use the wildcard not the subnet mask when configuring the DACL.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobIngram_0-1704378645343.png" style="width: 352px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/206446i5EC8A55C08004C30/image-dimensions/352x277?v=v2" width="352" height="277" role="button" title="RobIngram_0-1704378645343.png" alt="RobIngram_0-1704378645343.png" /></span></P> <P>Also you can use <STRONG>Check DACL Syntax</STRONG> to confirm the syntax is correct.</P> <P>&nbsp;</P> Thu, 04 Jan 2024 14:31:33 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4989909#M586067 Rob Ingram 2024-01-04T14:31:33Z https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4990221#M586079 <P>That was it - the syntax was valid against the ISE checker with a standard subnet.&nbsp;</P> Thu, 04 Jan 2024 17:20:44 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/4990221#M586079 Chris S 2024-01-04T17:20:44Z https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/5247117#M594205 <P>This is clear.</P> <P>Based on this documentation:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference-convert/A-H/cmdref1/a2.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference-convert/A-H/cmdref1/a2.html</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-acls.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-acls.html</A></P> <H3 class="title sectiontitle">Additional Guidelines</H3> <UL class="ul"> <LI id="ID-2069-000000e9__li_659CCCDEBD824BE7ABC60A86DDEA73CA" class="li"> <P class="p">When you specify a network mask, the method is different from the Cisco IOS software <STRONG id="ID-2069-000000e9__ID-2069-000000fd" class="ph b">access-list</STRONG> command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).</P> </LI> </UL> <P>So for switch/wlc you should write down dACL in ISE with wildcard on your mind, but what about ASA in this case ?</P> <P>So am I right if I said it has different result when I use the same dACL in one case for:</P> <P>- with switch/wlc</P> <P>and</P> <P>on another case for ASA/FTD ?</P> <P>&nbsp;</P> <P>For example in case I need to allow comunication from any to X.Y.0.0/16.</P> <P>I should solve it like this:</P> <P>permit ip any X.Y.0.0 0.0.255.255 syntax for dacl used in authz prof for switch/wlc.</P> <P>but I should use different dACL syntax for ASA/FTD:</P> <P>permit ip any X.Y.0.0 255.255.0.0 syntax for dacl used in authz prof for asa/ftd.</P> <P>or</P> <P>I could use the same dACL for switch/wlc, but than I have to use acl-netmask-convert in AAA radius server group in ASA/FTD either with auto-detect or wildcard.</P> <P>I assume using dACL with wildcard syntax needed for switch/wlc in case with ASA breaks thinks with error something like this.<BR /><BR /><SPAN>ERROR: IP address,mask &lt;X.Y.0.0,0.0.255.255&gt; doesn't pair</SPAN></P> <P>Am I right ?</P> <SECTION> <H2 class="pCRC_CmdRefCommand">acl-netmask-convert</H2> <P class="pB1_Body1"><A name="pgfId-1712777" target="_blank"></A>To specify how the ASA treats netmasks received in a downloadable ACL from a RADIUS server that is accessed by using the <STRONG class="cCN_CmdName"> aaa-server host </STRONG> command, use the acl-netmask-convert command in aaa-server host configuration mode. To remove the specified behavior for the ASA, use the <STRONG class="cCN_CmdName"> no</STRONG> form of this command.</P> <P class="pCENB_CmdEnv_NoBold"><A name="pgfId-1712784" target="_blank"></A><STRONG class="cCN_CmdName"> acl-netmask-convert</STRONG> {<STRONG class="cCN_CmdName"> auto-detect</STRONG> | <STRONG class="cCN_CmdName"> standard</STRONG> | <STRONG class="cCN_CmdName"> wildcard</STRONG> }</P> <P class="pCENB_CmdEnv_NoBold"><A name="pgfId-1712785" target="_blank"></A><STRONG class="cBold"> no acl-netmask-convert</STRONG></P> <SECTION> <H3 class="pCRSD_CmdRefSynDesc">Syntax Description</H3> <SECTION> <DIV class="tableContainer"> <TABLE border="1" width="96%" cellspacing="0" cellpadding="3"> <TBODY> <TR align="left" valign="top"> <TD> <P class="pB1_Body1"><A name="pgfId-1712788" target="_blank"></A><STRONG class="cCN_CmdName"> auto-detect</STRONG></P> </TD> <TD> <P class="pB1_Body1"><A name="pgfId-1712792" target="_blank"></A>Specifies that the ASA should attempt to determine the type of netmask expression used. If the ASA detects a wildcard netmask expression, it converts it to a standard netmask expression. See “Usage Guidelines” for more information about this keyword.</P> </TD> </TR> <TR align="left" valign="top"> <TD> <P class="pB1_Body1"><A name="pgfId-1712795" target="_blank"></A>standard</P> </TD> <TD> <P class="pB1_Body1"><A name="pgfId-1712799" target="_blank"></A>Specifies that the ASA assumes downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed.</P> </TD> </TR> <TR align="left" valign="top"> <TD> <P class="pB1_Body1"><A name="pgfId-1712802" target="_blank"></A>wildcard</P> </TD> <TD> <P class="pB1_Body1"><A name="pgfId-1712806" target="_blank"></A>Specifies that the ASA assumes downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions and converts them all to standard netmask expressions when the ACLs are downloaded.</P> </TD> </TR> </TBODY> </TABLE> </DIV> </SECTION> </SECTION> <SECTION> <H3 class="pCRD_CmdRefDefaults">Defaults</H3> <P class="pB1_Body1"><A name="pgfId-1712810" target="_blank"></A>By default, no conversion from wildcard netmask expressions is performed.</P> <P class="pB1_Body1"><A name="pgfId-1712872" target="_blank"></A>Usage Guidelines</P> </SECTION> </SECTION> <SECTION> <SECTION> <P class="pB1_Body1"><A name="pgfId-1712874" target="_blank"></A>Use the <STRONG class="cBold"> acl-netmask-convert</STRONG> command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The ASA expects downloadable ACLs to contain standard netmask expressions whereas Cisco VPN 3000 series concentrators expect downloadable ACLs to contain wildcard netmask expressions, which are the reverse of a standard netmas expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match.The <STRONG class="cBold"> acl-netmask-convert</STRONG> command helps minimize the effects of these differences upon how you configure downloadable ACLs on your RADIUS servers.</P> <P class="pB1_Body1"><A name="pgfId-1712878" target="_blank"></A>The <STRONG class="cBold"> auto-detect</STRONG> keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with “holes” in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 series concentrators, but the ASA may not detect this expression as a wildcard netmask.</P> </SECTION> </SECTION> Tue, 14 Jan 2025 17:56:17 GMT https://community.cisco.com/t5/network-access-control/ise-dacl-differnet-than-what-switch-is-applying/m-p/5247117#M594205 stayd 2025-01-14T17:56:17Z