https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936325#M1104877 <P>As far as i know, ISE (AD-auth) is used for authentification. Do i need to change DACL in ISE or FMC?</P> Sun, 08 Oct 2023 18:33:53 GMT oetti 2023-10-08T18:33:53Z https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936304#M1104875 <P>Hi,</P><P>i've an FPR1140 cluster up and running, which was installed and configured by a former service provider. I need to add some networks to&nbsp; the default/standard VPN-ACL which is used by most of our employees. The navigation under "Objects -&gt; Access List -&gt; Extended" is completely empty (see screenshot).</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fmc.PNG" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/199166i6CA488754C832E0A/image-size/medium?v=v2&amp;px=400" role="button" title="fmc.PNG" alt="fmc.PNG" /></span></P><P>The cli instead shows the current policy which needs to be modified. Where can i add an additional entry to this acl to permit access to a new network on our site? (I've replaced some IPs/networks for security reasons).</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="cpp">&gt; show access-list | grep vpn access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49; 8 elements; name hash: 0x8b430b4d (dynamic) access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 1 extended permit udp any4 host 1.1.1.1 eq domain (hitcnt=40344) 0xc119c88e access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 2 extended permit ip any4 192.168.1.0 255.255.255.0 (hitcnt=994) 0x5d410ef2 access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 3 extended permit ip any4 192.168.2.0 255.255.255.0 (hitcnt=9197) 0x0ee616d8 [... add. rules here ...] access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 8 extended deny ip any4 any4 (hitcnt=26451) 0x18154f61</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>oetti</P><P>&nbsp;</P> Sun, 08 Oct 2023 16:37:11 GMT https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936304#M1104875 oetti 2023-10-08T16:37:11Z https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936315#M1104876 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1609257">@oetti</a> #<STRONG>ACSACL</STRONG># implies a Downloadable ACL (DACL) has been applied, do you authenticate the users via RADIUS (ISE or ACS)? If so amend the DACL there.</P> <P>&nbsp;</P> Sun, 08 Oct 2023 17:45:16 GMT https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936315#M1104876 Rob Ingram 2023-10-08T17:45:16Z https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936325#M1104877 <P>As far as i know, ISE (AD-auth) is used for authentification. Do i need to change DACL in ISE or FMC?</P> Sun, 08 Oct 2023 18:33:53 GMT https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936325#M1104877 oetti 2023-10-08T18:33:53Z https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936328#M1104878 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1609257">@oetti</a> the DACL is deployed from ISE. Modify the DACL referenced in the authorisation profile - <A href="https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html</A></P> <P>&nbsp;</P> Sun, 08 Oct 2023 18:37:28 GMT https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936328#M1104878 Rob Ingram 2023-10-08T18:37:28Z https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936469#M1104887 <P>Thanks Rob.</P><P>I've changed the DACL content in ISE and it works as expected.</P> Mon, 09 Oct 2023 08:58:48 GMT https://community.cisco.com/t5/network-security/find-extended-acls-in-fmc/m-p/4936469#M1104887 oetti 2023-10-09T08:58:48Z