11-09-2009 10:37 AM - edited 03-11-2019 09:38 AM
When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW. Is this true?
Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"? Would it then enforce that ACL? So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server? Even if I was authenticating from say, my workstation?
12-02-2009 09:40 AM
When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW. Is this true?
- True, unless you bound the DACL to the user and that user always uses a static IP address.
Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"? Would it then enforce that ACL?
- The DACL will always be enforced whether you use "any" or a host IP address; however, if the IP address used as source does not match the DACL then it will always deny traffic.
Don't Follow the one below:
So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server? Even if I was authenticating from say, my workstation?
What do you mean with that?
12-02-2009 01:18 PM
I am thinking (based on your response) that what I want to do is not possible.....
The fundamental functionality of a DACL is a user has limited access, they hit the firewall, authenticate, and a new set of rules is applied which allows new access.
The intention of this (and possibly the only way it works) is for my workstation to have no access, my workstation to authenticate, and my workstation to have additional access. What I was inquiring about is the ability for a DACL to impact an unrelated system.
So, for example, my workstation has full access to everything, but Server A cannot talk to Server B. Could I hit the firewall from my workstation, authenticate, and download an ACL that allows Server A to then communicate with Server B?
12-02-2009 01:27 PM
I don't think that works that way since the DACL is downloaded per session, it has an identifier that applies only for the user that authenticates.
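As an added illustration of what the replies describe (this configuration is not from the thread; the interface names, addresses and object names are assumed lab values, and the RADIUS shared secret is a placeholder), the fragment below shows a cut-through proxy setup on an ASA with a per-user ACL delivered from the RADIUS server. The downloaded entries are bound to the session of the host that authenticated, so a source of "any" effectively means that host, and an entry written for a different source address simply never matches that session's traffic.

```cisco
! ASA side (assumed lab values: inside network 10.1.1.0/24,
! RADIUS server 10.1.1.5, backup server 10.2.2.20)
aaa-server RADIUS-ACS protocol radius
aaa-server RADIUS-ACS (inside) host 10.1.1.5
 key SHARED-SECRET-PLACEHOLDER
!
! Traffic from the inside network must authenticate (cut-through proxy)
access-list AUTH-REQUIRED extended permit tcp 10.1.1.0 255.255.255.0 any
aaa authentication match AUTH-REQUIRED inside RADIUS-ACS
!
! Base interface ACL: nothing is allowed until a per-user ACL overrides it.
! "per-user-override" lets the downloaded ACL replace this ACL for the
! authenticated host's session only.
access-list INSIDE-IN extended deny ip any any
access-group INSIDE-IN in interface inside per-user-override
!
! RADIUS side (user attributes returned in Access-Accept for "BackupAdmin"):
!   cisco-av-pair = ip:inacl#1=permit tcp any host 10.2.2.20 eq 22
!   cisco-av-pair = ip:inacl#2=deny ip any any
!
! Because the entries are tied to the uauth session of the workstation that
! authenticated, "any" as the source covers only that workstation. Writing
! "host <Server A>" as the source instead would not grant Server A anything;
! it would just fail to match the workstation's traffic and deny it.
```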