Solved: Cisco ISE 2.1 - How to put ESP/AH in downloadable ACL ???

Frank Lothar Weber · ‎02-08-2017

Hi, folks.

Maybe somebody can give me a hint with this :

It seems like it is not possible to implement a downloadable ACL on ISE, that allows ESP or AH (protocols 50 and 51) .....

You cannot save the DACL like this. Is that supposed to be like this ??

The funny thing is, esp WAS already in that DACL, it has been put in a long time ago (maybe under ISE 1.2 or 1.3 which then got upgraded to 2.1), I tried to add another line to it and then I cannot save it anymore, unless I remove ESP from it.

Same goes for protocol AH ....

I do not believe that it is supposed to be like this, however, if it really is:

How can I put ESP and AH to be allowed in a downloadable ACL on ISE 2.1 ????

Rgs

Frank

Rahul Govindan · ‎02-08-2017

I think this might be a problem with the DACL syntax checker itself. I think DACL support has always been ip, tcp, udp and icmp, even in 1.3:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010100.html#ID448

You should still be able to save this (will give you a warning) and test if this gets downloaded to the switch. I was able to save mine after ignoring the warning.

View solution in original post

Rahul Govindan · ‎02-08-2017

I think this might be a problem with the DACL syntax checker itself. I think DACL support has always been ip, tcp, udp and icmp, even in 1.3:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_010100.html#ID448

You should still be able to save this (will give you a warning) and test if this gets downloaded to the switch. I was able to save mine after ignoring the warning.

Frank Lothar Weber · ‎02-08-2017

Hi,

good call !!!

ISE saved it and it gets downloaded and applied by the switch when a client authenticates ....

Thx !!!