Beginner

DACL format for Cisco ISE & ACS

Hi, could anyone direct me to where I can find the DACL format for Cisco ISE?

Because when I use a simple ACL like

permit tcp any 10.8.26.0 0.0.0.255 eq 3389

My ASA says in log:

Unable to install ACL '#ACSACL#-IP-standart_vpn-50fa79e7', downloaded for user krasnoperov_as; Error in ACE: 'permit tcp any 10.8.26.0 0.0.0.255 eq 3389'

But when I use

permit tcp any host 10.8.26.1 eq 3389

It installs correctly. Why does this happen?

thanks

Accepted Solution
Cisco Employee

Hi,

Because that is not a correct extended access-list for the ASA (bad mask). Example:

ciscoasa(config)# access-list test extended permit tcp any 10.8.26.0 0.0.0.255 eq 3389

ERROR: IP address,mask <10.8.26.0,0.0.0.255> doesn't pair

You need to type a correct extended ACL without the "access-list name extended" part.

This should work fine:

ciscoasa(config)# access-list test extended permit tcp any 10.8.26.0 255.255.255.0 eq 3389

Remember about wildcard/netmask: it's not a router.

More info with examples:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150860

---

Michal

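The wildcard-versus-netmask point Michal makes above is easy to pre-check before a dACL is pushed from ISE or ACS to an ASA. The script below is an added example written for this page; it is not code from the thread, from Cisco, or from ISE. It classifies every address/mask pair in an ACE as a netmask (the form the ASA expects) or a wildcard (the IOS router form), rewrites wildcards to netmasks, strips an `access-list NAME extended` prefix, and reproduces the ASA's "doesn't pair" check as I understand it (the address must have no bits set outside the netmask); that rule is an assumption on my part, not taken from Cisco documentation. The sample dACL lines are constructed; only the first two come from the thread.

```python
import re
from ipaddress import IPv4Address

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A dACL line must contain only the ACE itself; this prefix is what people
# paste by habit from an ASA config and it does not belong in a dACL.
ACL_PREFIX = re.compile(r"^\s*access-list\s+\S+\s+extended\s+", re.IGNORECASE)

# Constructed sample dACL. The first two ACEs are the ones from the thread;
# the remaining lines are made up to exercise the other code paths.
SAMPLE_DACL = [
    "permit tcp any 10.8.26.0 0.0.0.255 eq 3389",
    "permit tcp any host 10.8.26.1 eq 3389",
    "access-list standart_vpn extended permit udp any 10.8.0.0 255.255.0.0 eq 53",
    "permit ip 10.8.26.0 255.255.255.0 10.8.30.0 0.0.0.63",
    "permit tcp any 10.8.26.5 255.255.255.0 eq 22",
    "deny ip any any",
]


def _is_ipv4(tok):
    return bool(IPV4.match(tok)) and all(0 <= int(o) <= 255 for o in tok.split("."))


def _to_int(s):
    return int(IPv4Address(s))


def _to_str(n):
    return str(IPv4Address(n))


def classify_mask(mask):
    """Return 'netmask' (contiguous ones from the left, ASA style), 'wildcard'
    (contiguous ones from the right, IOS style) or 'invalid'. 0.0.0.0 and
    255.255.255.255 have both shapes; they are read as netmasks because that
    is how the ASA treats them."""
    m = _to_int(mask)
    inv = ~m & 0xFFFFFFFF
    if inv & (inv + 1) == 0:
        return "netmask"
    if m & (m + 1) == 0:
        return "wildcard"
    return "invalid"


def wildcard_to_netmask(wildcard):
    """0.0.0.255 -> 255.255.255.0 (bitwise complement)."""
    return _to_str(~_to_int(wildcard) & 0xFFFFFFFF)


def address_pairs_with_mask(addr, netmask):
    """Assumed reproduction of the ASA 'IP address,mask doesn't pair' rule:
    the address may not have bits set outside the netmask."""
    return (_to_int(addr) & ~_to_int(netmask) & 0xFFFFFFFF) == 0


def asa_accepts(addr, mask):
    """True if the ASA, which always reads the mask as a netmask, would take
    this address/mask pair as written."""
    return classify_mask(mask) == "netmask" and address_pairs_with_mask(addr, mask)


def normalize_ace(line):
    """Rewrite one ACE into the form the ASA accepts inside a dACL and collect
    notes about what was changed or what would still be rejected.
    Returns (fixed_line, notes)."""
    notes = []
    original = line.strip()
    stripped = ACL_PREFIX.sub("", original)
    if stripped != original:
        notes.append("removed 'access-list NAME extended' prefix (dACL lines carry only the ACE)")
    toks = stripped.split()
    i = 0
    while i < len(toks) - 1:
        # Two dotted quads in a row are an address/mask pair; 'host X' and
        # port numbers never match this shape, so they are skipped.
        if _is_ipv4(toks[i]) and _is_ipv4(toks[i + 1]):
            addr, mask = toks[i], toks[i + 1]
            kind = classify_mask(mask)
            if kind == "wildcard":
                mask = wildcard_to_netmask(mask)
                notes.append(f"wildcard {toks[i + 1]} rewritten as netmask {mask}")
                toks[i + 1] = mask
            if kind == "invalid":
                notes.append(f"mask {mask} is neither a netmask nor a wildcard")
            elif not address_pairs_with_mask(addr, mask):
                notes.append(f"{addr} has host bits set outside {mask}; ASA would reject it")
            i += 2
        else:
            i += 1
    return " ".join(toks), notes


def lint_dacl(lines):
    """Run normalize_ace over a whole dACL; returns [(original, fixed, notes), ...]."""
    return [(line, *normalize_ace(line)) for line in lines]


if __name__ == "__main__":
    for original, fixed, notes in lint_dacl(SAMPLE_DACL):
        print(f"{original}\n  -> {fixed}")
        for note in notes:
            print(f"     note: {note}")
```

Run it over the dACL text before saving it in ISE: any line that produces a "would reject" note is one the ASA will refuse at session setup, which leaves the VPN user with no dACL applied at all rather than a partially working one.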

2 Replies

Thanks, I forgot about the ACL format for the ASA, just because I use ASDM day to day.
