ISE dACL different than what switch is applying

Chris S
Level 1

Deploying ISE and trying to finalize some restrictions. It seems the DACL defined in ISE is not what the switch is applying to the port. Any ideas why the switch is changing the deny statements?

  • ISE 3.1 (patch
  • C1000-8FP-E-2G-L

Here is what we have defined in ISE:

ise_dacl.jpg

Here is what the switch is applying:

sw_dacl.jpg

Accepted Solution

@Chris S use the wildcard not the subnet mask when configuring the DACL.

RobIngram_0-1704378645343.png

Also you can use Check DACL Syntax to confirm the syntax is correct.

 


3 Replies


That was it - the syntax was valid against the ISE checker with a standard subnet. 

This is clear.

Based on this documentation:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference-convert/A-H/cmdref1/a2.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/firewall/asa-910-firewall-config/access-acls.html

Additional Guidelines

  • When you specify a network mask, the method is different from the Cisco IOS software access-list command. The ASA uses a network mask (for example, 255.255.255.0 for a Class C mask). The Cisco IOS mask uses wildcard bits (for example, 0.0.0.255).

So for switch/WLC you should write the dACL in ISE with wildcard masks in mind, but what about ASA in this case?

So am I right if I say it has a different result when I use the same dACL in one case for:

- with switch/wlc

and

on another case for ASA/FTD ?

 

For example, in case I need to allow communication from any to X.Y.0.0/16.

I should solve it like this:

permit ip any X.Y.0.0 0.0.255.255 syntax for the dACL used in the authz profile for switch/WLC.

but I should use different dACL syntax for ASA/FTD:

permit ip any X.Y.0.0 255.255.0.0 syntax for the dACL used in the authz profile for ASA/FTD.

or

I could use the same dACL for switch/WLC, but then I have to use acl-netmask-convert in the AAA RADIUS server group on ASA/FTD, either with auto-detect or wildcard.

I assume using a dACL with the wildcard syntax needed for switch/WLC with an ASA breaks things with an error something like this:

ERROR: IP address,mask <X.Y.0.0,0.0.255.255> doesn't pair

Am I right ?

acl-netmask-convert

To specify how the ASA treats netmasks received in a downloadable ACL from a RADIUS server that is accessed by using the aaa-server host command, use the acl-netmask-convert command in aaa-server host configuration mode. To remove the specified behavior for the ASA, use the no form of this command.

acl-netmask-convert { auto-detect | standard | wildcard }

no acl-netmask-convert

Syntax Description

auto-detect

Specifies that the ASA should attempt to determine the type of netmask expression used. If the ASA detects a wildcard netmask expression, it converts it to a standard netmask expression. See “Usage Guidelines” for more information about this keyword.

standard

Specifies that the ASA assumes downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed.

wildcard

Specifies that the ASA assumes downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions and converts them all to standard netmask expressions when the ACLs are downloaded.

Defaults

By default, no conversion from wildcard netmask expressions is performed.

Usage Guidelines

Use the acl-netmask-convert command with the wildcard or auto-detect keywords when a RADIUS server provides downloadable ACLs that contain netmasks in wildcard format. The ASA expects downloadable ACLs to contain standard netmask expressions whereas Cisco VPN 3000 series concentrators expect downloadable ACLs to contain wildcard netmask expressions, which are the reverse of a standard netmask expression. A wildcard mask has ones in bit positions to ignore, zeros in bit positions to match. The acl-netmask-convert command helps minimize the effects of these differences upon how you configure downloadable ACLs on your RADIUS servers.

The auto-detect keyword is helpful when you are uncertain how the RADIUS server is configured; however, wildcard netmask expressions with “holes” in them cannot be unambiguously detected and converted. For example, the wildcard netmask 0.0.255.0 permits anything in the third octet and can be used validly on Cisco VPN 3000 series concentrators, but the ASA may not detect this expression as a wildcard netmask.
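Added example (not from this thread, and not Cisco code): a Python script that emulates both things discussed above. First, what a wildcard-syntax device (Catalyst switch or WLC) actually matches when it is handed a subnet mask by mistake, which is the symptom in the original post. Second, what the three acl-netmask-convert modes do to a downloaded dACL, including the "holes" case that auto-detect cannot resolve. The sample dACL is constructed; how auto-detect treats an all-zero or all-one mask, and that it leaves an ambiguous mask unchanged with a warning, are assumptions in this script, not documented ASA behavior.

```python
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample dACL in the wildcard syntax a switch/WLC expects.
# Line 4 deliberately carries a subnet mask instead of a wildcard (the mistake
# in the original post); line 5 carries a mask with a "hole" (0.0.255.0).
SAMPLE_DACL = """\
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
deny ip any 10.20.0.0 0.0.255.255
deny ip any 192.168.1.0 255.255.255.0
permit ip any 10.30.0.0 0.0.255.0
permit ip any any"""


def mask_kind(mask: str) -> str:
    """Classify a mask by bit shape: 'standard' (ones from the MSB, e.g.
    255.255.0.0), 'wildcard' (zeros from the MSB, e.g. 0.0.255.255),
    'either' (all-zero or all-one, valid in both syntaxes) or
    'ambiguous' (holes, e.g. 0.0.255.0)."""
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ ALL_ONES
    standard = (inv + 1) & inv == 0   # ~m is 2^k-1 => m is contiguous ones from the MSB
    wildcard = (m + 1) & m == 0       # m is 2^k-1 => m is contiguous ones from the LSB
    if standard and wildcard:
        return "either"
    return "standard" if standard else "wildcard" if wildcard else "ambiguous"


def invert_mask(mask: str) -> str:
    """Turn a wildcard into a subnet mask or vice versa (bitwise NOT)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))


def address_mask_pairs(tokens):
    """Token indexes (addr_i, mask_i) of each 'A.B.C.D M.M.M.M' operand in an ACE."""
    pairs, i = [], 2                        # tokens[0] action, tokens[1] protocol
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("host", "eq", "gt", "lt", "neq"):
            i += 2                          # keyword plus one argument
        elif tok == "range":
            i += 3
        elif IPV4.fullmatch(tok) and i + 1 < len(tokens) and IPV4.fullmatch(tokens[i + 1]):
            pairs.append((i, i + 1))
            i += 2
        else:
            i += 1                          # any, log, established, ...
    return pairs


def convert_dacl(dacl: str, mode: str):
    """Emulate ASA 'acl-netmask-convert {standard|wildcard|auto-detect}'.
    Returns (converted_text, warnings); output is in standard (subnet-mask)
    syntax, which is what the ASA/FTD applies."""
    out, warnings = [], []
    for lineno, line in enumerate(dacl.splitlines(), 1):
        tokens = line.split()
        if not tokens:
            continue
        for _, mi in address_mask_pairs(tokens):
            kind = mask_kind(tokens[mi])
            if mode == "wildcard":
                tokens[mi] = invert_mask(tokens[mi])      # converts every mask, blindly
            elif mode == "auto-detect":
                if kind == "wildcard":
                    tokens[mi] = invert_mask(tokens[mi])
                elif kind == "ambiguous":                   # assumption: left as-is, flagged
                    warnings.append(f"line {lineno}: mask {tokens[mi]} has holes; left unchanged")
            elif mode != "standard":
                raise ValueError(f"unknown mode {mode!r}")
        out.append(" ".join(tokens))
    return "\n".join(out), warnings


def matches(ip: str, addr: str, mask: str, wildcard_syntax: bool) -> bool:
    """Does ip fall inside the ACE operand when the mask is read as a wildcard
    (switch/WLC) or as a subnet mask (ASA/FTD)?"""
    m = int(ipaddress.IPv4Address(mask))
    care = (m ^ ALL_ONES) if wildcard_syntax else m      # bits that must be equal
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


if __name__ == "__main__":
    # The switch reads 255.255.255.0 as a wildcard: only the last octet must match.
    for ip in ("192.168.1.5", "10.99.77.0"):
        print(ip, "hit by 'deny ip any 192.168.1.0 255.255.255.0' on a switch:",
              matches(ip, "192.168.1.0", "255.255.255.0", wildcard_syntax=True))
    for mode in ("standard", "wildcard", "auto-detect"):
        text, warns = convert_dacl(SAMPLE_DACL, mode)
        print(f"\n--- acl-netmask-convert {mode} ---\n{text}")
        for w in warns:
            print("WARNING:", w)
```

The first loop reproduces the post's symptom: with a subnet mask on a wildcard-syntax device, the deny no longer covers 192.168.1.5 but does cover any address ending in .0, so the port ACL the switch shows looks nothing like what was typed. The conversion loop shows why the same dACL cannot be shared verbatim between a switch/WLC and an ASA/FTD unless acl-netmask-convert is set, and why a mask with holes such as 0.0.255.0 still needs to be rewritten by hand.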