10-08-2023 09:37 AM
Hi,
I've an FPR1140 cluster up and running, which was installed and configured by a former service provider. I need to add some networks to the default/standard VPN-ACL which is used by most of our employees. The navigation under "Objects -> Access List -> Extended" is completely empty (see screenshot).
The CLI instead shows the current policy which needs to be modified. Where can I add an additional entry to this ACL to permit access to a new network on our site? (I've replaced some IPs/networks for security reasons.)
> show access-list | grep vpn
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49; 8 elements; name hash: 0x8b430b4d (dynamic)
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 1 extended permit udp any4 host 1.1.1.1 eq domain (hitcnt=40344) 0xc119c88e
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 2 extended permit ip any4 192.168.1.0 255.255.255.0 (hitcnt=994) 0x5d410ef2
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 3 extended permit ip any4 192.168.2.0 255.255.255.0 (hitcnt=9197) 0x0ee616d8
[... add. rules here ...]
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 8 extended deny ip any4 any4 (hitcnt=26451) 0x18154f61
Thanks
oetti
10-08-2023 11:37 AM
@oetti the DACL is deployed from ISE. Modify the DACL referenced in the authorisation profile - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212419-configure-per-user-dynamic-access-contro.html
10-08-2023 10:45 AM
@oetti #ACSACL# implies a Downloadable ACL (DACL) has been applied. Do you authenticate the users via RADIUS (ISE or ACS)? If so, amend the DACL there.
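A small script, added here as an example and not from the thread or from Cisco, that parses `show access-list` output and flags which ACLs are RADIUS-pushed DACLs (the `#ACSACL#` prefix and `(dynamic)` marker Rob points at) versus locally configured ones, so you know whether to edit on ISE/ACS or in the firewall policy. The sample text is constructed from the poster's sanitised lines plus one invented local ACL named `outside_in`.

```python
import re

# Constructed sample of `show access-list` output: the poster's sanitised DACL
# lines plus one invented, locally configured ACL for contrast.
SAMPLE = """\
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49; 8 elements; name hash: 0x8b430b4d (dynamic)
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 1 extended permit udp any4 host 1.1.1.1 eq domain (hitcnt=40344) 0xc119c88e
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 2 extended permit ip any4 192.168.1.0 255.255.255.0 (hitcnt=994) 0x5d410ef2
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 8 extended deny ip any4 any4 (hitcnt=26451) 0x18154f61
access-list outside_in; 1 elements; name hash: 0x1234abcd
access-list outside_in line 1 extended permit tcp any4 host 203.0.113.10 eq https (hitcnt=12) 0xdeadbeef
"""

# Summary line: name, element count, name hash, optional "(dynamic)" marker.
HEADER = re.compile(r"^access-list (\S+); (\d+) elements; name hash: (0x[0-9a-f]+)(?: \((dynamic)\))?$")
# ACE line: name, line number, action, rule body, hit counter, per-ACE hash.
ACE = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (.+?) \(hitcnt=(\d+)\) 0x[0-9a-f]+$")


def _new_acl(name):
    # "#ACSACL#" is the prefix RADIUS (ISE/ACS) gives to downloadable ACLs.
    return {"elements": None, "dynamic": False, "dacl": name.startswith("#ACSACL#"), "aces": []}


def parse_access_lists(text):
    """Group the output by ACL name, keeping per-ACE line, action, rule and hit count."""
    acls = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, count, _name_hash, dyn = m.groups()
            entry = acls.setdefault(name, _new_acl(name))
            entry["elements"] = int(count)
            entry["dynamic"] = dyn == "dynamic"
            continue
        m = ACE.match(line)
        if m:
            name, num, action, body, hits = m.groups()
            entry = acls.setdefault(name, _new_acl(name))
            entry["aces"].append({"line": int(num), "action": action, "rule": body, "hits": int(hits)})
    return acls


def where_to_edit(acl):
    """A DACL is authored on the RADIUS server; editing it locally will not survive the next authorization."""
    if acl["dacl"] or acl["dynamic"]:
        return "RADIUS server (ISE/ACS) authorization profile"
    return "firewall policy (FMC or local configuration)"


if __name__ == "__main__":
    for name, acl in parse_access_lists(SAMPLE).items():
        print(f"{name}: {len(acl['aces'])} ACEs parsed -> edit in {where_to_edit(acl)}")
```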
10-08-2023 11:33 AM
As far as I know, ISE (AD-auth) is used for authentication. Do I need to change the DACL in ISE or FMC?
10-09-2023 01:58 AM
Thanks Rob.
I've changed the DACL content in ISE and it works as expected.