Find Extended ACLs in FMC

oetti
Level 1

Hi,

I've an FPR1140 cluster up and running, which was installed and configured by a former service provider. I need to add some networks to the default/standard VPN ACL which is used by most of our employees. The navigation under "Objects -> Access List -> Extended" is completely empty (see screenshot).

[screenshot: fmc.PNG]

The CLI instead shows the current policy which needs to be modified. Where can I add an additional entry to this ACL to permit access to a new network on our site? (I've replaced some IPs/networks for security reasons.)

> show access-list | grep vpn
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49; 8 elements; name hash: 0x8b430b4d (dynamic)
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 1 extended permit udp any4 host 1.1.1.1 eq domain (hitcnt=40344) 0xc119c88e
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 2 extended permit ip any4 192.168.1.0 255.255.255.0 (hitcnt=994) 0x5d410ef2
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 3 extended permit ip any4 192.168.2.0 255.255.255.0 (hitcnt=9197) 0x0ee616d8

[... add. rules here ...]

access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 8 extended deny ip any4 any4 (hitcnt=26451) 0x18154f61

Thanks

oetti

1 Accepted Solution

@oetti #ACSACL# implies a Downloadable ACL (DACL) has been applied. Do you authenticate the users via RADIUS (ISE or ACS)? If so, amend the DACL there.
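The point of the answer above is that the ACL name itself tells you where the policy lives: a name beginning with #ACSACL#-IP- (and flagged "(dynamic)" in the header line) was pushed by the RADIUS server at authentication time, so editing it in FMC is not possible; a locally configured ACL is what FMC would show under Objects -> Access List. The following is an added example, not code from the thread or from Cisco: a small parser for `show access-list` output that classifies each ACL as a DACL or a local ACL and reports where it must be edited. The sample text is constructed from the output posted in the question plus one hypothetical local ACL named `outside_in` for contrast; treating the hex token after the last hyphen of a DACL name as a server-generated revision tag is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the DACL lines are modelled on the 'show access-list | grep vpn'
# output in the thread; the 'outside_in' ACL is a hypothetical locally configured ACL
# added here so the classifier has both kinds of entry to tell apart.
SAMPLE = """\
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49; 8 elements; name hash: 0x8b430b4d (dynamic)
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 1 extended permit udp any4 host 1.1.1.1 eq domain (hitcnt=40344) 0xc119c88e
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 2 extended permit ip any4 192.168.1.0 255.255.255.0 (hitcnt=994) 0x5d410ef2
access-list #ACSACL#-IP-acl_standard_vpn_group-6478be49 line 8 extended deny ip any4 any4 (hitcnt=26451) 0x18154f61
access-list outside_in; 2 elements; name hash: 0x1a2b3c4d
access-list outside_in line 1 extended permit tcp any4 host 10.0.0.5 eq https (hitcnt=12) 0xaaaaaaaa
access-list outside_in line 2 extended deny ip any4 any4 (hitcnt=3) 0xbbbbbbbb
"""

# Prefix the RADIUS server (ISE/ACS) uses when it pushes a downloadable ACL.
DACL_PREFIX = "#ACSACL#-IP-"

# Header line: "access-list <name>; <n> elements; name hash: 0x.... [(dynamic)]"
HEADER_RE = re.compile(
    r"^access-list (?P<name>\S+); (?P<elements>\d+) elements; "
    r"name hash: 0x[0-9a-f]+(?P<dynamic> \(dynamic\))?$"
)
# ACE line: "access-list <name> line <n> <rule> (hitcnt=<hits>) 0x...."
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) line (?P<line>\d+) (?P<rule>.+?) "
    r"\(hitcnt=(?P<hits>\d+)\) 0x[0-9a-f]+$"
)


@dataclass
class Ace:
    line: int
    rule: str
    hits: int


@dataclass
class Acl:
    name: str
    elements: int
    dynamic: bool
    aces: list = field(default_factory=list)

    @property
    def downloadable(self) -> bool:
        # Either signal is enough: the #ACSACL# prefix or the "(dynamic)" header flag.
        return self.name.startswith(DACL_PREFIX) or self.dynamic

    def managed_in(self) -> str:
        # DACL content is owned by the RADIUS server; anything else is FMC's to edit.
        return "RADIUS server (ISE/ACS DACL)" if self.downloadable else "FMC (Objects -> Access List)"


def parse_access_list(text: str) -> dict:
    """Parse 'show access-list' output into {acl_name: Acl}."""
    acls: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            acls[m["name"]] = Acl(m["name"], int(m["elements"]), m["dynamic"] is not None)
            continue
        m = ACE_RE.match(line)
        if m:
            # A grep-filtered dump may lack the header; fall back to the name prefix.
            acl = acls.setdefault(m["name"], Acl(m["name"], 0, m["name"].startswith(DACL_PREFIX)))
            acl.aces.append(Ace(int(m["line"]), m["rule"], int(m["hits"])))
    return acls


def dacl_base_name(name: str):
    """Return the DACL name as configured on the RADIUS server, or None for a local ACL.

    Assumption: the token after the last hyphen (e.g. 6478be49) is a revision tag
    appended by the server and is not part of the configured name."""
    if not name.startswith(DACL_PREFIX):
        return None
    base, _, _tag = name[len(DACL_PREFIX):].rpartition("-")
    return base


def summarize(acls: dict) -> list:
    """One line per ACL saying where it has to be edited."""
    return [f"{a.name}: {len(a.aces)} ACE(s) shown, edit in {a.managed_in()}" for a in acls.values()]


if __name__ == "__main__":
    for line in summarize(parse_access_list(SAMPLE)):
        print(line)
```

Running the block against the sample prints that the #ACSACL# entry is edited on the RADIUS server (here the DACL named acl_standard_vpn_group) and that outside_in is edited in FMC, which is exactly the split the thread arrives at. In practice, feed it the full `show access-list` output rather than a grep-filtered one so the header lines with the "(dynamic)" flag are present.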

 

As far as I know, ISE (AD auth) is used for authentication. Do I need to change the DACL in ISE or FMC?

Thanks, Rob.

I've changed the DACL content in ISE and it works as expected.
