06-17-2009 10:20 PM - edited 02-21-2020 09:54 PM
Resolution
The workaround for fitting more downloadable access control lists (ACLs) on the Cisco Secure Access Control Server (ACS) is to use the object-group command on the PIX/ASA, so that one downloadable access control entry (ACE) stands in for many. Refer to the example below:
Configuration on the PIX/ASA:
name 192.6.x.x HOST_SERVER
object-group service SVC_GROUP tcp
 port-object eq 12006
 port-object eq 12031
 port-object eq 12915
object-group network HOST_GROUP
 network-object host 192.7.x.x
 network-object host 192.8.x.x
 network-object host 192.9.x.x
 network-object host 192.5.x.x
 network-object host 192.4.x.x
 network-object host 192.3.x.x
 network-object host HOST_SERVER
This is the configuration for Downloadable IP ACLs:
permit tcp any object-group HOST_GROUP object-group SVC_GROUP
Because the object groups are defined on the PIX/ASA, the single ACE above replaces one entry per host and port combination in the Downloadable IP ACLs section, which keeps the downloadable ACL under the 32 KB limit.
Refer to the Downloadable IP ACLs section of Shared Profile Components for more information.
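The following is an added example, not part of the original Cisco article, that shows why the object-group ACE helps: it expands one object-group ACE into the equivalent flat per-host, per-port ACEs and checks both forms against the 32 KB limit. Host addresses, the `DACL_LIMIT_BYTES` constant and the size-estimation rule (one byte per character plus a newline per line) are assumptions made for the example.

```python
# Added example (not from the original article): compare the size of a
# flat downloadable ACL with the object-group form described on the page.

DACL_LIMIT_BYTES = 32 * 1024  # 32 KB downloadable IP ACL limit from the article

# Constructed sample values mirroring the article's HOST_GROUP / SVC_GROUP
HOST_GROUP = ["192.7.0.10", "192.8.0.10", "192.9.0.10",
              "192.5.0.10", "192.4.0.10", "192.3.0.10", "192.6.0.10"]
SVC_GROUP = [12006, 12031, 12915]


def expand_ace(hosts, ports, proto="tcp"):
    """Flat ACEs equivalent to 'permit <proto> any <hosts> <ports>':
    one line per (host, port) pair, as they would have to be written
    without object groups."""
    return [f"permit {proto} any host {h} eq {p}" for h in hosts for p in ports]


def object_group_ace(proto="tcp", net="HOST_GROUP", svc="SVC_GROUP"):
    """The single ACE the article places in the Downloadable IP ACL;
    the groups themselves live on the PIX/ASA, not on ACS."""
    return [f"permit {proto} any object-group {net} object-group {svc}"]


def acl_size_bytes(aces):
    """Estimated size of the ACL text: each line plus its newline (assumption)."""
    return sum(len(a.encode("ascii")) + 1 for a in aces)


def fits_limit(aces, limit=DACL_LIMIT_BYTES):
    """True when the ACL text stays within the downloadable ACL limit."""
    return acl_size_bytes(aces) <= limit


def compare(hosts, ports):
    """Return (flat_bytes, grouped_bytes) for the same permit rule."""
    return acl_size_bytes(expand_ace(hosts, ports)), acl_size_bytes(object_group_ace())


if __name__ == "__main__":
    flat, grouped = compare(HOST_GROUP, SVC_GROUP)
    print(f"flat ACL: {flat} bytes, object-group ACE: {grouped} bytes")
    # Constructed larger case: 500 hosts x 3 ports blows past 32 KB when flat
    big_hosts = [f"10.0.{i // 256}.{i % 256}" for i in range(500)]
    print("500 hosts flat fits:", fits_limit(expand_ace(big_hosts, SVC_GROUP)))
    print("500 hosts grouped fits:", fits_limit(object_group_ace()))
```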