Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1359
Views
0
Helpful
0
Comments

How to add more downloadable IP ACLs to Cisco Secure access control server once it reaches maximum limit

TCC_2
Level 10
Level 10

‎06-17-2009 10:20 PM - edited ‎02-21-2020 09:54 PM

Resolution

The workaround to add more downloadable access control lists (ACLs) on the Cisco Secure access control server (ACS) is to use the object-group command. Refer to the example below:

Configuration on the PIX/ASA:

name 192.6.x.x HOST_SERVER

object-group service SVC_GROUP tcp
port-object eq 12006
port-object eq 12031
port-object eq 12915

object-group network HOST_GROUP
network-object host 192.7.x.x
network-object host 192.8.x.x
network-object host 192.9.x.x
network-object host 192.5.x.x
network-object host 192.4.x.x
network-object host 192.3.x.x
network-object host HOST_SERVER

This is the configuration for Downloadable IP ACLs:

permit tcp any object-group HOST_GROUP object-group SVC_GROUP

The previous ACL can be used to sum up the ACLs in the Downloadable IP ACLs section in order to not cross the limit of 32 KB.

Refer to the Downloadable IP ACLs section of Shared Profile Components for more information.

Features & Tasks

Access lists

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents