We are a relatively large company, and we are in the process of deploying a Cisco VPN solution based on ASA and ACS 5.1.
Our biggest problem at the moment is the management of downloadable ACLs. Technically it was no big deal to get that to work, but our company requirements in terms of limited network access will cause us to have more than 100 different downloadable ACLs that are of course overlapping.
My idea now was to organize them in snippets (e.g. you have a snippet to access the corporate email system, a snippet for ERP, etc.) and to create the ACLs from those snippets, which would be stored in a database.
Has anybody done that yet, or is there any product that can do that?
All input will be highly appreciated...
Maybe this is what you want; you should try it:
On the ASA define your object-groups (these can be hosts/networks/ports etc..), then on the ACS reference that object-group in your acl.
on ASA side:
object-group network mygroup
 network-object 10.1.1.1 255.255.255.0
 network-object 188.8.131.52 255.255.255.0

On the LDAP or RADIUS server, in the user/group profile, define:
"ip:inacl#1=permit ip any object-group mygroup"
I hope this achieves what you want.
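The snippet-based composition the question describes, combined with the numbered ip:inacl# Cisco-AV-Pair format used in the answer above, as an added example that is not part of this thread. The snippets, hosts and role mapping are constructed placeholders; in practice the role-to-snippet table would live in the database the question mentions.

```python
"""Compose per-role downloadable ACLs from reusable snippets (added example)."""

# Constructed snippets: one per application, reused across many roles.
SNIPPETS = {
    "email": [
        "permit tcp any host 10.10.1.25 eq 25",
        "permit tcp any host 10.10.1.25 eq 443",
    ],
    "erp": [
        "permit tcp any host 10.20.1.5 eq 443",
        "permit tcp any host 10.10.1.25 eq 443",  # overlaps with the email snippet
    ],
    "dns": ["permit udp any host 10.0.0.53 eq 53"],
}

# Constructed role -> snippet mapping (this is what a database table would hold).
ROLES = {
    "sales": ["email", "erp", "dns"],
    "helpdesk": ["email", "dns"],
}


def compose_acl(role, roles=ROLES, snippets=SNIPPETS):
    """Return the ordered, de-duplicated ACE list for a role, closed by an explicit deny."""
    seen = set()
    aces = []
    for name in roles[role]:
        for ace in snippets[name]:
            if ace not in seen:  # drop entries that overlapping snippets share
                seen.add(ace)
                aces.append(ace)
    aces.append("deny ip any any")  # make the final deny visible instead of implicit
    return aces


def to_av_pairs(aces):
    """Render ACEs as numbered Cisco-AV-Pair values (ip:inacl#N=...) for a RADIUS profile."""
    return ["ip:inacl#%d=%s" % (i, ace) for i, ace in enumerate(aces, start=1)]


if __name__ == "__main__":
    for role in ROLES:
        print("# role:", role)
        for line in to_av_pairs(compose_acl(role)):
            print(line)
```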
Unfortunately, ACS 5.1 can only serve a static ACL, not a combined ACL derived from, e.g., multiple Active Directory groups, which is what I think you are looking for. This can be done on the ASA with DAPs, but all ACLs will be on the ASA, not the ACS. Cisco says this might be coming in the next version of ACS.