Manage downloadable ACLs through snippets

Hi all,

We are a relatively large company, and we are in the process of deploying a Cisco VPN solution based on ASA and ACS 5.1.

Our biggest problem at the moment is the management of downloadable ACLs. Technically it was no big deal to get that to work, but our company requirements in terms of limited network access will cause us to have more than 100 different downloadable ACLs that are of course overlapping.

My idea now was to organize them in snippets (e.g. you have a snippet to access the corporate email system, a snippet for ERP, etc.) and to create the ACLs from those snippets, which will be stored in a database.

Has anybody done that yet, or is there any product that can do that?

All input will be highly appreciated...

Thanks,

Dirk


Re: Manage downloadable ACLs through snippets

Hi Dirk.

Maybe this is what you want; you should try it:

On the ASA define your object-groups (these can be hosts/networks/ports, etc.), then on the ACS reference that object-group in your ACL.

Example:

On the ASA side:

object-group network mygroup
       network-object 10.1.1.1 255.255.255.0
       network-object 20.1.1.1 255.255.255.0

On the LDAP or RADIUS server, in the user/group profile, define the Cisco AV-pair (the per-user ACL attribute carries a sequence number after "#"):
"ip:inacl#1=permit ip any object-group mygroup"

I hope this achieves what you want.

Regards,

Fadi.
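As an added example (not part of this thread; the snippet library, role names and addresses are constructed), a small Python composer that builds one downloadable ACL per role from named snippets as Dirk describes, drops the duplicate entries that overlapping snippets produce, appends an explicit deny, and renders the result in the ip:inacl# AV-pair form shown above:

```python
"""Compose per-role downloadable ACLs from reusable snippets (constructed example)."""
import re
from collections import OrderedDict

# Constructed snippet library: snippet name -> ordered list of ASA extended-ACL ACEs.
# "mail" and "erp" deliberately overlap on the HTTPS entry to exercise de-duplication.
SNIPPETS = {
    "mail": ["permit tcp any host 10.10.1.25 eq 25",
             "permit tcp any host 10.10.1.25 eq 443"],
    "erp":  ["permit tcp any 10.20.0.0 255.255.255.0 eq 8000",
             "permit tcp any host 10.10.1.25 eq 443"],
    "dns":  ["permit udp any host 10.10.1.53 eq 53"],
}

# Minimal sanity check: every ACE must start with an action and an IP protocol keyword.
ACE_RE = re.compile(r"(permit|deny)\s+(ip|tcp|udp|icmp)\s+\S.*")


def compose_acl(snippet_names, snippets=SNIPPETS):
    """Merge snippets in the given order, keeping the first occurrence of each ACE,
    and terminate the ACL with an explicit deny so nothing falls through."""
    aces = OrderedDict()
    for name in snippet_names:
        if name not in snippets:
            raise KeyError(f"unknown snippet: {name}")
        for ace in snippets[name]:
            ace = " ".join(ace.lower().split())       # normalise spacing/case
            if not ACE_RE.fullmatch(ace):
                raise ValueError(f"malformed ACE in snippet {name!r}: {ace}")
            aces.setdefault(ace, None)                # duplicates collapse here
    result = list(aces)
    result.append("deny ip any any")
    return result


def to_av_pairs(aces):
    """Render an ACE list as Cisco AV-pairs: ip:inacl#<seq>=<ace>, numbered from 1."""
    return [f"ip:inacl#{seq}={ace}" for seq, ace in enumerate(aces, start=1)]


if __name__ == "__main__":
    # Hypothetical role built from three snippets; in practice the mapping
    # role -> snippet list would live in the database Dirk mentions.
    for line in to_av_pairs(compose_acl(["mail", "erp", "dns"])):
        print(line)
```

Because snippets are merged in order and the first copy of an ACE wins, reviewing a role means reviewing its snippet list rather than a hundred hand-maintained ACLs.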


Re: Manage downloadable ACLs through snippets

Unfortunately, ACS 5.1 can only serve a static ACL, not a combined ACL derived from, e.g., multiple Active Directory groups, which is what I think you are looking for. This can be done on the ASA with DAPs, but all ACLs will be on the ASA, not the ACS. Cisco says this might be coming in the next version of ACS.
