1278 Views | 10 Helpful | 3 Replies

CISCO ASA SHOW dACL

Pamfilescu
Level 1

Hello,

I have an ISE dACL over ASA VPN deployment. There are many dACLs that are assigned to users with a certain AD group membership when they hit our ASA via SSL VPN. How can I see a dACL on the ASA CLI if a user is not connected? In the "show access-list" output it looks like there are only entries for dACLs that are currently in use.

I want to see what dACLs are deployed and also the hit counts.

Thank you!

2 Accepted Solutions

Hi,

If the user is not connected, you will not be able to see his dACL because the dACL is downloaded after a successful connection.

**** please remember to rate useful posts


The dACLs will be pushed during the user's authorization process, which means they won't exist on the firewall until the user is authenticated and authorized. Once the user is authenticated and authorized you can verify what dACL has been pushed to that session by using the traditional command "show vpn-sessiondb detail anyconnect"; you can filter the command to look at a specific user if needed. The dACL will show up in the "Filter Name" field. To see the content of that dACL you can use the command "show access-list <the exact name you see with the previous command>". Also, please remember that the dACLs will vanish once the corresponding sessions are torn down.

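The verification workflow the accepted answers describe (read the "Filter Name" of each active session from "show vpn-sessiondb detail anyconnect", then look the named ACL up in "show access-list" for its hit counts) is easy to script once you have captured both outputs. The following is an added example, not code from the thread or from Cisco: it parses the two captured outputs offline and reports, per connected user, which dACL is applied and how many hits each rule has, flagging sessions that were authorized without any dACL. The sample outputs are constructed for the example; the field labels and the "(hitcnt=N)" layout follow the general shape of ASA output, but every username, address, ACL name and hash here is made up. As the answers note, this only ever shows dACLs for users who are currently connected.

```python
import re
from collections import defaultdict

# Constructed sample of "show vpn-sessiondb detail anyconnect" output (not real device output).
# "alice" was authorized with a dACL; "bob" was authorized without one.
SESSIONDB_SAMPLE = """\
Session Type: AnyConnect Detailed

Username     : alice                  Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Group Policy : GP_VPN                 Tunnel Group : TG_VPN
Filter Name  : #ACSACL#-IP-HR_ACCESS-5ab4d0b8

Username     : bob                    Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel
Group Policy : GP_VPN                 Tunnel Group : TG_VPN
"""

# Constructed sample of "show access-list" output for the dACL named above (values made up).
ACL_SAMPLE = """\
access-list #ACSACL#-IP-HR_ACCESS-5ab4d0b8; 2 elements; name hash: 0x1a2b3c4d
access-list #ACSACL#-IP-HR_ACCESS-5ab4d0b8 line 1 extended permit tcp any host 10.0.0.20 eq 443 (hitcnt=42) 0x11111111
access-list #ACSACL#-IP-HR_ACCESS-5ab4d0b8 line 2 extended deny ip any any (hitcnt=7) 0x22222222
"""

# Field labels start at column 0 in the session detail output; the value is the first token after ':'.
SESSION_FIELD = re.compile(r"(Username|Filter Name)\s*:\s*(\S+)")
# One ACE line: name, line number, the rule text, and its hit counter.
ACL_LINE = re.compile(r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)")


def parse_sessions(text):
    """Map each connected username to its dACL name, or None when no Filter Name was pushed."""
    sessions = {}
    current = None
    for line in text.splitlines():
        m = SESSION_FIELD.match(line)
        if not m:
            continue
        field, value = m.groups()
        if field == "Username":
            current = value
            sessions[current] = None          # assume no dACL until a Filter Name line appears
        elif field == "Filter Name" and current is not None:
            sessions[current] = value
    return sessions


def parse_access_lists(text):
    """Map each ACL name to its list of (line number, rule text, hit count) tuples."""
    acls = defaultdict(list)
    for line in text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            name, num, rule, hits = m.groups()
            acls[name].append((int(num), rule, int(hits)))
    return dict(acls)


def dacl_report(sessiondb_text, acl_text):
    """Per user: applied dACL (None if absent), its rules with hit counts, and the hit total."""
    sessions = parse_sessions(sessiondb_text)
    acls = parse_access_lists(acl_text)
    report = {}
    for user, dacl in sessions.items():
        rules = acls.get(dacl, []) if dacl else []
        report[user] = {
            "dacl": dacl,
            "rules": rules,
            "total_hits": sum(hits for _, _, hits in rules),
        }
    return report


if __name__ == "__main__":
    for user, info in dacl_report(SESSIONDB_SAMPLE, ACL_SAMPLE).items():
        if info["dacl"] is None:
            print(f"{user}: NO dACL applied (check the ISE authorization policy)")
            continue
        print(f"{user}: {info['dacl']} ({info['total_hits']} hits)")
        for num, rule, hits in info["rules"]:
            print(f"    line {num}: {rule} hitcnt={hits}")
```

Feed the script the two outputs captured from the firewall (for example via SSH into files) instead of the embedded samples; the "NO dACL applied" case is the one worth alerting on, since a VPN user who should have received a restrictive dACL but did not falls back to whatever the group policy permits.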

3 Replies


Pamfilescu
Level 1

Thank you!