Hi Karthik,
Do you have hit counters on your ACLoutside for https traffic?
What are your aaa authorization statements on ASA?

Eugene

From: [email protected] 
[mailto:[email protected]] On Behalf Of Karthik sagar
Sent: Monday, August 13, 2012 9:55 AM
To: ccie security
Subject: [OSL | CCIE_Security] Issue with ASA - CTP with downloadable ACLs

When we have downloadable ACLs with CTP, does the ASA merge the downloaded ACL 
with the existing interface ACL, or is it evaluated separately?


My interface ACL :
ASA1# show run access-list
access-list ACLoutside extended permit icmp host 10.0.0.100 any
access-list ACLoutside extended permit tcp any host 10.0.0.10 eq 443
access-list ACLoutside extended permit tcp any host 10.0.0.100
access-list ACLoutside extended permit tcp any any eq telnet

I downloaded this ACL from ACS:

access-list #ACSACL#-IP-permittelneticmp-50292018; 2 elements (dynamic)
access-list #ACSACL#-IP-permittelneticmp-50292018 line 1 extended permit icmp any any (hitcnt=0) 0xb3fbb06b
access-list #ACSACL#-IP-permittelneticmp-50292018 line 2 extended permit tcp any any eq telnet (hitcnt=1) 0x60818a28


Now, my https traffic to 10.0.0.10 would not pass through unless I cleared 
uauth.

Regards,
Karthik
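Eugene's first question is whether the ACLoutside entry for 443 is actually being hit. The script below is an added example, not part of the thread and not Cisco code: it parses `show access-list` style output, reports which ACE a given flow would match first in a named list, and lists the ACEs that still show hitcnt=0. The sample output is constructed for this example (the interface ACL from the post with made-up hit counters, plus the downloaded ACL as posted); it does not settle how the ASA combines the two lists, it only shows that the downloaded ACL has no entry a TCP/443 flow could match while the interface ACL does.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `show access-list` output (hit counters on ACLoutside are
# invented for this example; the downloaded ACL lines are as shown in the post).
SAMPLE_SHOW_ACCESS_LIST = """\
access-list ACLoutside; 4 elements; name hash: 0x12345678
access-list ACLoutside line 1 extended permit icmp host 10.0.0.100 any (hitcnt=3) 0x11111111
access-list ACLoutside line 2 extended permit tcp any host 10.0.0.10 eq 443 (hitcnt=0) 0x22222222
access-list ACLoutside line 3 extended permit tcp any host 10.0.0.100 (hitcnt=5) 0x33333333
access-list ACLoutside line 4 extended permit tcp any any eq telnet (hitcnt=7) 0x44444444
access-list #ACSACL#-IP-permittelneticmp-50292018; 2 elements (dynamic)
access-list #ACSACL#-IP-permittelneticmp-50292018 line 1 extended permit icmp any any (hitcnt=0) 0xb3fbb06b
access-list #ACSACL#-IP-permittelneticmp-50292018 line 2 extended permit tcp any any eq telnet (hitcnt=1) 0x60818a28
"""

# Port keywords the ASA prints in place of numbers (subset, enough for this sample).
PORT_NAMES = {"telnet": 23, "https": 443, "www": 80, "ssh": 22, "ftp": 21, "smtp": 25, "domain": 53}

# One ACE line: name, line number, action, protocol, address/port spec, hit counter.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<rest>.+?) \(hitcnt=(?P<hits>\d+)\)"
)


@dataclass
class Ace:
    acl: str
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means "any destination port"
    hits: int


def _take_addr(tokens: List[str]):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_show_access_list(text: str) -> List[Ace]:
    """Turn `show access-list` output into Ace records; summary lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # "...; N elements" header lines carry no ACE
        tokens = m["rest"].split()
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        dport = _port(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], m["proto"],
                        src, dst, dport, int(m["hits"])))
    return aces


def first_match(aces: List[Ace], acl: str, proto: str, src_ip: str, dst_ip: str,
                dport: Optional[int] = None) -> Optional[Ace]:
    """First ACE in `acl` that matches the flow (ACLs are evaluated top-down, first match wins)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.acl != acl or ace.proto not in (proto, "ip"):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def zero_hit_aces(aces: List[Ace], acl: str) -> List[Ace]:
    """ACEs in `acl` whose counter never incremented: candidates for 'traffic never got here'."""
    return [a for a in aces if a.acl == acl and a.hits == 0]


if __name__ == "__main__":
    aces = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    flow = ("tcp", "192.0.2.5", "10.0.0.10", 443)   # constructed outside client -> https server
    for name in ("ACLoutside", "#ACSACL#-IP-permittelneticmp-50292018"):
        hit = first_match(aces, name, *flow)
        print(f"{name}: {'line %d (hitcnt=%d)' % (hit.line, hit.hits) if hit else 'no matching ACE'}")
    print("ACLoutside entries with hitcnt=0:", [a.line for a in zero_hit_aces(aces, "ACLoutside")])
```

Run against real output, a TCP/443 flow that matches ACLoutside line 2 but leaves its counter at 0 while the per-user ACL has no matching ACE is the pattern to compare with the `aaa authentication match` and `aaa authorization` statements Eugene asks about.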