Eugene,
No, the interface ACLoutside counter did not increase. I did not have aaa
authorization, as I was using RADIUS. RADIUS authorization is not supported,
as RADIUS combines authentication and authorization.
ASA(config)# aaa authorization match ACLctp outside RADIUS
Authorization is not supported in RADIUS
Usage: [no] aaa mac-exempt match <mac-list-id>
       [no] aaa authentication secure-http-client
       [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
       [no] aaa authentication|authorization|accounting include|exclude <svc> <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
Mike,
Yes, I had the per-user-override keyword.
My earlier suspicion was true. With "per-user-override", the interface ACL is
ignored. Without the keyword, traffic should be allowed by both ACLs, not
just the user-specific one.
Here is a note from the Cisco doc:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html#wp1043588
*Note: If you have used the access-group command to apply access lists to
interfaces, be aware of the following effects of the per-user-override
keyword on authorization by user-specific access lists:
• Without the per-user-override keyword, traffic for a user session must be
  permitted by both the interface access list and the user-specific access
  list.
• With the per-user-override keyword, the user-specific access list
  determines what is permitted.*
Thank you all :-)
Karthik
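The two behaviours described in the thread, laid out side by side as an ASA configuration. This is an added illustration, not configuration taken from the thread or from the Cisco document. It reuses the ACL names ACLoutside and ACLctp and the server tag RADIUS from the thread; the protected host 198.51.100.10, the RADIUS server 10.0.0.5, the shared-secret placeholder, and the contents of the cisco-av-pair returned by the RADIUS server are assumed for the example.

```text
! --- shared part: both scenarios below start from this ---
! Interface ACL: what the outside interface admits on its own
access-list ACLoutside extended permit tcp any host 198.51.100.10 eq 80
access-list ACLoutside extended deny ip any any

! Traffic that must be authenticated (cut-through proxy) before it is forwarded
access-list ACLctp extended permit tcp any host 198.51.100.10

! Assumed RADIUS server; replace the placeholder with the real shared secret
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.5
 key <shared-secret>

! RADIUS only: "aaa authorization match ... RADIUS" is rejected by the ASA,
! so the per-user ACL arrives inside the Access-Accept instead, for example as
! a Cisco VSA (attribute 26, vendor 9, cisco-av-pair) sent by the RADIUS server:
!   ip:inacl#1=permit tcp any host 198.51.100.10 eq 23
!   ip:inacl#2=deny ip any any
aaa authentication match ACLctp outside RADIUS

! --- scenario A: access-group without per-user-override ---
! Traffic for an authenticated user must pass BOTH ACLoutside and the user ACL.
access-group ACLoutside in interface outside
!   authenticated user -> 198.51.100.10 tcp/80 : ACLoutside permits (counter
!                         increments), user ACL denies            -> dropped
!   authenticated user -> 198.51.100.10 tcp/23 : user ACL permits,
!                         ACLoutside denies                       -> dropped

! --- scenario B: access-group with per-user-override ---
! Once the user is authenticated, the downloaded user ACL alone decides and
! ACLoutside is bypassed for that user's traffic, which is consistent with the
! ACLoutside hit counter not moving as reported above.
no access-group ACLoutside in interface outside
access-group ACLoutside in interface outside per-user-override
!   authenticated user -> 198.51.100.10 tcp/80 : user ACL denies  -> dropped
!   authenticated user -> 198.51.100.10 tcp/23 : user ACL permits -> forwarded
!   unauthenticated host (no user ACL yet)     : ACLoutside still applies
```

The practical check is the one Karthik ran: after authenticating a user and sending traffic that only the user ACL permits, compare the hit counts in "show access-list ACLoutside" against "show uauth" and the downloaded per-user ACL. With per-user-override the interface ACL counters stay flat for that user's session; without it, a packet has to match a permit in both lists to get through.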
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com