Yeah... Recreated the same conditions with a downloadable ACL. Once the user successfully authenticated via ASA CTP, all ACEs stopped existing for the host the authenticated user was coming from and got replaced by the lines pushed by ACS. I was not so thorough last time and didn't pay attention to what I had in the interface ACL.
Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, August 13, 2012 9:24 PM
To: Karthik sagar
Cc: ccie security
Subject: Re: [OSL | CCIE_Security] Issue with ASA - CTP with downloadable ACLs

The downloaded ACL supersedes the existing ACL, provided you use the "per-user-override" keyword.

With regards
Kings
CCNA, CCSP, CCNP, CCIP, CCIE 35914 (Security)

On Mon, Aug 13, 2012 at 10:24 PM, Karthik sagar <[email protected]> wrote:

When we have downloadable ACLs with CTP, does the ASA merge the downloaded ACL with the existing interface ACL, or is it evaluated separately?

My interface ACL:

ASA1# show run access-list
access-list ACLoutside extended permit icmp host 10.0.0.100 any
access-list ACLoutside extended permit tcp any host 10.0.0.10 eq 443
access-list ACLoutside extended permit tcp any host 10.0.0.100
access-list ACLoutside extended permit tcp any any eq telnet

I downloaded this ACL from ACS:

access-list #ACSACL#-IP-permittelneticmp-50292018; 2 elements (dynamic)
access-list #ACSACL#-IP-permittelneticmp-50292018 line 1 extended permit icmp any any (hitcnt=0) 0xb3fbb06b
access-list #ACSACL#-IP-permittelneticmp-50292018 line 2 extended permit tcp any any eq telnet (hitcnt=1) 0x60818a28

Now, my HTTPS traffic to 10.0.0.10 would not pass through unless I cleared uauth.

Regards,
Karthik

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
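An added example, not part of the thread above and not Cisco code: a small Python model of how an ASA combines the interface ACL with the per-user ACL downloaded from ACS during cut-through proxy, so the two outcomes the thread argues about can be compared side by side. The ACL lines are copied from Karthik's message; the source address of the authenticated host (10.0.0.200) is assumed, since the thread does not give it. The merging rule is an assumption based on the documented meaning of the access-group per-user-override keyword: without it, traffic from an authenticated host must be permitted by both the interface ACL and the downloaded ACL; with it, the downloaded ACL replaces the interface ACL for that host. Verify against your own ASA before relying on it.

```python
"""Model of ASA interface ACL + downloadable (per-user) ACL evaluation for CTP.

ASSUMPTION (not from the thread): without per-user-override, a packet from an
authenticated host must be permitted by BOTH the interface ACL and the dACL;
with per-user-override the dACL replaces the interface ACL for that host.
Only the ACE forms that appear in the thread are parsed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        if self.proto != 'ip' and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


PORT_NAMES = {'telnet': 23, 'https': 443, 'ssh': 22, 'www': 80}

# Matches both `show run access-list` lines and `show access-list` lines
# (the latter carry "line N", "(hitcnt=N)" and a trailing hash).
ACE_RE = re.compile(
    r'^access-list\s+(\S+)(?:\s+line\s+\d+)?\s+extended\s+(.*?)'
    r'(?:\s+\(hitcnt=\d+\))?(?:\s+0x[0-9a-f]+)?\s*$')


def _net(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' from the token list."""
    tok = tokens.pop(0)
    if tok == 'any':
        return ipaddress.ip_network('0.0.0.0/0')
    if tok == 'host':
        return ipaddress.ip_network(tokens.pop(0) + '/32')
    return ipaddress.ip_network(f'{tok}/{tokens.pop(0)}', strict=False)


def parse_acl(text: str) -> dict:
    """Parse ASA access-list output into {acl_name: [ACE, ...]} in line order."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # element-count header lines and anything unparsed
        name, toks = m.group(1), m.group(2).split()
        action, proto = toks.pop(0), toks.pop(0)
        src, dst = _net(toks), _net(toks)
        dport = None
        if toks and toks[0] == 'eq':
            dport = PORT_NAMES.get(toks[1]) or int(toks[1])
        acls.setdefault(name, []).append(ACE(action, proto, src, dst, dport))
    return acls


def evaluate(acl: list, pkt: Packet) -> bool:
    """First-match evaluation with the ASA's implicit deny at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == 'permit'
    return False


def allowed(pkt: Packet, interface_acl: list, user_acl, per_user_override: bool) -> bool:
    """user_acl is None when the host has no uauth entry (e.g. after `clear uauth`)."""
    if user_acl is None:
        return evaluate(interface_acl, pkt)
    if per_user_override:
        return evaluate(user_acl, pkt)                                   # dACL replaces interface ACL
    return evaluate(interface_acl, pkt) and evaluate(user_acl, pkt)      # both must permit


# ACL text copied from Karthik's message in the thread.
INTERFACE_ACL_TEXT = """
access-list ACLoutside extended permit icmp host 10.0.0.100 any
access-list ACLoutside extended permit tcp any host 10.0.0.10 eq 443
access-list ACLoutside extended permit tcp any host 10.0.0.100
access-list ACLoutside extended permit tcp any any eq telnet
"""
DACL_TEXT = """
access-list #ACSACL#-IP-permittelneticmp-50292018; 2 elements (dynamic)
access-list #ACSACL#-IP-permittelneticmp-50292018 line 1 extended permit icmp any any (hitcnt=0) 0xb3fbb06b
access-list #ACSACL#-IP-permittelneticmp-50292018 line 2 extended permit tcp any any eq telnet (hitcnt=1) 0x60818a28
"""
INTERFACE_ACL = parse_acl(INTERFACE_ACL_TEXT)['ACLoutside']
DACL = parse_acl(DACL_TEXT)['#ACSACL#-IP-permittelneticmp-50292018']


def run_thread_scenario(per_user_override: bool) -> dict:
    """Outcomes for an authenticated host; 10.0.0.200 is an assumed source address."""
    src = '10.0.0.200'
    https = Packet('tcp', src, '10.0.0.10', 443)
    telnet = Packet('tcp', src, '10.0.0.50', 23)
    icmp = Packet('icmp', src, '10.0.0.50')
    return {
        'https_to_10.0.0.10': allowed(https, INTERFACE_ACL, DACL, per_user_override),
        'telnet': allowed(telnet, INTERFACE_ACL, DACL, per_user_override),
        'icmp': allowed(icmp, INTERFACE_ACL, DACL, per_user_override),
        'https_after_clear_uauth': allowed(https, INTERFACE_ACL, None, per_user_override),
    }


if __name__ == '__main__':
    for override in (False, True):
        print(f'per-user-override={override}: {run_thread_scenario(override)}')
```

Under both rules the HTTPS flow to 10.0.0.10 is dropped once the user is authenticated, because the downloaded ACL permits only ICMP and telnet; that matches what Karthik saw, so his symptom alone does not tell you whether per-user-override is configured. The ICMP case does: an authenticated host other than 10.0.0.100 can ping only when the dACL overrides the interface ACL, which is the "all ACEs got replaced" behaviour Eugene describes.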
