CSM with user defined named access-list

Unanswered Question
Jul 30th, 2007

Is there a way to name an access-list from the Cisco Security Manager interface? I need to define and use a named access-list (not automatically generated names) for use on the remote vpn client connections.

This is what I need.

1. Create a named access list on the ASA, e.g., acl name "laptop_group" using CSM.

2. In my ACS authentication server, I define a user/group, and users in this group receive the "laptop_group" ACL via RADIUS attributes. So the laptop_group ACL must exist on the ASA.

Note, I am able to create named Access Control Lists in CSM via the Policy Object Manager and I can use these if I manage my Remote Access VPN internally, but I am using ACS and need to manage the VPNs externally.

thank you,

tony

dradhika Sun, 08/19/2007 - 08:43

Hi Tony,

I am not sure if I understood your problem correctly.

Is the problem that CSM generates Access-lists with name "CSM_xxx" and you want it to be generated as laptop_group?

Thanks,

Radhika

webstert Mon, 08/20/2007 - 09:38

I have created a ticket with the TAC and apparently what I am trying to do is impossible in CSM.

All I need to do is be able to create a named access-list on the ASA from the CSM interface. I do not want the ACL associated with an interface or anything; I just need the ACL to exist on the ASA. I want to be able to manage my object-groups and the ACL from CSM. It is as simple as that, but CSM cannot do this.

The purpose of the ACL is for VPN clients. I create groups of users on our RADIUS server, Cisco ACS, and these groups have an access-list associated with them. When the VPN client connects, the user authenticates against the ACS RADIUS server and it replies back with the access-list to use. This access-list is the one that exists on the ASA that I need. This ACL gets applied to the VPN connection and is the control point for the VPN users.

Suggestions?

thanks,

tony
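For reference, the ASA-side pieces this design depends on, shown as an added example that is not part of the thread or of any Cisco documentation. The object-group, addresses and ports are placeholders, and Filter-Id (IETF RADIUS attribute 11) is assumed as the attribute ACS returns; the thread itself does not name the attribute.

```text
! Added example: ASA configuration a RADIUS-returned ACL name relies on.
! Names and addresses below are placeholders.
object-group network LAPTOP_ALLOWED_SERVERS
 network-object host 10.0.10.20
 network-object 10.0.20.0 255.255.255.0
!
! The named ACL has to exist on the ASA before a client connects;
! ACS only hands back its name, it does not create it.
access-list laptop_group extended permit tcp any object-group LAPTOP_ALLOWED_SERVERS eq 443
access-list laptop_group extended permit udp any host 10.0.10.20 eq domain
access-list laptop_group extended deny ip any any log
!
! ACS group profile (assumed): return IETF attribute 11 so the ASA
! applies the ACL to that user's tunnelled session only.
!   Filter-Id = laptop_group
!
! Check after a client in the group connects:
!   show vpn-sessiondb detail remote    -> Filter Name: laptop_group
!   show access-list laptop_group       -> hit counts increase on the lines above
```

If the ACL name returned by ACS does not exist on the ASA, the session is not protected by it, so the existence of the named ACL on the device is the thing to verify before trusting the RADIUS side.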

dradhika Tue, 08/21/2007 - 08:52

Hi Tony,

If you just want the ACL to exist on the device even after deploy followed by discovery, then there is an option in Admin Settings -> Deployment page.

There will be a check box for "Remove unreference Acl.." and "Remove Unreferenced object groups ..".

Just uncheck them. Then the ACL will not be removed during deployment.

What about creating vpn with this device or enabling RA on the device?

webstert Tue, 08/21/2007 - 09:30

1. Yes, I have changed the "Remove unreference ACL" feature, but that still requires me to manage the ACL from the command line, which is probably what I will end up doing since there is no way to manage this type of ACL from CSM.

2. I do have a VPN created on the device and I do have RA enabled, but the problem lies in that this is an "External Server" managed Group Policy. If I use the "On Device" group policy then I can easily manage and apply an ACL to the RA VPN, but that is not very scalable for a large number of VPN accounts. I need to be able to manage the users and VPN policy via the Cisco ACS server.

I have spoken with TAC and they say that CSM does not support this and that I will have to manage my ACLs via CLI like you suggested. At this time and version, I do not believe there is anything else that I can do.

thanks for the assistance,

tony
