Urgent: how to avoid automatically generate dynamic ACLs?

Unanswered Question
Aug 15th, 2007
User Badges:

PIX501 v6.3(3)is configured as Easy VPN client and authentication is done on

ACS server.

Downloadable ACL is applied to this vpn h/w client after the VPN connection

is established (shown in blue colour in the sh access-list output).

However, the are 2 dynamic ACL applied to the same connection which

override the downloadable ACL as defined in the ACS server for this VPN


Question: How to get rid of the 2 dynamic ACLs as shown below?

access-list dynacl128; 1 elements

access-list dynacl128 line 1 permit ip any host (hitcnt=0)

access-list dynacl129; 1 elements

access-list dynacl129 line 1 permit ip any FBP_Staging (hitcnt=1)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
tstanik Tue, 08/21/2007 - 12:46
User Badges:
  • Bronze, 100 points or more

I think it is not possible to avoid automatically generated dynamic ACLs, you may have to use some other interface for this or configure PIX with proper VPN configuration for client.

eric.huihk Tue, 08/21/2007 - 18:41
User Badges:

Thanks for your reply.

You suggest to use other interface, do these other interfaces can avoid to generate dynamic ACLs? Which interfaces should be used? Please advise.


This Discussion