DOWNLOADable ACL v/s PIX static ACL

aiftikhar · ‎11-19-2008

Hi all,

We have a setup of ACS 3.3 & PIX 515e that work using Virtual Telnet to PIX. The issue is that when a user logs into using Virtual Telnet his downloadable ACL from ACS overrides the static rules defined in the PIX firewall ie. the static rules in the PIX don't play any role in Virtual Telnet access.

Is there any way that when a user uses Virtual Telnet, all static PIX rules as well as downloadable ACL rules come into play?

Thanks for response in advance.

Arif

didyap · ‎11-26-2008

ACLs entered into the Cisco Secure ACS are protected by whatever backup or replication regime you have established for the Cisco Secure ACS. After you configure an ACL as a named shared profile component, you can include that ACL in any Cisco Secure ACS user, or user group, profile. When Cisco Secure ACS returns an attribute with a named ACL as part of a user session RADIUS access accept packet, the PIX Firewall applies that ACL to the session of that user. Cisco Secure ACS uses a versioning stamp to ensure that the PIX Firewall has cached the latest ACL version. If a PIX Firewall responds that it does not have the current version of the named ACL in its cache (that is, the ACL is new or has changed), Cisco Secure ACS uploads the ACL update to the PIX Firewall cache.

arififtikhar · ‎11-27-2008

Hi, thanks for your comprehensive response.

The question that is still remaining is if we could arrange precedence of static ACL rules in the PIX over downloadable IP ACL from ACS?

Regards.