11-19-2008 06:54 PM - edited 03-10-2019 04:11 PM
Hi all,
We have a setup of ACS 3.3 & PIX 515e that works using Virtual Telnet to the PIX. The issue is that when a user logs in using Virtual Telnet, his downloadable ACL from ACS overrides the static rules defined in the PIX firewall, i.e. the static rules in the PIX don't play any role in Virtual Telnet access.
Is there any way that when a user uses Virtual Telnet, all static PIX rules as well as downloadable ACL rules come into play?
Thanks in advance for your response.
Arif
11-26-2008 01:54 PM
ACLs entered into the Cisco Secure ACS are protected by whatever backup or replication regime you have established for the Cisco Secure ACS. After you configure an ACL as a named shared profile component, you can include that ACL in any Cisco Secure ACS user, or user group, profile. When Cisco Secure ACS returns an attribute with a named ACL as part of a user session RADIUS access accept packet, the PIX Firewall applies that ACL to the session of that user. Cisco Secure ACS uses a versioning stamp to ensure that the PIX Firewall has cached the latest ACL version. If a PIX Firewall responds that it does not have the current version of the named ACL in its cache (that is, the ACL is new or has changed), Cisco Secure ACS uploads the ACL update to the PIX Firewall cache.
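As an added illustration (not part of this thread or of Cisco's documentation), the following Python model shows why the precedence question matters: when a per-user downloadable ACL overrides the interface ACL instead of being evaluated alongside it, a permissive DACL can open destinations the static rules were meant to fence off. The ACE syntax is a constructed subset, not the exact PIX access-list grammar, and the sample policy and flows are made up.

```python
from ipaddress import ip_address, ip_network

def _net(tok):
    # 'any' matches every address; otherwise a CIDR network (constructed syntax)
    return None if tok == "any" else ip_network(tok)

def parse_acl(text):
    """Parse simplified ACEs: '<permit|deny> <proto> <src> <dst> [eq <port>]'.
    The syntax is a constructed subset, not the exact PIX access-list grammar."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, src, dst = tok[:4]
        port = int(tok[5]) if len(tok) > 5 and tok[4] == "eq" else None
        aces.append((action == "permit", proto, _net(src), _net(dst), port))
    return aces

def evaluate(aces, proto, src, dst, port):
    """First-match evaluation with an implicit deny at the end, as on the PIX."""
    for permit, p, s, d, pt in aces:
        if (p in ("ip", proto) and (s is None or ip_address(src) in s)
                and (d is None or ip_address(dst) in d) and pt in (None, port)):
            return permit
    return False

def allowed(static_acl, dacl, flow, mode):
    """'override': only the per-user DACL is consulted (what the poster observes).
    'both': the flow must be permitted by the interface ACL and by the DACL."""
    if mode == "override":
        return evaluate(dacl, *flow)
    return evaluate(static_acl, *flow) and evaluate(dacl, *flow)

def exposed_flows(static_acl, dacl, flows):
    """Flows the DACL lets through that the static interface ACL would have blocked."""
    return [f for f in flows
            if allowed(static_acl, dacl, f, "override") and not evaluate(static_acl, *f)]

# Constructed sample policy: the static ACL fences off 10.2.0.0/24, the DACL opens it.
STATIC = parse_acl("""
permit tcp 10.1.0.0/16 any eq 80
deny ip any 10.2.0.0/24
permit ip 10.1.0.0/16 any
""")
DACL = parse_acl("""
permit ip any 10.2.0.0/24
permit tcp any any eq 22
""")
FLOWS = [("tcp", "10.1.5.5", "10.2.0.9", 443),   # blocked statically, opened by DACL
         ("tcp", "10.1.5.5", "10.3.0.1", 22)]    # permitted by both
```

Running `exposed_flows(STATIC, DACL, FLOWS)` lists the flows that only the override behaviour admits, which is the set worth reviewing before trusting a DACL as the sole control for Virtual Telnet users.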
11-27-2008 04:03 PM
Hi, thanks for your comprehensive response.
The question that still remains is whether we could give the static ACL rules in the PIX precedence over the downloadable IP ACL from ACS?
Regards.