Downloadable ACL

Mar 26th, 2009

Hi, I have a requirement to set up a DACL on Cisco ACS that will prevent all types of traffic to a bunch of servers located in different subnets. They all have a common 4th octet address of .46

e.g. 10.2.3.46, 10.45.2.46, 192.168.10.46... I hate to enter a line for each and every server.

I would appreciate it if someone could suggest a correct combination of host IP and subnet mask that will prevent all types of access to these servers in any subnet. The servers have a common 4th octet of 46.

Thanks

srue Thu, 03/26/2009 - 12:24

What device are you downloading ACLs to?



srue Fri, 03/27/2009 - 15:28

I'm not in my lab right now, but try creating your ACL with syntax like the following:

...permit/deny ip 0.0.0.46 0.0.0.255 any


...or however you wanted to. I don't remember if it's IOS or PIX/ASA, or both, that support this type of ACL, but it's worth a shot to see if it even accepts the ACE.

Dragan Milojevic Mon, 03/30/2009 - 09:45

To enable wildcard usage within the ASA I had to enter the following:

aaa-server RADIUS_SERVER protocol radius

acl-netmask-convert wildcard

Then I had to check every DACL and make sure this change would not have "weird" issues with existing DACLs. After testing and a bit of reconfiguration all works OK.

Thanks
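An added example, not code from the thread, that models the two mask interpretations the replies turn on: the Cisco wildcard mask (IOS, or the ASA once acl-netmask-convert wildcard is set on the aaa-server group) versus the ASA's standard subnet-mask reading of the same field. It uses the three server addresses from the question plus a few constructed non-matching addresses; the function names and mode labels are my own.

```python
import ipaddress

MAX32 = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def netmask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask (255.255.255.0) into a wildcard mask (0.0.0.255)."""
    return str(ipaddress.IPv4Address(~to_int(mask) & MAX32))


def matches(ip: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that bit of the address must equal the base address."""
    care = ~to_int(wildcard) & MAX32
    return (to_int(ip) & care) == (to_int(base) & care)


def hosts_hit(ace_base: str, ace_mask: str, candidates, mode: str):
    """Return the candidate addresses an ACE 'deny ip any <base> <mask>' selects.

    mode 'wildcard': the mask is a Cisco wildcard (IOS, or ASA with
                     'acl-netmask-convert wildcard' on the aaa-server group).
    mode 'netmask' : the mask is a subnet mask (ASA standard interpretation).
    """
    if mode == "wildcard":
        wildcard = ace_mask
    elif mode == "netmask":
        wildcard = netmask_to_wildcard(ace_mask)
    else:
        raise ValueError(f"unknown mode: {mode}")
    return [ip for ip in candidates if matches(ip, ace_base, wildcard)]


# Servers from the question, plus constructed addresses that must NOT match.
SERVERS = ["10.2.3.46", "10.45.2.46", "192.168.10.46"]
OTHERS = ["10.2.3.47", "192.168.10.1", "0.0.0.46", "0.0.0.9"]

if __name__ == "__main__":
    pool = SERVERS + OTHERS
    # Wildcard 255.255.255.0 = "ignore the first three octets, last octet must be 46".
    print("wildcard mode:", hosts_hit("0.0.0.46", "255.255.255.0", pool, "wildcard"))
    # The ASA reading the same field as a subnet mask selects 0.0.0.0/24 instead,
    # which is why the conversion setting above was needed.
    print("netmask mode: ", hosts_hit("0.0.0.46", "255.255.255.0", pool, "netmask"))
```

Swapping the mask to 0.0.0.255 in wildcard mode selects the 0.0.0.0/24 range rather than the .46 hosts, so checking which hosts an ACE actually hits before pushing it from ACS is worth the minute it takes.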
