question about downloadable ACLs

Unanswered Question
Nov 9th, 2009
When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW. Is this true?


Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"? Would it then enforce that ACL? So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server? Even if I was authenticating from say, my workstation?


Ivan Martinon Wed, 12/02/2009 - 09:40
User Badges: Cisco Employee

When using downloadable ACLs it is my understanding that you specify a source address of "any" to represent the IP of the host authenticating to the FW.  Is this true?


- True, unless you bind the DACL to the user and that user always uses a static IP address.



Assuming this is true, what would happen if you specified a host address in the downloadable ACL as opposed to using "any"?  Would it then enforce that ACL?


- The DACL will always be enforced whether you use any or a host IP address; however, if the IP address used as source does not match the DACL, then it will always deny traffic.


Don't Follow the one below:

So I could maybe authenticate to the firewall as "BackupAdmin" and have it download an ACL which allows Server A to connect to the backup server?  Even if I was authenticating from say, my workstation?


What do you mean by that?

slug420 Wed, 12/02/2009 - 13:18
I am thinking (based on your response) that what I want to do is not possible...


The fundamental functionality of a DACL is a user has limited access, they hit the firewall, authenticate, and a new set of rules is applied which allows new access.


The intention of this (and possibly the only way it works) is for my workstation to have no access, my workstation to authenticate, and my workstation to have additional access. What I was inquiring about is the ability for a DACL to impact an unrelated system.


So, for example, my workstation has full access to everything, but Server A cannot talk to Server B. Could I hit the firewall from my workstation, authenticate, and download an ACL that allows Server A to then communicate with Server B?

Ivan Martinon Wed, 12/02/2009 - 13:27
User Badges: Cisco Employee

I don't think it works that way, since the DACL is downloaded per session; it has an identifier that applies only to the user that authenticates.
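The two points made in this thread (a DACL is bound to the session of the host that authenticated, and an entry whose source host does not match that session's traffic simply never permits anything) can be illustrated with a small simulation. The code below is an added example written for this page; it is not Cisco's implementation and not code from anyone in the thread. It assumes a simplified model of an ASA/PIX cut-through-proxy session in which the downloaded ACL is consulted only for packets sourced from the authenticated IP, with an implicit deny at the end of the list. The hostnames, addresses and ACL lines are constructed for illustration.

```python
# Added example (not from the thread): a toy model of how an ASA/PIX-style
# downloadable ACL (DACL) is tied to one authenticated (uauth) session.
# Addresses and ACL lines below are constructed for illustration only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                           # "permit" or "deny"
    proto: str                            # "ip", "tcp", "udp", ...
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]  # None means "any"


def _parse_addr(toks):
    """Consume one ASA-style address spec: any | host A.B.C.D | A.B.C.D M.M.M.M."""
    tok = next(toks)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(next(toks))
    return ipaddress.ip_network(f"{tok}/{next(toks)}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one access-control entry such as 'permit ip any host 192.168.1.20'."""
    toks = iter(line.split())
    action, proto = next(toks), next(toks)
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src = _parse_addr(toks)
    dst = _parse_addr(toks)
    return Ace(action, proto, src, dst)


@dataclass
class Session:
    """One cut-through-proxy session. The DACL is bound to the IP that
    authenticated, so the firewall consults it only for that host's traffic."""
    user: str
    ip: ipaddress.IPv4Address
    dacl: List[Ace]


def authenticate(user: str, from_ip: str, dacl_lines: List[str]) -> Session:
    """Model the AAA exchange: the user authenticates from from_ip and the
    server pushes the DACL, which the firewall installs for that session."""
    return Session(user, ipaddress.ip_address(from_ip), [parse_ace(l) for l in dacl_lines])


def evaluate(session: Session, proto: str, src: str, dst: str) -> str:
    """Return 'permit', 'deny', or 'no-session' for a packet proto src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s != session.ip:
        return "no-session"  # another host's packet: this session's DACL never sees it
    for ace in session.dacl:
        if ace.proto not in ("ip", proto):
            continue
        if ace.src is not None and s not in ace.src:
            continue  # an ACE written for a different source host never matches
        if ace.dst is not None and d not in ace.dst:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every ACL


# Constructed addresses for the scenario in the thread.
WORKSTATION, SERVER_A, BACKUP = "10.10.10.5", "10.10.20.7", "192.168.1.20"


def demo() -> dict:
    # Case 1: the usual "any" source, which stands for the authenticating host.
    s1 = authenticate("BackupAdmin", WORKSTATION, [f"permit ip any host {BACKUP}"])
    # Case 2: the ACE names Server A as source while the workstation authenticated.
    s2 = authenticate("BackupAdmin", WORKSTATION, [f"permit ip host {SERVER_A} host {BACKUP}"])
    return {
        "any_from_workstation": evaluate(s1, "tcp", WORKSTATION, BACKUP),    # permit
        "hostA_from_workstation": evaluate(s2, "tcp", WORKSTATION, BACKUP),  # deny
        "hostA_from_serverA": evaluate(s2, "tcp", SERVER_A, BACKUP),         # no-session
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Case 2 is the situation asked about: the entry naming Server A is installed, but the only traffic the session's DACL ever evaluates comes from the workstation, so the entry never matches and the implicit deny applies; Server A's own traffic has no session at all, so the DACL does not reach it. For a defender reviewing AAA policy this is the useful property: a downloaded ACL cannot open a path for a host that did not authenticate.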
