Too many dynamic access policies


Hi All,

Need your advice on this. I have multiple ASA firewalls in the Asia region providing SSL-VPN (clientless VPN) access to the corporate network, for example in Hong Kong and Singapore. When users from Singapore travel to Hong Kong, they can't use the SSL URL hosted there because, even though the login is successful, the DAP bookmarks are not configured on the HK firewalls. So these users have no choice but to SSL-VPN back to the Singapore firewalls, but this is inefficient and slow.

My questions are as follows:

1) Can I export the DAP on the Singapore firewalls and import it to the Hong Kong firewalls, and vice versa?

2) Can I export the bookmarks on the Singapore firewalls and import them to the Hong Kong firewalls, and vice versa?

3) Due to the number of users, I have too many DAPs configured on each firewall to match their Cisco user ID to the respective bookmark. Can I use something like a variable, so that one DAP will be sufficient? I need the DAP to be able to capture the username keyed in by the user and match that against a bookmark configured with the same username:

cisco.username =%uname

Any help will be much appreciated. Thanks

ksirupa Mon, 03/15/2010 - 11:47


We don't have an easy method to display a bookmark list based on username.

However, you can create one master bookmark list which has many different individual bookmarks, each including the variable "CSCO_WEBVPN_USERNAME".

cifs:// etc..

When you do this, the ASA will replace the macro CSCO_WEBVPN_USERNAME with the session username.

So, if user "john" logs in, they will see two bookmarks: cifs://

One other alternative is to use LDAP attribute maps instead of DAP. If you have an LDAP database or Active Directory that has all the usernames, you can use the LDAP attribute map feature, which maps a particular LDAP attribute (say cn or username) to the Cisco attribute WebVPN-URL-List.

See an example below:

One caveat is that the URL-List setting in DAP and the LDAP attribute map are mutually exclusive. So, you shouldn't apply URL-List in DAP anymore.
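An illustration of the two approaches described in the reply above (one master URL list using the CSCO_WEBVPN_USERNAME macro, and an LDAP attribute map that selects a URL list per user). This is an added example, not taken from the original post or from Cisco documentation: the list names, group policy, server addresses, the LDAP attribute "department" and its values are placeholders, and the XML layout of the url-list file is an assumption, so compare it against a file produced by "export webvpn url-list" on your own ASA version before importing.

```text
! --- Approach 1: one master bookmark list using the CSCO_WEBVPN_USERNAME macro ---
! (assumed) master.xml, written off-box and imported with the command below.
! The ASA replaces CSCO_WEBVPN_USERNAME with the session username at login,
! so user "john" sees cifs://fs01.corp.example/home/john
!
! <?xml version="1.0" encoding="UTF-8"?>
! <url-list>
!   <bookmark>
!     <title>Home directory</title>
!     <method>get</method>
!     <favorite>yes</favorite>
!     <url>cifs://fs01.corp.example/home/CSCO_WEBVPN_USERNAME</url>
!   </bookmark>
!   <bookmark>
!     <title>Intranet profile</title>
!     <method>get</method>
!     <favorite>no</favorite>
!     <url>https://intranet.corp.example/users/CSCO_WEBVPN_USERNAME</url>
!   </bookmark>
! </url-list>

! placeholder TFTP server and list name
import webvpn url-list MASTER tftp://10.1.1.10/master.xml

! one group policy, one list: no per-user DAP records needed
group-policy CLIENTLESS attributes
 webvpn
  url-list value MASTER

! --- Approach 2: choose the URL list from an LDAP attribute instead of DAP ---
! Map an LDAP attribute (placeholder: "department") to the Cisco attribute
! WebVPN-URL-List; each map-value names a url-list that already exists on the ASA.
ldap attribute-map BOOKMARKS-BY-DEPT
 map-name  department WebVPN-URL-List
 map-value department Finance     FINANCE-BOOKMARKS
 map-value department Engineering ENG-BOOKMARKS

! placeholder AD server and bind account
aaa-server CORP-AD protocol ldap
aaa-server CORP-AD (inside) host 10.1.1.20
 ldap-base-dn dc=corp,dc=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=corp,dc=example
 server-type microsoft
 ldap-attribute-map BOOKMARKS-BY-DEPT

! Caveat from the reply: do not also set a URL list in a DAP record, since the
! DAP URL-List setting and the LDAP attribute map are mutually exclusive.
```

Both approaches remove the per-user DAP records that prompted the question. The same url-list XML file and attribute map can be loaded on every ASA in the region, so a user who logs in to the Hong Kong portal gets the same bookmarks as in Singapore without a separate DAP per firewall.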



ksirupa Mon, 03/15/2010 - 19:08

My apologies, ASDM has an option to backup/restore the configurations. You can find it under "Tools". When you back-up, you only select DAP and CSD policies. Everything else should be un-checked. Then, you can save it as zip file and restore it on the other ASA. If you need automatic sync-up and push of DAP, we will need to use CSM for that.


Thanks for that. Last question: when you say back up the DAP and CSD policies from firewall A and restore them on firewall B, can I do it during production hours without impacting operations? And if firewall A has a DAP policy XX and firewall B has a policy YY, and I back up A's config and restore it on B, will YY be overwritten, or will they merge, with the end result being XX and YY?

Pardon me, can you provide the full terms for these?

DAP: dynamic access polices

CSD: cisco secure desktop?

CSM: ??

ksirupa Mon, 03/15/2010 - 19:26

If the DAP records have two different names, then the restore on Firewall-B will add to the existing DAPs (so XX and YY). If they are same, I am not very sure whether it will overwrite or merge. I will have to test.

CSM - Cisco Security Manager - Helps you configure multiple security devices (Firewall, router, switch, IDS, IPS, MARS etc) from one unified policy interface. Also supports checkpoint and rollover, multi-device config replication and push etc.

DAP - Dynamic Access Policy

CSD - Cisco Secure Desktop.

ksirupa Thu, 03/18/2010 - 01:23

Bookmarks are known as "URL-Lists". They may show up under "webcontents" as well depending on the ASDM version.

