Manage downloadable ACLs through snippets

Unanswered Question

Hi all,

we are a relatively large company, and we are in the process of deploying a Cisco VPN solution based on ASA and ACS 5.1.

Our biggest problem at the moment is the management of downloadable ACLs. Technically it was no big deal to get that to work, but our company requirements in terms of limited network access will cause us to have more than 100 different downloadable ACLs that are of course overlapping.

My idea now was to organize them in snippets (like e.g you have a snippet to access the corporate email system, a snippet for ERP etc) and to create the ACLs from those snippets that will be stored in a database.

Has anybody done that yet, or is there any product that can do that?

All input  will be highly appreciated...



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
fadlouni Thu, 10/14/2010 - 08:27
User Badges:
  • Bronze, 100 points or more

Hi Drik.

Maybe this is what you want, you should try it?:

On the ASA define your object-groups (these can be hosts/networks/ports etc..), then on the ACS reference that object-group in your acl.


on ASA side:

Object-group network mygroup

On the LDAP or RADIUS server in the user/group profile define:
"ip:inacl#=permit ip any object-group mygroup"

I hope this achieves what you want.



jan.nielsen Fri, 10/15/2010 - 17:43
User Badges:
  • Gold, 750 points or more

Unfortunately, ACS 5.1 can only serve a static acl, not a combined acl derived from ex. multiple Active Directory groups, which is what i think you are looking for. This can be done on the ASA with DAPs, but all acl's will be on the ASA, not the ACS. Cisco say this might be coming to the next version of ACS.


This Discussion

Related Content