Downloadable ACLs on a FWSM

Nov 6th, 2006
I'd like to have multiple ACLs downloaded to a FWSM from my ACS server (3.3) when an outside user logs in, triggered by http or ssl. To clarify, I'd like to have unique default ACLs applied to my inside and dmz interfaces when no one is logged in. When a specific user logs in, I'd like to replace the default inside and dmz interface ACLs with new ones. These ACLs will also differ from each other as well.

If this is possible, is there any guarantee in which order the ACLs will be applied upon user login?

The goal is to create a lock-step process so that a dual-homed machine is never able to access both its dmz and inside interfaces when an outside user is logged in. Hope this makes some sort of sense.


thanks,

Peter

trmccart (Cisco Employee) Tue, 11/07/2006 - 02:21

Peter,

I've not done this on the FWSM; however, on the PIX/ASA the dACLs are only applied to the user's traffic. I have always had to use the per-user-override feature on the access-group command.

There are several software caveats associated with this feature on the FWSM. I would dig through Bug Navigator and the release notes prior to testing in a lab environment.


Troy

phaddad Tue, 11/07/2006 - 09:15
Thanks Troy, I did see some alerts regarding ACS and DACL vulnerabilities, but I'll check on the FWSM explicitly; I hadn't done that yet. I could do this with 525s, so the FWSM issues aren't a show stopper.

I assume that the firewall will download the group/user ACL to the interface that is referenced in the command:

aaa authentication match acl-name interface-name server-tag

So it seems that if I had multiple statements like the one above pointing to different interfaces, the same user would download the same ACL associated with him or his group. So if I wanted the ACLs to be different on each interface, I'm SOL.


Could I have 2 different users download a different ACL to different i/fs?

If I had 2 different users download 2 different ACLs to the same i/f, how does the PIX deal with that?


thanks,

Peter
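Troy's per-user-override point and Peter's question about two users pulling different dACLs on one interface, as an added Python model that is not from the thread or from Cisco: the interface ACL stays the default for every source, and an authenticated source's downloaded ACL is consulted in its place for that source only. The ACE fields, the session table keyed by source IP (as the PIX/ASA uauth table is) and all addresses are assumptions constructed for the example.

```python
# Added example (not from the thread): a small model of PIX/ASA-style
# per-user-override evaluation. Assumptions: ACLs are first-match lists with
# an implicit deny; authenticated sessions are keyed by source IP (uauth table).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: str            # source CIDR
    dst: str            # destination CIDR
    dport: int = None   # None = any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("ip", proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.dport in (None, dport))

def evaluate(acl, proto, src, dst, dport):
    """First matching ACE decides; no match means implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False

@dataclass
class Interface:
    acl: list                                   # access-group ACL
    uauth: dict = field(default_factory=dict)   # source IP -> downloaded ACL

    def permit(self, proto, src, dst, dport=None):
        # per-user-override: an authenticated source's dACL is consulted instead of
        # the interface ACL for that source only; every other host still hits the
        # interface ACL, which itself never changes when someone logs in.
        dacl = self.uauth.get(src)
        return evaluate(self.acl if dacl is None else dacl, proto, src, dst, dport)

def demo():
    """Constructed sample: the default inside ACL permits only HTTP to the DMZ."""
    inside = Interface([Ace("permit", "tcp", "10.1.0.0/24", "10.2.0.0/24", 80)])
    # Two users authenticate from different hosts, each pulling a different dACL.
    inside.uauth["10.1.0.10"] = [Ace("permit", "tcp", "10.1.0.10/32", "10.2.0.0/24", 22)]
    inside.uauth["10.1.0.20"] = [Ace("permit", "ip", "10.1.0.20/32", "10.2.0.5/32")]
    return {
        "anon_http": inside.permit("tcp", "10.1.0.30", "10.2.0.5", 80),   # interface ACL
        "anon_ssh": inside.permit("tcp", "10.1.0.30", "10.2.0.5", 22),    # implicit deny
        "user1_ssh": inside.permit("tcp", "10.1.0.10", "10.2.0.5", 22),   # user1's dACL
        "user1_http": inside.permit("tcp", "10.1.0.10", "10.2.0.5", 80),  # dACL replaced interface ACL
        "user2_dns": inside.permit("udp", "10.1.0.20", "10.2.0.5", 53),   # user2's dACL
    }
```

The unauthenticated host and the two logged-in users each get a different answer on the same interface, which is the behaviour Troy describes: the dACL shapes only its own user's traffic, so it cannot serve as a replacement for the interface ACL as a whole.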
