About downloadable ACL on ASA5520

beyond_ccies
Level 1

I have set up a user with a downloadable ACL on the AAA server (ACS 4.0 for Windows). On the ASA5520, I have enabled WebVPN on the outside interface, and the authentication method is AAA.

When I log in to the ASA5520 through WebVPN, it (the downloadable ACL) didn't work. Please help me!!!

8 Replies

a.kiprawih
Level 7

Hi,

Just a quick check, is your Downloadable ACL configured under AAA-Radius for authentication?

Rgds,

AK

Rutger Blom
Level 1

I have the same problem with downloadable ACLs and SSL VPN on a VPN 3000 concentrator. The ACLs are on an ACS4, but somehow it doesn't work.

Rutger

Does the VPN3K even support downloadable ACLs?

Originally it was just PIX. Some IOS routers were enabled for NAC support - but the early implementation didn't support fragmentation (i.e. for ACLs larger than 4K).

Then there was a security vulnerability discovered in the DACL exchange. The fix for that made the new version incompatible with the previous one. So IOS/PIXOS needed updating.

I'm not sure of the exact dates/versions - best check with the TAC.

Darran

a.kiprawih
Level 7

VPN3K does not have/support DACL.

Rgds,

AK

DACL with VPN3K works fine with IPSec connections, but not with SSL VPN. I know because we use it this way. The DACLs are on the ACS server.

Rutger

Downloadable ACL from ACS to VPN3000 works just fine.

Although I have just reported a major flaw in the new code to VPN3030.

Same problem here. Downloadable ACLs work fine for SSL/IKE VPN sessions but not for WebVPN sessions.

Anybody opened a TAC case or know a workaround?

Thanks!

-Markus

Wait a minute, it works for you with SSL VPN? For us it doesn't. Only with IKE.

Rutger