Downloadable ACL's on Multiple Firewalls

aalshammari · ‎02-21-2007

Dears

We have ASA in our network and it's configured as VPN gateway, ACS server is configured for users authentication and authorization.

Now the VPN user will try to connect to the network he will be authenticated through RADUES on ACS, then the downloadable Access-list will be pushed to ASA to control the users traffic.

Until here everything is working fine without any issue, but after accessing the network, we have internally FWSM to protect some segments, so the user will stop here. The current solution for this is to assign static IP for each VPN user and configure an access list on FWSM, which more manual process and time consume.

Is there any way to configure the downloadable ACL to be pushed to ASA and FWSM ?? In one time. or please advice on alternative solution for this scenario

Many thanks for your support.

Vivek Santuka · ‎02-22-2007

Hi,

We cannot push the ACLs to the ASA and the FWSM together.

One solution which comes to mind is to add cut-through authentication/virtual http/telnet on the FWSM.

The down side is ofcourse repeated authentication at different levels.

Regards,

Vivek

aalshammari · ‎02-22-2007

Thanks vsantuka for your reply

I have tried this solution before, but it's not an effective solution as we have multiple security contexts on the FWSM which require virtual telnet / http on each one. Which result more complexity, and repainting of authentication / authorization process