Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Downloadable ACL's on Multiple Firewalls


We have ASA in our network and it's configured as VPN gateway, ACS server is configured for users authentication and authorization.

Now the VPN user will try to connect to the network he will be authenticated through RADUES on ACS, then the downloadable Access-list will be pushed to ASA to control the users traffic.

Until here everything is working fine without any issue, but after accessing the network, we have internally FWSM to protect some segments, so the user will stop here. The current solution for this is to assign static IP for each VPN user and configure an access list on FWSM, which more manual process and time consume.

Is there any way to configure the downloadable ACL to be pushed to ASA and FWSM ?? In one time. or please advice on alternative solution for this scenario

Many thanks for your support.


Re: Downloadable ACL's on Multiple Firewalls

Yes, you can use downloadable access-lists. For more information kindly refer the url,

New Member

Re: Downloadable ACL's on Multiple Firewalls


Thanks for your reply

I went through the NAC document but, I could not find the solution of my requirements.

Would please explain more how can I employ NAC ?



Re: Downloadable ACL's on Multiple Firewalls

With ACS v4.0 there's no reason why you cant define a NAP for both ASA and FWSM. I assume the FWSM is capable of authenticating via RADIUS too?

You can (if you need to) have quite seperate authentication & authorisation policies in each NAP (including DACLS) or identical - up to you.

Not sure you need full blown NAC from your original post. NAPs are just something that NAC uses to handle multiple network services for a single user.


CreatePlease login to create content