Is there a way to name an access-list from the Cisco Security Manager interface? I need to define and use a named access-list (not automatically generated names) for use on the remote vpn client connections.
This is what I need.
1. Create a named access list on the ASA, e.g., acl name "laptop_group" using CSM.
2. In my ACS authentication server, I define a user/group whose users receive the "laptop_group" ACL via RADIUS attributes. So the laptop_group ACL must exist on the ASA.
Note: I am able to create named Access Control Lists in CSM via the Policy Object Manager, and I can use these if I manage my Remote Access VPN internally, but I am using ACS and need to manage the VPNs externally.
I have created a ticket with the TAC and apparently what I am trying to do is impossible in CSM.
All I need to do is be able to create a named access-list on the ASA from the CSM interface. I do not want the ACL associated with an interface or anything, I just need the ACL to exist on the ASA. I want to be able to manage my object-groups and the ACL from CSM, it is as simple as that, but CSM cannot do this.
The purpose of the ACL is for VPN clients. I create groups of users on our RADIUS server, Cisco ACS, and these groups have an access-list associated with them. When the VPN client connects, the user authenticates against the ACS RADIUS server and it replies back with the access-list to use. This access-list is the one that exists on the ASA that I need. This ACL gets applied to the VPN connection and is the control point for the VPN users.
1. Yes, I have changed the "Remove unreferenced ACL" feature, but that still requires me to manage the ACL from the command line, which is probably what I will end up doing since there is no way to manage this type of ACL from CSM.
2. I do have a VPN created on the device and I do have RA enabled, but the problem lies in that this is an "External Server" managed Group Policy. If I use the "On Device" group policy then I can easily manage and apply an ACL to the RA VPN, but that is not very scalable for a large number of VPN accounts. I need to be able to manage the users and VPN policy via the Cisco ACS server.
I have spoken with TAC and they say that CSM does not support this and that I will have to manage my ACLs via CLI like you suggested. At this time and version, I do not believe there is anything else that I can do.
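For readers who end up managing this ACL from the ASA CLI as the thread concludes, the following is an added example (not from the original posters and not generated by CSM) of what the ASA side of the setup looks like: a named ACL that is not bound to any interface, the RADIUS server group that the remote-access tunnel-group authenticates against, and the on-device equivalent (vpn-filter) for comparison. All addresses, names and the shared-secret placeholder are constructed assumptions; the ACL name "laptop_group" is the one from the thread. On the ACS side, the assumption is that the group returns the ACL name in the standard RADIUS Filter-Id attribute (attribute 11), which the ASA accepts as the name of an ACL to apply to the VPN session.

```cisco
! --- Constructed example: ASA running-config fragment ---
! Object group for the hosts that laptop_group users may reach.
! Managing this object group in CSM is fine; the ACL below is what CSM cannot create.
object-group network LAPTOP_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
!
! Named ACL referenced only by the RADIUS reply. It is deliberately NOT applied
! with access-group to any interface; the ASA applies it per VPN session.
! Last line is an explicit deny so that anything not listed is dropped.
access-list laptop_group extended permit tcp any object-group LAPTOP_SERVERS eq 443
access-list laptop_group extended permit tcp any object-group LAPTOP_SERVERS eq 22
access-list laptop_group extended deny ip any any
!
! RADIUS server group pointing at the Cisco ACS server (address and key are placeholders).
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key <shared-secret>
!
! Remote-access tunnel-group that authenticates (and takes authorization attributes) from ACS.
! The ACS group for laptop users returns:  Filter-Id (11) = laptop_group
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
!
! For comparison, the "On Device" way the thread mentions: the same ACL pinned to a
! group-policy with vpn-filter instead of being named in the RADIUS reply.
group-policy LAPTOP-GP internal
group-policy LAPTOP-GP attributes
 vpn-filter value laptop_group
!
! --- Checks after a CSM deployment ---
! Confirm the ACL survived the deploy (CSM's unreferenced-ACL removal can strip it):
!   show running-config access-list laptop_group
! Confirm a connected user actually received the filter:
!   show vpn-sessiondb detail anyconnect filter name <username>
```

The operational caveat the thread already raises applies here: because nothing in the CSM-managed configuration references laptop_group, every CSM deployment must be checked with the first show command above, or the ACL should be defined outside CSM's scope as the posters ended up doing.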