Cisco Support Community

New Member

Downloadable ACL


I have configured a downloadable PIX access-list with ACS 3.1 and PIX 6.3 using RADIUS attributes. It is working, but it uses ANY as the source for the ACL. I would like to have, instead of ANY, just the host IP address. The host IP address is allocated from the pool defined on the PIX, so it is not known in advance and I cannot put it in the ACL on the ACS server manually.

I saw some time ago that it is possible, but I cannot find now how to configure it.

I appreciate your input a lot. Thanks

Cisco Employee

Re: Downloadable ACL

The ACL is always entered as "any" in ACS, and that's how it looks when it's downloaded to the PIX. However, this downloadable ACL is applied per user, and each user is mapped to one IP address, so in effect, even though the ACL says "any", it's only ever applied to that one IP address the user authenticated from.

A "show uauth" command will show which users/IP addresses are authorized to do what.

I guess if you knew one user was always going to authenticate from the same internal IP address, you could apply a PIX downloadable ACL with that IP address as the source, but it's really not necessary. Don't think the ACL is applied to the inside interface; it's not. It's applied to that user's session and only that user's session.
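The following is an added example, not code from this thread or from Cisco, that models the behaviour the reply describes: the ACL arrives from ACS with "any" as its source, but the PIX binds it to the uauth entry (user to IP address) created at authentication, so only traffic from that one IP is ever checked against it. The attribute strings use the cisco-av-pair "ip:inacl#N=<ace>" form; the specific ACEs, the user name "jsmith" and all addresses are constructed sample data, and the uauth table is a stand-in for the PIX's own session table.

```python
"""Model of how a PIX scopes an ACS-downloaded ACL to the authenticating host.

Added example, not from the thread. The av-pair strings are constructed
sample attributes in the cisco-av-pair "ip:inacl#N=<ace>" form; the uauth
table is a constructed stand-in for the PIX's session table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample Access-Accept attributes for one ACS user profile.
# Deliberately out of order to show that the sequence number, not the
# attribute order, decides ACE ordering.
SAMPLE_AVPAIRS = [
    "ip:inacl#3=deny ip any any",
    "ip:inacl#1=permit tcp any host 192.168.10.5 eq 80",
    "ip:inacl#2=permit udp any host 192.168.10.53 eq 53",
]

# Constructed uauth table as the PIX would build it: pool address -> user.
SAMPLE_UAUTH = {"10.1.1.23": "jsmith"}


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # destination port from "eq N", if any


def _parse_addr(tokens, i):
    """Consume one PIX address spec starting at tokens[i]:
    'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M' (PIX uses a real netmask).
    Returns (network, index of the next unconsumed token)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(text):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' into an Ace."""
    t = text.split()
    action, proto = t[0], t[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {text}")
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def parse_avpairs(avpairs):
    """Turn 'ip:inacl#N=<ace>' attributes into an ordered ACL (by N)."""
    entries = []
    for ap in avpairs:
        key, _, ace = ap.partition("=")
        if not key.startswith("ip:inacl#"):
            continue  # other av-pairs are not part of the inbound ACL
        entries.append((int(key[len("ip:inacl#"):]), parse_ace(ace)))
    return [ace for _, ace in sorted(entries, key=lambda e: e[0])]


def match(acl, src, dst, proto, dport):
    """First-match evaluation; anything no ACE permits is denied."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"


def evaluate(uauth, acls_by_user, src, dst, proto, dport=None):
    """Apply the per-user ACL the way the reply describes: the ACL is found
    through the uauth entry for the packet's source IP. A source with no
    uauth entry never reaches any downloaded ACL, whatever its "any" source
    says; the PIX would instead start authentication for that host."""
    user = uauth.get(src)
    if user is None:
        return "no-uauth"
    return match(acls_by_user[user], src, dst, proto, dport)


if __name__ == "__main__":
    acls = {"jsmith": parse_avpairs(SAMPLE_AVPAIRS)}
    print(evaluate(SAMPLE_UAUTH, acls, "10.1.1.23", "192.168.10.5", "tcp", 80))
    print(evaluate(SAMPLE_UAUTH, acls, "10.1.1.99", "192.168.10.5", "tcp", 80))
```

Running the block shows "permit" for the authenticated pool address and "no-uauth" for an address with no session, which is the practical meaning of the reply: the "any" in the ACE never widens the ACL beyond the host that owns the uauth entry.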

