I'd like to have multiple ACLs downloaded to a FWSM from my ACS server (3.3) when an outside user logs in, triggered by http or ssl. To clarify, I'd like to have unique default ACLs applied to my inside and dmz interfaces when no one is logged in. When a specific user logs in I'd like to replace the default inside and dmz interface ACLs with new ones. These ACLs will also differ from each other as well.
If this is possible, is there any guarantee in which order the ACLs will be applied upon user login?
The goal is to create a lock-step process so that a dual-homed machine is never able to access both its dmz and inside interfaces when an outside user is logged in. Hope this makes some sort of sense.
Thanks Troy, I did see some alerts regarding ACS and DACL vulnerabilities, but I'll check on the FWSM explicitly, I hadn't done that yet. I could do this with 525's, so the FWSM issue isn't a show stopper.
I assume that the firewall will download the group/user ACL to the interface that is referenced in the command:
aaa authentication match acl-name interface-name server-tag
So it seems that if I had multiple statements like the one above pointing to different interfaces, the same user would download the same ACL associated with him or his group. So if I wanted the ACLs to be different on each interface, I'm SOL.
Could I have 2 different users download a different ACL to different i/f's?
If I had 2 different users download 2 different ACLs to the same i/f, how does the PIX deal with that?