we are a relatively large company, and we are in the process of deploying a Cisco VPN solution based on ASA and ACS 5.1.
Our biggest problem at the moment is the management of downloadable ACLs. Technically it was no big deal to get that to work, but our company requirements in terms of limited network access will cause us to have more than 100 different downloadable ACLs that are of course overlapping.
My idea now was to organize them in snippets (e.g. you have a snippet to access the corporate email system, a snippet for ERP, etc.) and to create the ACLs from those snippets that will be stored in a database.
Has anybody done that yet, or is there any product that can do that?
On the ASA define your object-groups (these can be hosts/networks/ports, etc.), then on the ACS reference that object-group in your ACL.
On the ASA side:
object-group network mygroup
 network-object 10.1.1.1 255.255.255.0
 network-object 22.214.171.124 255.255.255.0
On the LDAP or RADIUS server in the user/group profile define: "ip:inacl#=permit ip any object-group mygroup"
Unfortunately, ACS 5.1 can only serve a static ACL, not a combined ACL derived from e.g. multiple Active Directory groups, which is what I think you are looking for. This can be done on the ASA with DAPs, but all ACLs will be on the ASA, not the ACS. Cisco say this might be coming to the next version of ACS.
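As an added example that is not part of the original thread, the script below shows the snippet approach from the question combined with the object-group technique from the answer: reusable snippets (one per application) are composed into a per-role downloadable ACL, overlapping entries are emitted once, the result is rendered as ip:inacl#N= Cisco-AV-Pair values ready to paste into the ACS/RADIUS profile, and a check confirms that every object-group a snippet references is actually defined on the ASA. All snippet names, role names, object-group names, addresses and the ASA configuration text are constructed for the example; the ACS profile itself is still static per role, as the answer notes.

```python
import re

# Constructed snippets: one reusable block of ACEs per application.
# Object-group names (og-mail, og-erp, og-dns) are assumed to exist on the ASA.
SNIPPETS = {
    "corp-email": [
        "permit tcp any object-group og-mail eq 443",
        "permit tcp any object-group og-mail eq 993",
    ],
    "erp": [
        "permit tcp any object-group og-erp eq 443",
        "permit tcp any object-group og-erp eq 8000",
    ],
    "dns": [
        "permit udp any object-group og-dns eq 53",
    ],
}

# Constructed role-to-snippet mapping (what the question's database would hold).
# "dns" is shared by both roles, so the snippets deliberately overlap.
ROLES = {
    "sales": ["dns", "corp-email"],
    "finance": ["dns", "corp-email", "erp"],
}

# Constructed ASA running-config extract; note that og-dns is NOT defined,
# which the check below should flag before the ACL is pushed to ACS.
ASA_CONFIG = """\
object-group network og-mail
 network-object 192.0.2.0 255.255.255.0
object-group network og-erp
 network-object 198.51.100.10 255.255.255.255
"""


def compose_acl(role, snippets=SNIPPETS, roles=ROLES):
    """Return the ordered, de-duplicated list of ACEs for a role.

    Snippets are concatenated in the order listed for the role; an ACE that
    appears in more than one snippet is kept only at its first position.
    An explicit deny is appended so the downloaded ACL is self-describing.
    """
    seen = set()
    aces = []
    for name in roles[role]:
        for ace in snippets[name]:
            if ace not in seen:
                seen.add(ace)
                aces.append(ace)
    aces.append("deny ip any any")
    return aces


def radius_attributes(aces):
    """Render ACEs as Cisco-AV-Pair values using the ip:inacl#N= syntax
    shown in the answer, numbered from 1 in ACL order."""
    return [f"ip:inacl#{i}={ace}" for i, ace in enumerate(aces, start=1)]


def defined_object_groups(asa_config):
    """Collect object-group names defined in an ASA configuration extract."""
    return set(re.findall(r"^object-group (?:network|service) (\S+)",
                          asa_config, re.M))


def missing_object_groups(asa_config, aces):
    """Return object-groups referenced by the ACEs but absent from the ASA.
    A downloadable ACL that names an undefined group is rejected on download,
    so this is the check to run before updating the ACS profile."""
    referenced = set()
    for ace in aces:
        referenced.update(re.findall(r"object-group (\S+)", ace))
    return referenced - defined_object_groups(asa_config)


if __name__ == "__main__":
    for role in ROLES:
        acl = compose_acl(role)
        print(f"# role: {role}")
        for line in radius_attributes(acl):
            print(line)
        missing = missing_object_groups(ASA_CONFIG, acl)
        if missing:
            print(f"# WARNING: undefined object-groups on ASA: {sorted(missing)}")
        print()
```

Running the script prints the attribute lines for each role and warns that og-dns is referenced but not defined in the constructed ASA configuration; in practice the ASA_CONFIG string would be replaced by the output of "show running-config object-group" from the firewall.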