New Member

Limit of dynamic access policies?

Hi,

Is there a maximum number of DAPs supported by ASA 55XX 9.1?

Thanks for your information.

Patrick

ACCEPTED SOLUTION

Cisco Employee

Patrick,

No limit on policies is imposed, but under 100 is recommended (for high-end deployments). Realistically, 20-50 is what we see in most advanced deployments.

We impose a limit on the number of attributes (999) in DAP.

M.

4 REPLIES

New Member

Hi Marcin,

Thanks for your quick answer.

We will have about 200 different profiles (1 profile = 1 ACL = 1 LDAP group).

I wanted to configure one DAP per profile. The ASA would check LDAP membership, then push the network ACL.

We have a 5585-X for our production environment. Do you think that it could work?

Or do you have a better idea?

Patrick

Cisco Employee

Patrick,

Thinking out loud here, maybe without appreciating something grander.

LDAP attribute mapping: map an attribute in LDAP to an ACL (vpn-filter or similar)... depends how complicated the DAP policy would be...

M.

New Member

In my case, it could work if a user is a member of groups which are explicitly mapped to an ACL.

If he belongs to other groups, the ASA will try to map those groups to an ACL, and then we will get this error:

    %ASA-4-113030: Group group User user IP ipaddr User ACL acl from AAA
    doesn't exist on the device, terminating connection.

The specified ACL was not found on the ASA.

And it won't work.

I will think about using a specific LDAP attribute, but this will bring other problems (directory process...).

If you have other ideas, I would be glad to test them.

Otherwise I will choose between DAP or LDAP mapping...

Thanks again, Marcin!!

Patrick
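An added example, not part of this thread: a small Python check for the failure mode Patrick describes. Given the LDAP group-to-ACL map, the ACL names actually configured on the ASA and a user's memberOf values, it predicts which names would hit %ASA-4-113030 before anyone connects, and it parses 113030 syslog lines to list the ACL names the device has already rejected. The group DNs, ACL names and log lines are constructed, and the assumption that an unmapped memberOf value is forwarded unchanged as an ACL name is marked in the code.

```python
import re
from typing import Dict, Iterable, List, Set

# %ASA-4-113030 in the form quoted in the thread. The ACL field is matched
# lazily: an unmapped value can be a whole group DN with commas and spaces.
ASA_113030 = re.compile(
    r"%ASA-4-113030: Group (?P<group>\S+) User (?P<user>\S+) IP (?P<ip>\S+) "
    r"User ACL (?P<acl>.+?) from AAA doesn't exist on the device"
)

def parse_113030(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return group/user/ip/acl for every 113030 line; other lines are skipped."""
    return [m.groupdict() for m in map(ASA_113030.search, lines) if m]

def predict_acl_names(member_of: Iterable[str], group_to_acl: Dict[str, str]) -> Set[str]:
    """ACL names the ASA would be handed for a user's memberOf values.
    Assumption (consistent with what Patrick observed): a memberOf value with
    no mapping is forwarded unchanged, so the raw group DN is looked up as an
    ACL name on the device."""
    return {group_to_acl.get(dn, dn) for dn in member_of}

def missing_acls(member_of: Iterable[str], group_to_acl: Dict[str, str],
                 configured_acls: Iterable[str]) -> Set[str]:
    """Names that would trigger 113030 because no such ACL exists on the ASA."""
    return predict_acl_names(member_of, group_to_acl) - set(configured_acls)

def unknown_acls_from_logs(lines: Iterable[str], configured_acls: Iterable[str]) -> Set[str]:
    """ACL names reported by 113030 events that are still absent from the config."""
    return {e["acl"] for e in parse_113030(lines)} - set(configured_acls)

# Constructed sample data: hypothetical group DNs, ACL names and log lines.
GROUP_TO_ACL = {
    "CN=VPN-Sales,OU=Groups,DC=example,DC=com": "ACL-SALES",
    "CN=VPN-Eng,OU=Groups,DC=example,DC=com": "ACL-ENG",
}
CONFIGURED_ACLS = {"ACL-SALES", "ACL-ENG"}
SAMPLE_LOGS = [
    "%ASA-4-113030: Group DfltGrpPolicy User pdupont IP 203.0.113.7 User ACL "
    "CN=Printers,OU=Groups,DC=example,DC=com from AAA doesn't exist on the device, "
    "terminating connection.",
    "%ASA-6-113039: Group DfltGrpPolicy User pdupont IP 203.0.113.7 AnyConnect parent session started.",
]

if __name__ == "__main__":
    groups = ["CN=VPN-Sales,OU=Groups,DC=example,DC=com",
              "CN=Printers,OU=Groups,DC=example,DC=com"]
    print("would terminate on:", missing_acls(groups, GROUP_TO_ACL, CONFIGURED_ACLS))
    print("unknown ACLs seen in logs:", unknown_acls_from_logs(SAMPLE_LOGS, CONFIGURED_ACLS))
```

Feeding it the device's real ACL names (from the running configuration) and each group's mapping turns the 113030 termination into a pre-flight finding rather than a user-facing disconnect.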
