Downloadable ACLs

Feb 04,2010 by alperen


In Chapter 8, you learned about the CBAC Authentication Proxy feature of the Cisco Secure IOS PIX feature set. This feature allowed ACEs to be downloaded on a per-user or a per-group basis from an AAA server. These ACEs were based on either user or group profile entries added to the Cisco Secure ACS configuration.

The PIX Firewall version 6.2 introduced a similar feature when using a RADIUS server for AAA and Cisco Secure ACS 3.0 or later (Windows). Access lists are configured on the AAA server, and then downloaded to a PIX Firewall during user authentication, eliminating the need to be configured separately on the PIX Firewall. This feature improves scalability when using access lists for individual users. Currently, the feature isn’t supported for TACACS+ servers or UNIX ACS.

No additional configuration is needed for the firewall once AAA authorization is configured. The next chapter looks at configuring the Cisco Secure ACS server. Adding downloadable ACLs is covered briefly then.

Cisco Secure ACS Configuration

Remember, as a new feature in the PIX Firewall v6.2 and Cisco Secure ACS v3.0 for Windows, changes and additional options can be expected. Be sure to check the Cisco web site for the latest instructions.

Downloading an ACL

The actual ACL entries can be named or unnamed ACLs, depending on whether the ACL will ultimately be used by multiple users. A named ACL should be used when frequent requests occur for downloading a large access list. With a named ACL, after authentication, the ACS server sends the ACL name to the PIX Firewall to see if the ACL already exists. If not, the PIX Firewall requests the ACL to be downloaded. A named ACL isn’t downloaded again as long as it exists on the PIX Firewall. Unnamed ACLs are always downloaded, so they should be used for unique or short ACLs.

Recognize that not all ACL statements supported by the Cisco IOS software are implemented the same on the PIX Firewall, and vice versa. Because no immediate error or typo feedback exists when configuring an ACL on an AAA server, double-checking your work and testing your results is important.

Downloadable Named ACL

The basic Cisco Secure ACS configuration for a named downloadable ACL includes

  1. On the Shared Profile Component (SPC) menu, select Downloadable PIX ACLs.

  2. Click Add to create an ACL definition with the acl_name, description, and the ACL definition. The ACL definition consists of one or more valid PIX Firewall ACL statements, each on a separate line. Each command is entered without the keyword access-list and the acl_name (acs_1, as you see in the following). The following is an example:

    Shared Profile Components
    Name: acs_1
    Description:  Basic PIX access example
    ACL Definitions
    permit tcp any host 10.1.2.3
    permit udp any host 10.1.2.3
    permit icmp any host 10.1.2.3
       (balance omitted)

    Because more than one user or group on the PIX Firewall could have the same ACL lines, the firewall creates a unique acl_id by concatenating #ACSACL#-PIX- + acl_name- + unique_num. Here acl_name is the ACL name from the SPC and unique_num is a unique version ID. The following sample is downloaded from the previous entries:

    access-list #ACSACL#-PIX-acs_1-4b4119d5 permit tcp any host 10.1.2.3
    access-list #ACSACL#-PIX-acs_1-4b4119d5 permit udp any host 10.1.2.3
    access-list #ACSACL#-PIX-acs_1-4b4119d5 permit icmp any host 10.1.2.3
       (balance omitted)
  3. Use User Setup or Group Setup to include the ACL in the user/group settings.

    Next, enable downloadable ACLs by following these steps:

  4. From the ACS main menu, choose Interface Configuration.

  5. Choose Advanced Options from the resulting Interface Configuration menu.

  6. Depending on how the ACL is to be applied, check either or both of the following:

    User-Level Downloadable ACLs

    Group-Level Downloadable ACLs

Downloadable Unnamed ACL

To create a user authentication profile for downloadable unnamed ACLs, perform the following steps on the AAA RADIUS server:

  1. On Group Setup or User Setup, choose Cisco IOS/PIX RADIUS Attributes.

  2. In the cisco-av-pair field, type the ACL entries, using the following syntax:

    ip:inacl#nnn=acl_command

    ip:inacl#    Keyword string that specifies an input ACL.

    nnn          Integer (0 to 999999999) that sets the final sequence order of the ACL statements on the PIX Firewall. Commands with the same nnn, including the default 0, appear in the order in which they were created.

    acl_command  One or more ACL statements without the keyword access-list or the acl_name.

The PIX Firewall assigns a name to a downloaded, unnamed ACL using the following syntax, where username is the user name of the authenticated user.

AAA-user-username

The following entries demonstrate the syntax and the capability to manage the sequence of statements. This latter feature would be a tremendous improvement over regular ACLs.

ip:inacl#5=permit tcp any host 10.1.2.3
ip:inacl#15=permit icmp any host 10.1.2.3
ip:inacl#10=permit udp any host 10.1.2.3
ip:inacl#100=deny tcp any any
ip:inacl#100=deny udp any any

The downloaded ACEs on a PIX Firewall would look like the following. Notice that the permit udp statement precedes the permit icmp statement because of the sequence numbers.

access-list aaa-user-jkeely permit tcp any host 10.1.2.3
access-list aaa-user-jkeely permit udp any host 10.1.2.3
access-list aaa-user-jkeely permit icmp any host 10.1.2.3
access-list aaa-user-jkeely deny tcp any any
access-list aaa-user-jkeely deny udp any any

At a later time, you could add the following line to the configuration. The sequence number 3 would make it the first statement in the downloaded ACL the next time it’s called.

ip:inacl#3=deny tcp 10.5.5.0 255.255.255.0 host 10.1.2.3
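The following is an added model (not from the original article or from Cisco's code) of the two naming conventions described above and of the sequence rule for the cisco-av-pair form: entries are ordered by nnn, and entries sharing an nnn keep their creation order. The unique_num for a named ACL is supplied by ACS, so it is passed in as a parameter here; treating an omitted nnn as the default 0 is this example's reading of the text.

```python
"""Added model (not from the article or Cisco) of how a PIX Firewall names and
orders the two downloadable-ACL forms described above."""
import re
from typing import List, Tuple

AV_PAIR = re.compile(r"^ip:inacl#(\d*)=(.+)$")
MAX_SEQ = 999_999_999  # range the article gives for nnn


def named_acl_id(acl_name: str, unique_num: str) -> str:
    """#ACSACL#-PIX- + acl_name- + unique_num; unique_num is the version ID ACS supplies."""
    return f"#ACSACL#-PIX-{acl_name}-{unique_num}"


def render_named_acl(acl_name: str, unique_num: str, definitions: List[str]) -> List[str]:
    """Prefix each Shared Profile Component line with 'access-list <acl_id>'."""
    acl_id = named_acl_id(acl_name, unique_num)
    return [f"access-list {acl_id} {d.strip()}" for d in definitions if d.strip()]


def parse_av_pair(av_pair: str) -> Tuple[int, str]:
    """Split 'ip:inacl#nnn=acl_command'; an omitted nnn is taken as the default 0 (assumption)."""
    m = AV_PAIR.match(av_pair.strip())
    if not m:
        raise ValueError(f"not an ip:inacl av-pair: {av_pair!r}")
    seq = int(m.group(1)) if m.group(1) else 0
    if seq > MAX_SEQ:
        raise ValueError(f"sequence {seq} exceeds {MAX_SEQ}")
    return seq, m.group(2).strip()


def render_unnamed_acl(username: str, av_pairs: List[str]) -> List[str]:
    """Sort by nnn; the sort is stable, so equal nnn (e.g. both #100) keep creation order."""
    parsed = sorted((parse_av_pair(p) for p in av_pairs), key=lambda e: e[0])
    return [f"access-list aaa-user-{username} {cmd}" for _, cmd in parsed]


# Constructed sample: the article's av-pairs plus the #3 entry it adds later.
SAMPLE_AV_PAIRS = [
    "ip:inacl#5=permit tcp any host 10.1.2.3",
    "ip:inacl#15=permit icmp any host 10.1.2.3",
    "ip:inacl#10=permit udp any host 10.1.2.3",
    "ip:inacl#100=deny tcp any any",
    "ip:inacl#100=deny udp any any",
    "ip:inacl#3=deny tcp 10.5.5.0 255.255.255.0 host 10.1.2.3",
]

if __name__ == "__main__":
    print("\n".join(render_unnamed_acl("jkeely", SAMPLE_AV_PAIRS)))
```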
