Chapter 5 Shared Profile Components
Downloadable IP ACLs
5-10
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Examples of Cisco devices that support downloadable IP ACLs are:
PIX Firewalls
VPN 3000-series concentrators
Cisco devices running IOS version 12.3(8)T or greater
An example of the format you should use to enter PIX Firewall ACLs in the ACL
Definitions box follows:
permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253
An example of the format you should use to enter VPN 3000 ACLs in the ACL
Definitions box follows:
permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1
permit ip 10.154.0.0 0.0.255.255 10.158.10.0 0.0.0.255
permit 0 any host 10.159.1.22
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
permit TCP any host 10.160.0.2 eq 23 log
permit TCP any host 10.160.0.3 range 20 30
permit 6 any host HOSTNAME1
permit UDP any host HOSTNAME2 neq 53
deny 17 any host HOSTNAME3 lt 137 log
deny 17 any host HOSTNAME4 gt 138
deny ICMP any 10.161.0.0 0.0.255.255 log
permit TCP any host HOSTNAME5 neq 80
For detailed ACL definition information, see the command reference section of
your device configuration guide.
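As an added example (not from this user guide and not Cisco software), the following Python script parses entries written in the format shown above for both device types and evaluates sample flows against them, so that a definition can be checked for syntax errors before it is saved in ACS. It assumes that the protocol keyword ip and the number 0 mean any IP protocol, that hostnames such as HOSTNAME3 are left for the device to resolve, that the mask after a network address is a Cisco wildcard mask (set bits are ignored), that entries are matched top down with the first match winning, and that a flow matching no entry falls through to an implicit deny. The sample ACL is a subset of the VPN 3000 entries above; the flows mentioned in the usage note are constructed.

```python
"""Parser and first-match evaluator for downloadable IP ACL entries in the format
shown above. Added example, not part of the ACS user guide or of Cisco software."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Protocol names from the examples -> IP protocol numbers. "ip" and the numeric "0"
# of the VPN 3000 example are treated as "any protocol" (an assumption made here).
PROTOCOLS = {"ip": None, "0": None, "tcp": 6, "udp": 17, "icmp": 1}
PORT_OPS = ("eq", "neq", "lt", "gt", "range")
Addr = Union[ipaddress.IPv4Network, str]          # str = hostname the device resolves
PortSpec = Tuple[Optional[str], Tuple[int, ...]]  # (operator, ports); (None, ()) = any

@dataclass
class Ace:
    action: str
    proto: Optional[int]                           # None = any protocol
    src: Addr
    dst: Addr
    sport: PortSpec = (None, ())
    dport: PortSpec = (None, ())
    log: bool = False

def _wildcard_prefix(wildcard: str) -> int:
    """Cisco wildcard mask (set bits = don't care) -> prefix length; must be contiguous."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return prefix

def _parse_addr(tokens: List[str]) -> Addr:
    """Consume 'any' | 'host X' | 'A.B.C.D wildcard'; hostnames are kept as text."""
    tok = tokens.pop(0)
    if tok.lower() == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.lower() == "host":
        target = tokens.pop(0)
        try:
            return ipaddress.IPv4Network(f"{target}/32")
        except ValueError:
            return target
    return ipaddress.IPv4Network(f"{tok}/{_wildcard_prefix(tokens.pop(0))}", strict=False)

def _parse_ports(tokens: List[str]) -> PortSpec:
    # Optional 'eq|neq|lt|gt N' or 'range N M' qualifier after an address.
    if not tokens or tokens[0].lower() not in PORT_OPS:
        return (None, ())
    op = tokens.pop(0).lower()
    ports = tuple(int(tokens.pop(0)) for _ in range(2 if op == "range" else 1))
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError(f"port out of range: {op} {ports}")
    return (op, ports)

def parse_ace(line: str) -> Ace:
    """Parse one entry, raising ValueError that names the first problem found."""
    tokens = line.split()
    try:
        action = tokens.pop(0).lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got '{action}'")
        ptok = tokens.pop(0).lower()
        if ptok in PROTOCOLS:
            proto = PROTOCOLS[ptok]
        elif ptok.isdigit() and int(ptok) <= 255:
            proto = int(ptok)
        else:
            raise ValueError(f"unknown protocol '{ptok}'")
        src, sport = _parse_addr(tokens), _parse_ports(tokens)
        dst, dport = _parse_addr(tokens), _parse_ports(tokens)
    except IndexError:
        raise ValueError(f"truncated entry '{line}'") from None
    log = bool(tokens) and tokens[0].lower() == "log"      # optional trailing keyword
    if tokens[int(log):]:
        raise ValueError(f"unexpected trailing tokens {tokens[int(log):]} in '{line}'")
    if (sport[0] or dport[0]) and proto not in (6, 17):
        raise ValueError(f"port qualifiers are only valid for tcp/udp: '{line}'")
    return Ace(action, proto, src, dst, sport, dport, log)

def parse_acl(text: str) -> Tuple[List[Ace], List[str]]:
    """Parse a whole ACL Definitions box; returns (entries, error messages)."""
    aces, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            try:
                aces.append(parse_ace(raw.strip()))
            except ValueError as e:
                errors.append(f"line {n}: {e}")
    return aces, errors

def _addr_match(spec: Addr, value: str) -> bool:
    if isinstance(spec, str):                      # hostname entry: exact name match only
        return value.lower() == spec.lower()
    try:
        return ipaddress.IPv4Address(value) in spec
    except ValueError:                             # hostname vs. network: undecidable offline
        return False

def _port_match(spec: PortSpec, port: Optional[int]) -> bool:
    op, p = spec
    if op is None:
        return True
    if port is None:
        return False
    if op == "range":
        return p[0] <= port <= p[1]
    return {"eq": port == p[0], "neq": port != p[0], "lt": port < p[0], "gt": port > p[0]}[op]

def evaluate(aces, proto, src, dst, sport=None, dport=None) -> Tuple[str, Optional[int]]:
    """First matching entry wins; no match means the implicit deny at the end of the list."""
    for i, a in enumerate(aces):
        if (a.proto in (None, proto) and _addr_match(a.src, src) and _addr_match(a.dst, dst)
                and _port_match(a.sport, sport) and _port_match(a.dport, dport)):
            return a.action, i
    return "deny", None

# Subset of the VPN 3000 entries shown above, used as sample input.
SAMPLE_ACL = """\
permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
permit TCP any host 10.160.0.3 range 20 30
deny 17 any host HOSTNAME3 lt 137 log
permit TCP any host HOSTNAME5 neq 80
"""
```

With this script, parse_acl(SAMPLE_ACL) returns the six entries and an empty error list; evaluate(acl, 6, "10.1.1.1", "10.160.0.1", 40000, 80) returns ('permit', 2), the same TCP flow to port 443 returns ('deny', None) because no entry matches, and parse_acl("permit icmp any host 10.0.0.254 eq 8") reports that port qualifiers are only valid for tcp and udp. The check is syntactic only: which keywords a particular device accepts is governed by the command reference cited above, and hostname entries can only be resolved by the device itself.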

Adding a Downloadable IP ACL

Before You Begin
You should have already configured any NAFs (network access filters) that you
intend to use in your downloadable IP ACL.