Wednesday, March 10, 2021

dACL on Firepower

The goal: Get a user to use a specific separate ACL when connecting on AnyConnect (so as to avoid the configured access-policy on the FTD, as this user needs special access). Method attempted: a dynamic ACL created on ISE and pushed to the 2130, to be applied as a VPN-filter for that particular user.

As such I'm trying to test downloadable ACLs, so that a specific user can have a completely different access-list applied to them when they log in to our AnyConnect VPN (i.e. the goal was to try and make the Firepower box ignore the configured access-policy, and instead use the downloaded ACL as a VPN-Filter).

What happened: When creating and applying a dACL on ISE, and pushing that RADIUS attribute to the FTD for that user, the firewall is definitely applying that ACL as a VPN filter (in #show vpn-sessiondb detail anyconnect I see the ACL applied in the "Filter Name" field); additionally I see hit counts on that downloaded ACL via #sh access-list. However, it seems that the user is still subject to further processing, whereby the 2130's regular access-policy is then checked as the traffic comes into the firewall.

The order of operations seems to be:

  • Check vpn filter for access-control
  • If traffic is permitted in this vpn filter ACL, then check the access-policy on the 2130
  • If you get a permit in both statements above, then allow the traffic

This is totally not what I wanted. I want a specific ACL that overrides the interface ACL, OR applies an ACL AFTER the processing of the original Firepower device/interface ACL. How do I achieve that?
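To make the observed behaviour concrete, here is an added illustration (not configuration from this post, and not Cisco's or ISE's own code) that models the dACL-as-VPN-filter and the FTD access-control policy as two first-match ACLs with an implicit deny, evaluated in the order listed above. All addresses, ports and rule contents are constructed for the example. It shows the practical consequence of that order: a downloaded ACL applied as the VPN filter can only narrow what the access-policy already permits, never widen it.

```python
"""Model of the VPN-filter-then-access-policy order observed above.

Constructed illustration, not FTD or ISE configuration: the dACL (applied as
the VPN filter) and the FTD access-control policy are modelled as two
first-match ACLs with an implicit deny, and a flow is only allowed when both
stages permit it. Addresses and ports are made up for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Ace:
    """One access-control entry; proto 'ip' and dport None act as wildcards."""
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return (ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst))


def evaluate_acl(acl: List[Ace], flow: Flow) -> bool:
    """First matching entry wins; no match means the implicit deny applies."""
    for ace in acl:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


def ftd_vpn_decision(vpn_filter: List[Ace], access_policy: List[Ace],
                     flow: Flow) -> Tuple[str, str]:
    """Apply the two stages in the order observed on the FTD.

    Returns (verdict, stage): the stage that produced a deny, or "both"
    when the VPN filter and the access policy each permitted the flow.
    """
    if not evaluate_acl(vpn_filter, flow):
        return ("deny", "vpn-filter")
    if not evaluate_acl(access_policy, flow):
        return ("deny", "access-policy")
    return ("permit", "both")


# Constructed dACL for the special user: SSH and HTTPS to one management host.
SPECIAL_USER_DACL = [
    Ace("permit", "tcp", "10.10.10.0/24", "192.0.2.50/32", 22),
    Ace("permit", "tcp", "10.10.10.0/24", "192.0.2.50/32", 443),
]

# Constructed access-control policy on the FTD: only HTTPS from the VPN pool.
ACCESS_POLICY = [
    Ace("permit", "tcp", "10.10.10.0/24", "192.0.2.0/24", 443),
    Ace("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]


def demo() -> List[Tuple[Flow, Tuple[str, str]]]:
    """Evaluate a few constructed flows from a VPN client at 10.10.10.5."""
    flows = [
        Flow("tcp", "10.10.10.5", "192.0.2.50", 443),   # permitted by both stages
        Flow("tcp", "10.10.10.5", "192.0.2.50", 22),    # dACL permits, policy denies
        Flow("tcp", "10.10.10.5", "203.0.113.7", 443),  # dACL never permits it
    ]
    return [(f, ftd_vpn_decision(SPECIAL_USER_DACL, ACCESS_POLICY, f)) for f in flows]


if __name__ == "__main__":
    for flow, (verdict, stage) in demo():
        print(f"{flow.proto} {flow.src} -> {flow.dst}:{flow.dport}: {verdict} ({stage})")
```

The SSH flow is the case described in the post: it gets a hit on the downloaded ACL (the VPN-filter stage permits it) and is then dropped by the access-policy, because the policy is still consulted after the filter.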

Please no replies regarding ASA code, as the config options are completely different. Also note: I'm testing on FTD code 6.6.1.
