Downloadable Access Control Lists

The PIX and CSACS support the capability to use downloadable ACLs, allowing you to create ACLs that are downloaded for a specific user or groups of users. The ACL can be downloaded during the authentication phase of a RADIUS connection, but TACACS+ does not support this feature. There are two types of downloadable access lists; named and unnamed.


Downloadable ACLs are supported only on RADIUS and not TACACS+.

Named ACL

Named ACL gives you the ability to name an ACL that is downloaded once to the PIX and shared between many users. If a newer ACL is on the server, the newer version is downloaded and shared among the users assigned to the named ACL. Named ACLs work best for several users who all need the same ACL control and when several PIX access servers need that same ACL list.

The following is an example of a downloaded named ACL:

 pixfirewall(config)# show access-list access-list #ACSACL#-PIX-MySharedACL-3ef2957b; 3 elements access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any                 host eq ftp (hitcnt=0) access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any                 host eq www (hitcnt=0) access-list #ACSACL#-PIX-MySharedACL-3ef2957b deny tcp any                 host eq telnet (hitcnt=0) 

The name of the list in the previous example is MySharedACL , and this list will be shared for all users who have been assigned the MySharedACL on the CSACS. The two tasks to configure named downloadable ACL within CSACS should be included here:

  1. From Shared Profile Components in CSACS, define the named downloadable ACL.

  2. From User Setup, apply the downloadable ACL to the corresponding users.

Unnamed ACLs

Unnamed ACLs are used to specify ACLs for individual users. The list created is used only by a single user, as opposed to a named ACL, which is shared. These lists are recommended only if each user requires an individual list.

An example of a downloaded unnamed ACL is shown here:

 pixfirewall(config)# show access-list access-list  AAA-user-daniel; 1 elements access-list  AAA-user-daniel deny tcp any any eq www (hitcnt=0) 

In the previous unnamed ACL example, an ACL is downloaded for a user named daniel and is used only by daniel .


Named ACLs are shared among several users and are downloaded only once during authentication. Unnamed ACLs are not shared and are downloaded during authentication.

CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
EAN: 2147483647
Year: 2003
Pages: 218 © 2008-2017.
If you may any questions please contact us: