Archive for the ‘ASA’ Category

Downloadable Access List Format – VPN3k vs ASA

I’m in the middle of migrating from our VPN3k to using our ASAs to terminate the VPN connections.  Everything was going along smoothly until I noticed that I couldn’t authenticate using an account in a specific group on our ACS server.  I did a RADIUS debug and some Googling and discovered that the VPN3k uses wildcard masking in its downloadable ACLs, while the ASA expects ACLs to use VLSM masks.

After a few minutes of looking through the multiple groups on the ACS server I discovered that lots of them had downloadable ACLs and I figured I was going to have to re-write them all as I migrated those users over to the ASA.  I took a few aspirin to quell the building headache and then started doing some keyword searches and found a way around all that extra work.  A lovely little command called acl-netmask-convert.

The default value for this command is “standard”, but after changing it to “wildcard” I was able to authenticate without issue.  I then tested the efficacy of the downloadable ACL and found it worked the same as it did with the VPN3k.
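As an added illustration (not code from the post, and not Cisco's implementation of acl-netmask-convert), the following Python models the two mask conventions. It parses a constructed VPN3k-style downloadable ACL, shows that reading its wildcard masks as VLSM netmasks both fails the contiguity check and matches the wrong hosts, and rewrites the entries into the netmask form the ASA expects by default. The ACEs, the addresses and the simplified matching (protocol and addresses only, port qualifiers are carried through untouched) are assumptions made for this example.

```python
import re

# Constructed sample: a VPN3k-style downloadable ACL using wildcard masks.
# These entries are made up for the example, not taken from a real ACS server.
WILDCARD_ACL = [
    "permit ip 10.1.0.0 0.0.255.255 192.168.10.0 0.0.0.255",
    "permit tcp 10.2.3.0 0.0.0.255 host 172.16.0.5 eq 443",
    "deny ip any any",
]

def ip_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address or mask: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def wildcard_to_netmask(wildcard):
    """A wildcard (0 bit = must match) is the bitwise inverse of a netmask (1 bit = must match)."""
    return int_to_ip(~ip_to_int(wildcard) & 0xFFFFFFFF)

def is_contiguous_netmask(mask):
    """VLSM netmasks are a run of 1 bits followed by a run of 0 bits (e.g. 255.255.0.0)."""
    inverted = ~ip_to_int(mask) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0

def parse_address_spec(tokens):
    """Consume one address spec ('any', 'host A', or 'A MASK'); return (spec, remaining tokens)."""
    if tokens[0] == "any":
        return ("any",), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("mask", tokens[0], tokens[1]), tokens[2:]

def parse_ace(ace):
    m = re.match(r"^(permit|deny)\s+(\S+)\s+(.*)$", ace.strip())
    if not m:
        raise ValueError(f"unparseable ACE: {ace}")
    action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = parse_address_spec(tokens)
    dst, tokens = parse_address_spec(tokens)
    return action, proto, src, dst, tokens   # leftover tokens: port qualifiers such as 'eq 443'

def spec_matches(spec, ip, mask_style):
    """Does address ip fall inside spec when the mask is read as 'wildcard' or 'standard' (netmask)?"""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return ip == spec[1]
    mask = ip_to_int(spec[2])
    care_bits = mask if mask_style == "standard" else (~mask & 0xFFFFFFFF)
    return (ip_to_int(ip) & care_bits) == (ip_to_int(spec[1]) & care_bits)

def evaluate(acl, proto, src_ip, dst_ip, mask_style):
    """First-match evaluation; the implicit deny at the end of every ACL applies if nothing matches."""
    for ace in acl:
        action, ace_proto, src, dst, _ = parse_ace(ace)
        if ace_proto not in ("ip", proto):
            continue
        if spec_matches(src, src_ip, mask_style) and spec_matches(dst, dst_ip, mask_style):
            return action
    return "deny"

def invalid_standard_masks(acl):
    """Masks that are not contiguous netmasks, i.e. entries that only make sense as wildcards."""
    bad = []
    for ace in acl:
        _, _, src, dst, _ = parse_ace(ace)
        for spec in (src, dst):
            if spec[0] == "mask" and not is_contiguous_netmask(spec[2]):
                bad.append(spec[2])
    return bad

def spec_to_text(spec, mask_style):
    if spec[0] == "any":
        return "any"
    if spec[0] == "host":
        return f"host {spec[1]}"
    mask = spec[2] if mask_style == "wildcard" else wildcard_to_netmask(spec[2])
    return f"{spec[1]} {mask}"

def convert_acl_to_asa(acl):
    """The manual rewrite the post wanted to avoid: wildcard ACEs expressed with VLSM netmasks."""
    out = []
    for ace in acl:
        action, proto, src, dst, extra = parse_ace(ace)
        parts = [action, proto, spec_to_text(src, "standard"), spec_to_text(dst, "standard"), *extra]
        out.append(" ".join(parts))
    return out

if __name__ == "__main__":
    print("wildcard read:", evaluate(WILDCARD_ACL, "ip", "10.1.5.7", "192.168.10.20", "wildcard"))
    print("standard read:", evaluate(WILDCARD_ACL, "ip", "10.1.5.7", "192.168.10.20", "standard"))
    print("non-VLSM masks:", invalid_standard_masks(WILDCARD_ACL))
    print("\n".join(convert_acl_to_asa(WILDCARD_ACL)))
```

Run as written, the same packet is permitted under the wildcard reading and denied under the standard reading, and 0.0.255.255 and 0.0.0.255 are flagged as not being contiguous netmasks; the converted entries are what an administrator would otherwise have to type into ACS for every group.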

Thank you Cisco!  :0)

Posted August 20, 2010 by SYN Eater in ACS, ASA, Security, VPN

ASA RegEx End of Line Anchor I$$ue

A few days ago I was writing a regular expression for a string match on one of the ASAs at work.  It should have been a simple exercise as all I wanted to do was block files with the “.lnk” extension via http inspection.  After perusing my notes, I came up with this: “\.[Ll][Nn][Kk]$”.  I thought to myself, “Great! That should take care of the file no matter what case letters are used.”  How wrong I was.

I attempted to test the regex using the fantastic test feature in the ASA.  I checked it against “file.lnk” and was quite surprised when the message came up “match failed”.  After much searching through the ASA documentation pertaining to regular expressions I noticed that while there was mention of the beginning of line anchor “^”, the end of line anchor “$” was missing.  Figuring it must be an oversight in the documentation, I checked the documentation of the IPS, which also supports regex string matching, and sure enough, there was the “$” fully documented.  I tried several variations of the regex and finally achieved a partial success by leaving off the end line anchor.  While this did match “file.lnk”, it also matched “www.lnk.mydomain.com”.  I worked with some of the folks in our Systems department and they assured me that the way I had originally written the regex string should have worked.

With no success finding an answer via web search, I posted on the Cisco Support Community forums.  Within a few hours I got a reply from a TAC engineer who relayed the following to me: “The ASA/PIX Regex engine does not support the end of string anchor ($). Bug CSCsm89915 has been filed as an enhancement to get this functionality into the regex engine. Unfortunately there has been no movement on that enhancement since 2008.”

I am at a loss as to why something that one would think would be a relatively minor fix like this has yet to be corrected.  Regular expressions are very powerful and highly useful tools.  I realize that I can work around this by adding additional “match not” statements and additional regex strings, but this really shouldn’t be necessary.
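The following Python is an added example, not from the post and not a model of the ASA's own regex engine. It checks the post's pattern against constructed sample strings in three forms: with the “$” anchor, without it (the partial success described above), and an assumed match / match-not emulation of the anchor in which a candidate must contain “.lnk” and must not contain “.lnk” followed by any further character. The sample strings and the emulation are assumptions for this example; the point is to show the false positive the post saw and the false negative the workaround introduces.

```python
import re

# Constructed sample strings with the expected verdict (True = should be blocked).
# These are made up for the example, not captured traffic.
SAMPLES = {
    "file.lnk": True,
    "FILE.LNK": True,
    "/downloads/Setup.Lnk": True,
    "backup.lnk.old.lnk": True,       # extension appears twice; still ends in .lnk
    "www.lnk.mydomain.com": False,    # the post's false positive
    "notes.lnk.txt": False,
    "report.pdf": False,
}

WITH_ANCHOR = re.compile(r"\.[Ll][Nn][Kk]$")       # the pattern the post wanted
WITHOUT_ANCHOR = re.compile(r"\.[Ll][Nn][Kk]")     # the partial workaround
# Assumed match / match-not emulation of "$": block when the extension is present
# and NOT followed by another character.
FOLLOWED_BY_MORE = re.compile(r"\.[Ll][Nn][Kk].")

def classify(s, mode):
    """Return True if string s would be blocked under the given matching mode."""
    if mode == "anchor":
        return WITH_ANCHOR.search(s) is not None
    if mode == "no-anchor":
        return WITHOUT_ANCHOR.search(s) is not None
    if mode == "match-not":
        return WITHOUT_ANCHOR.search(s) is not None and FOLLOWED_BY_MORE.search(s) is None
    raise ValueError(f"unknown mode: {mode}")

def false_positives(mode):
    """Sample strings blocked although they should pass."""
    return sorted(s for s, want in SAMPLES.items() if classify(s, mode) and not want)

def false_negatives(mode):
    """Sample strings passed although they should be blocked."""
    return sorted(s for s, want in SAMPLES.items() if want and not classify(s, mode))

if __name__ == "__main__":
    for mode in ("anchor", "no-anchor", "match-not"):
        print(f"{mode:10} FP={false_positives(mode)} FN={false_negatives(mode)}")
```

The anchored pattern classifies every sample correctly. Dropping the anchor blocks “www.lnk.mydomain.com” and “notes.lnk.txt”. The match-not emulation removes those false positives but silently passes “backup.lnk.old.lnk”, because the negative pattern fires on the first occurrence of the extension; that is the kind of gap worth testing for before relying on a workaround in place of a real end-of-string anchor.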

I guess I’ll email our Cisco account rep and ask him to drive the bug as was suggested by the TAC engineer. :-/

Posted August 8, 2010 by SYN Eater in ASA