
Downloadable Access List Format – VPN3k vs ASA

I’m in the middle of migrating from our VPN3k to using our ASAs to terminate the VPN connections.  Everything was going along smoothly until I noticed that I couldn’t authenticate using an account in a specific group on our ACS server.  I did a RADIUS debug and some Googling and discovered that the VPN3k uses wildcard masks in its downloadable ACLs (0.0.0.255 for a /24, as on IOS), while the ASA expects the ACLs to use standard subnet masks (255.255.255.0 for the same /24).

After a few minutes of looking through the multiple groups on the ACS server I discovered that lots of them had downloadable ACLs, and I figured I was going to have to re-write them all as I migrated those users over to the ASA.  I took a few aspirin to quell the building headache and then started doing some keyword searches and found a way around all that extra work: a lovely little command called acl-netmask-convert, which is set per RADIUS server under the aaa-server host entry on the ASA.

The default value for this command is “standard” (no conversion is performed), but after changing it to “wildcard” on the aaa-server host entry for our ACS server I was able to authenticate without issue.  I then tested the efficacy of the downloadable ACL and found it worked the same as it did with the VPN3k.
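To make the two mask notations concrete, here is an added example (not from the original post, and not Cisco code) that does in Python what `acl-netmask-convert wildcard` does on the ASA: it takes VPN3k-style downloadable ACL entries with wildcard masks and rewrites them with standard subnet masks. The sample ACL lines are constructed for this example; the ASA also offers an `auto-detect` keyword for this command, and the `classify_mask` function shows why that is not always safe: 0.0.0.0 and 255.255.255.255 are valid in both notations but mean opposite things.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _is_wildcard(mask: int) -> bool:
    """Wildcard masks (VPN3k/IOS) are zeros followed by ones, e.g. 0.0.0.255."""
    return (mask + 1) & mask == 0


def _is_netmask(mask: int) -> bool:
    """Standard netmasks (ASA) are ones followed by zeros, e.g. 255.255.255.0."""
    inverted = mask ^ ALL_ONES
    return (inverted + 1) & inverted == 0


def classify_mask(mask: str) -> str:
    """Say which notation a dotted-quad mask belongs to.

    'ambiguous' is returned for 0.0.0.0 and 255.255.255.255: as a wildcard,
    0.0.0.0 means "this one host", as a netmask it means "any address".
    """
    value = int(ipaddress.IPv4Address(mask))
    wild, std = _is_wildcard(value), _is_netmask(value)
    if wild and std:
        return "ambiguous"
    if wild:
        return "wildcard"
    if std:
        return "standard"
    return "invalid"  # non-contiguous bits, usable in neither notation


def wildcard_to_netmask(mask: str) -> str:
    """Invert a contiguous wildcard mask into the equivalent standard netmask."""
    value = int(ipaddress.IPv4Address(mask))
    if not _is_wildcard(value):
        raise ValueError(f"{mask} is not a contiguous wildcard mask")
    return str(ipaddress.IPv4Address(value ^ ALL_ONES))


def _looks_like_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:  # also catches AddressValueError, e.g. for "80" or "eq"
        return False


def convert_ace(ace: str) -> str:
    """Rewrite one access-control entry from wildcard to standard-mask form.

    'any' and 'host A.B.C.D' pass through unchanged; every 'A.B.C.D W.W.W.W'
    pair has its second element converted. Ports ('eq 443') are left alone.
    """
    tokens = ace.split()
    out = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() == "host":
            out.extend(tokens[i:i + 2])
            i += 2
            continue
        if (_looks_like_ipv4(tok) and i + 1 < len(tokens)
                and _looks_like_ipv4(tokens[i + 1])):
            out.append(tok)
            out.append(wildcard_to_netmask(tokens[i + 1]))
            i += 2
            continue
        out.append(tok)
        i += 1
    return " ".join(out)


def convert_dacl(text: str) -> list:
    """Convert a whole downloadable ACL, one ACE per line, skipping blank lines."""
    return [convert_ace(line) for line in text.splitlines() if line.strip()]


# Constructed sample of a VPN3k-style downloadable ACL (not taken from any real ACS).
CONSTRUCTED_VPN3K_DACL = """\
permit ip 10.10.20.0 0.0.0.255 any
permit tcp 172.16.0.0 0.0.255.255 host 10.1.1.5 eq 443
deny ip 10.10.20.77 0.0.0.0 192.168.100.0 0.0.0.255
"""

if __name__ == "__main__":
    for ace in convert_dacl(CONSTRUCTED_VPN3K_DACL):
        print(ace)
```

The third sample line is the one to watch: a VPN3k host entry is written `10.10.20.77 0.0.0.0`, and the same mask read as a standard netmask matches every address. A wrong conversion setting therefore does not only break authentication for masks like 0.0.0.255, which are not valid netmasks at all; for host entries it can silently turn a deny or permit for one host into one for everything, which is why checking the resulting ACL, as the post does, is worth the extra step.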

Thank you Cisco!  :0)

Posted August 20, 2010 by SYN Eater in ACS, ASA, Security, VPN