https://community.cisco.com/t5/network-security/downloadable-pix-acl/m-p/79364#M661468 <P>Dear All:</P><P>I had ACS 3.0 it's for VPN client 3.5 authentication and authorization , i can authentication</P><P>successful,But i couldn't authorization for VPN client,When i setting "downloadable PIX ACL",</P><P>as bellow is my definition</P><P>permit tcp any host 192.168.53.201 eq 23</P><P>permit tcp any host 192.168.53.201 eq 80</P><P>I would to know that config is correct or other way that can restriction VPDN clinet </P><P>only access 23 and 80 port number on 192.168.53.201 server</P><P></P><P>[PIX-Config]</P><P>ip local pool ippool 10.10.10.1-10.10.11.254</P><P>access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0</P><P>nat (inside) 0 access-list 100</P><P>aaa-server authme protocol tacacs+ </P><P>aaa-server authme (inside) host 192.168.53.100 cisco1234 timeout 10</P><P>sysopt connection permit-ipsec</P><P>no sysopt route dnat</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac </P><P>crypto dynamic-map dynmap 10 set transform-set myset</P><P>crypto map mymap 10 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap client configuration address initiate</P><P>crypto map mymap client configuration address respond</P><P>crypto map mymap client authentication authme</P><P>crypto map mymap interface outside</P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp client configuration address-pool local ippool outside</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 33600</P><P>vpngroup vpn3000 address-pool ippool</P><P>vpngroup vpn3000 dns-server 192.168.50.100</P><P>vpngroup vpn3000 wins-server 192.168.50.200</P><P>vpngroup vpn3000 default-domain abcd.com</P><P>vpngroup vpn3000 idle-time 1800</P><P>vpngroup vpn3000 password ********</P><P></P><P>Pls in advice</P> Fri, 21 Feb 2020 06:09:50 GMT emily 2020-02-21T06:09:50Z https://community.cisco.com/t5/network-security/downloadable-pix-acl/m-p/79364#M661468 <P>Dear All:</P><P>I had ACS 3.0 it's for VPN client 3.5 authentication and authorization , i can authentication</P><P>successful,But i couldn't authorization for VPN client,When i setting "downloadable PIX ACL",</P><P>as bellow is my definition</P><P>permit tcp any host 192.168.53.201 eq 23</P><P>permit tcp any host 192.168.53.201 eq 80</P><P>I would to know that config is correct or other way that can restriction VPDN clinet </P><P>only access 23 and 80 port number on 192.168.53.201 server</P><P></P><P>[PIX-Config]</P><P>ip local pool ippool 10.10.10.1-10.10.11.254</P><P>access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0</P><P>nat (inside) 0 access-list 100</P><P>aaa-server authme protocol tacacs+ </P><P>aaa-server authme (inside) host 192.168.53.100 cisco1234 timeout 10</P><P>sysopt connection permit-ipsec</P><P>no sysopt route dnat</P><P>crypto ipsec transform-set myset esp-des esp-md5-hmac </P><P>crypto dynamic-map dynmap 10 set transform-set myset</P><P>crypto map mymap 10 ipsec-isakmp dynamic dynmap</P><P>crypto map mymap client configuration address initiate</P><P>crypto map mymap client configuration address respond</P><P>crypto map mymap client authentication authme</P><P>crypto map mymap interface outside</P><P>isakmp enable outside</P><P>isakmp identity address</P><P>isakmp client configuration address-pool local ippool outside</P><P>isakmp policy 10 authentication pre-share</P><P>isakmp policy 10 encryption des</P><P>isakmp policy 10 hash md5</P><P>isakmp policy 10 group 2</P><P>isakmp policy 10 lifetime 33600</P><P>vpngroup vpn3000 address-pool ippool</P><P>vpngroup vpn3000 dns-server 192.168.50.100</P><P>vpngroup vpn3000 wins-server 192.168.50.200</P><P>vpngroup vpn3000 default-domain abcd.com</P><P>vpngroup vpn3000 idle-time 1800</P><P>vpngroup vpn3000 password ********</P><P></P><P>Pls in advice</P> Fri, 21 Feb 2020 06:09:50 GMT https://community.cisco.com/t5/network-security/downloadable-pix-acl/m-p/79364#M661468 emily 2020-02-21T06:09:50Z https://community.cisco.com/t5/network-security/downloadable-pix-acl/m-p/79365#M661481 <HTML><HEAD></HEAD><BODY><P>There's a current bug (CSCdx47975) where downloadable ACL's do not work for VPN users, only for users doing passthru authentication. The workaround is to define the ACL on the PIX, then just pass down the ACL number (rather than the whole ACL) and that ACL will be assigned to that user.</P><P></P><P>There's a sample config here:</P><P></P><P> <A class="jive-link-custom" href="http://www.cisco.com/warp/public/110/pixcryaaa52.shtml" target="_blank">http://www.cisco.com/warp/public/110/pixcryaaa52.shtml</A></P><P></P><P>Basically do the following:</P><P></P><P> access-list 150 permit tcp any host 192.168.53.201 eq 23 </P><P> access-list 150 permit tcp any host 192.168.53.201 eq 80 </P><P></P><P>on the PIX, then on the ACS server just send down the ACL number 150 and that will be applied ot the VPN user.</P><P></P></BODY></HTML> Wed, 17 Jul 2002 00:09:09 GMT https://community.cisco.com/t5/network-security/downloadable-pix-acl/m-p/79365#M661481 gfullage 2002-07-17T00:09:09Z