08-01-2008 01:40 AM - edited 03-10-2019 04:00 PM
Hello everyone
We have a setup including Cisco ACS + a VPN 3005 Concentrator and a PIX 515E (7.2.4)
We upgraded the PIX version from 7.0 to 7.2.4 and suddenly our downloadable access-list was getting refused when users authenticated against the ACS.
When debugging RADIUS on the PIX we found that entering this line in the downloadable access-list gives an error and stops the users from getting the ACL.
"deny ip any 192.168.0.0 0.0.255.255"
PIX refused to process their auth request when encountering this line.
Fine, we said, and changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0
This made the PIX process the ACL.
We were happy for a while until VPN users started to complain.
It seems that the VPN 3005 can't deal with the syntax we entered in the PIX!
The VPN 3005 doesn't seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0"!
It can only handle "deny ip any 192.168.0.0 0.0.255.255"!
Which the PIX can't handle..
I'm at a loss at what to do here..
We've got VPN users who can't surf now with these ACL problems.
What can I do? Anyone else encountered this?
We upgraded the VPN 3005 to the latest SW version.
Really need some help here guys!
Thanks
08-03-2008 12:44 AM
Well, Cisco changed the support for wildcard masks in the 7.0.4 release it seems, switching them to subnet masks instead..
Downgrading to 6.3 and then upgrading to 7.0.1 once again..
damn!
08-03-2008 06:34 PM
I don't think Cisco ever changed anything on the PIX. It uses subnet masks from day one AFAIK and the VPN Conc uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to fix this issue. This way you define a wildcard ACL on the ACS/AAA server and then use this command on the ASA to use the same downloadable ACL for both devices (PIX, VPNC).
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a2.html#wp1622944
Please Rate if helpful.
Regards
Farrukh
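A small model of the mask conversion that acl-netmask-convert performs on the ASA, added here as an example and not code from the thread or from Cisco. It parses the wildcard-form ACEs the AAA server sends, tells a subnet mask from a wildcard mask, and flags the two masks (0.0.0.0 and 255.255.255.255) that are valid in both forms and therefore cannot be auto-detected; the mode names echo the ASA command's keywords, but the detection heuristic is mine, not the ASA's.

```python
import ipaddress
import re

# Constructed sample downloadable ACL in wildcard (VPN 3005 / IOS) form,
# including the exact line from the thread that the PIX rejected.
WILDCARD_ACL = [
    "permit ip any 10.1.1.0 0.0.0.255",
    "deny ip any 192.168.0.0 0.0.255.255",
    "permit tcp any host 172.16.5.9 eq 443",
    "deny ip any any",
]

ALL_ONES = 0xFFFFFFFF
# An "address mask" pair: two dotted quads separated by a space.
PAIR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})")

def classify(mask: str) -> str:
    """'netmask' (1s then 0s, the PIX form), 'wildcard' (0s then 1s, the
    VPN 3005 form), 'ambiguous' (0.0.0.0 / 255.255.255.255 are valid in
    both forms) or 'invalid' (non-contiguous in either reading)."""
    m = int(ipaddress.IPv4Address(mask))
    inv = m ^ ALL_ONES
    netmask = inv & (inv + 1) == 0     # inverted mask is 2^k - 1
    wildcard = m & (m + 1) == 0        # mask itself is 2^k - 1
    if netmask and wildcard:
        return "ambiguous"
    return "netmask" if netmask else "wildcard" if wildcard else "invalid"

def to_netmask(mask: str) -> str:
    """Invert a wildcard mask into the subnet mask the PIX expects."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))

def convert_ace(ace: str, mode: str = "wildcard") -> str:
    """Rewrite the mask in every 'address mask' pair of one ACE.
    mode 'wildcard': the AAA server always sends wildcard masks, so invert all.
    mode 'auto-detect': invert only masks that can only be wildcards; a mask
    that is already a netmask, or is ambiguous, is left as it is.
    'any' and 'host x.x.x.x' carry no mask and pass through untouched."""
    def repl(match: re.Match) -> str:
        addr, mask = match.group(1), match.group(2)
        if mode == "wildcard" or classify(mask) == "wildcard":
            return f"{addr} {to_netmask(mask)}"
        return f"{addr} {mask}"
    return PAIR_RE.sub(repl, ace)

def convert_acl(lines: list, mode: str = "wildcard") -> list:
    """Convert a whole downloadable ACL, one ACE per entry."""
    return [convert_ace(line, mode) for line in lines]
```

Run convert_acl(WILDCARD_ACL) to see the PIX-form ACL; with mode="auto-detect" a mask that is already 255.255.0.0 is left alone, which is why a host or any mask sent as 0.0.0.0 or 255.255.255.255 needs the explicit wildcard mode.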
08-03-2008 06:51 PM
Thank you Farrukh
I wonder why the PIX removed this when I did the 7.0.1->7.2.4 software upgrade?
Now I don't have to downgrade and re-upgrade again :)
Thanks!