03-01-2005 02:36 AM - edited 03-10-2019 02:02 PM
Hello,
I have this problem: I have some users who connect to a PIX-515 (OS 6.3.4) with the Cisco VPN Client. Xauth is provided by ACS 3.1. It works well. But now I need to divide the users into 2 groups, and each group will have a different ACL for access to the inside network. I made the appropriate user and group configuration on ACS. About ACLs on the PIX I found this document (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/config/radacl.htm)
and I configured the PIX and ACS according to the part "RADIUS Specification of Local ACLs" - but it does not work. I can connect to the PIX with the VPN Client normally (authentication on ACS works well), but I have no access to the inside network - it seems like an ACL "deny ip any any" is applied, but if I type the "sh access-list" command on the PIX, I cannot see it. The other two methods mentioned in the above document (ACL by AV pairs and Downloaded ACL) work well, but unfortunately Local ACLs is the most desirable method in this case. Could someone help me with this, please? Is there anything else that must be configured? Thanks for replying.
Lukas Mecir, network specialist
Albit Technologies
03-07-2005 07:16 AM
03-14-2005 04:42 AM
Hi,
Sorry for the late answer, but I was ill... :-( Thanks for the advice. I tried to configure authentication on the PIX, but it does not work...
03-14-2005 05:28 AM
Here is some additional information:
PIX configuration: please see the attachment.
Here is an excerpt from the "debug radius" command output when I try to connect through the VPN:
pixfirewall# debug radius
(output omitted)
attribute:
type 11, length 12, content:
008209a0: 61 63 6c 3d 67 72 6f 75 70 33 | acl=group3
RADIUS_RCVD
It seems like ACS sends the right ACL name (group3) to the PIX.
Output from the show access-list command:
access-list VPN; 2 elements
access-list VPN line 1 permit ip 53.33.162.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=4)
access-list VPN line 2 permit ip 53.33.163.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=0)
access-list group3; 2 elements
access-list group3 line 1 permit ip 53.33.161.0 255.255.255.0 53.33.162.0 255.255.255.0 (hitcnt=0)
access-list group3 line 2 deny ip any any (hitcnt=0)
access-list dynacl2; 1 elements
access-list dynacl2 line 1 permit ip any host 53.33.161.1 (hitcnt=0)
It seems like the destination host (53.33.162.1) sends an echo reply, but the PIX filters it for some reason. Can anyone help? Thanks in advance.
Lukas Mecir
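The following is an added example, not code from the post above or from Cisco. It decodes the RADIUS attribute shown in the "debug radius" excerpt (type 11 is Filter-Id per RFC 2865; the "acl=<name>" value form is assumed here to be what the PIX expects, as the linked ACS document describes), parses the quoted "show access-list" output, checks that the name ACS sent actually exists on the PIX, and evaluates the group3 ACL first-match in both traffic directions. The attribute bytes and the access-list text are reconstructed from the post's output, not captured live; the evaluator only handles "ip" entries with "any", "host" or network/mask addresses and ignores ports.

```python
import ipaddress

# RADIUS attribute type for Filter-Id (RFC 2865, section 5.11).
RADIUS_FILTER_ID = 11

# Constructed from the hex dump in the debug excerpt: type 11, length 12 (2-byte
# header + 10 bytes "acl=group3"). Not captured from a live PIX.
SAMPLE_ATTRIBUTE_BYTES = bytes([RADIUS_FILTER_ID, 12]) + bytes.fromhex(
    "61 63 6c 3d 67 72 6f 75 70 33"
)

# Constructed copy of the "show access-list" output quoted in the post.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list VPN; 2 elements
access-list VPN line 1 permit ip 53.33.162.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=4)
access-list VPN line 2 permit ip 53.33.163.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=0)
access-list group3; 2 elements
access-list group3 line 1 permit ip 53.33.161.0 255.255.255.0 53.33.162.0 255.255.255.0 (hitcnt=0)
access-list group3 line 2 deny ip any any (hitcnt=0)
access-list dynacl2; 1 elements
access-list dynacl2 line 1 permit ip any host 53.33.161.1 (hitcnt=0)
"""


def parse_radius_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs.
    Each attribute is: 1-byte type, 1-byte length (covering the 2-byte header), value."""
    attrs = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def acl_names_from_filter_id(attrs):
    """Return the ACL names carried in Filter-Id attributes of the assumed form 'acl=<name>'."""
    names = []
    for atype, value in attrs:
        if atype == RADIUS_FILTER_ID:
            text = value.decode("ascii", errors="replace")
            if text.startswith("acl="):
                names.append(text[len("acl="):])
    return names


def _parse_address(tokens):
    """Consume one PIX address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (a netmask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0] + "/" + tokens[1], strict=False), tokens[2:]


def parse_show_access_list(text):
    """Parse 'show access-list' output into {name: [(action, src_net, dst_net), ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "access-list":
            continue
        name = tokens[1].rstrip(";")
        acls.setdefault(name, [])
        if len(tokens) < 4 or tokens[2] != "line":
            continue  # header line such as "access-list VPN; 2 elements"
        # tokens[4:] = ACTION PROTO SRC... DST... (hitcnt=N); drop the hit counter
        fields = [t for t in tokens[4:] if not t.startswith("(hitcnt")]
        action, proto, rest = fields[0], fields[1], fields[2:]
        if proto != "ip":
            raise ValueError("only 'ip' entries are handled: " + line)
        src, rest = _parse_address(rest)
        dst, rest = _parse_address(rest)
        acls[name].append((action, src, dst))
    return acls


def evaluate(acl, src, dst):
    """First-match evaluation; no matching entry means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def check_assignment(attribute_bytes, show_acl_text):
    """Return (names sent by RADIUS, names that do not exist on the PIX)."""
    names = acl_names_from_filter_id(parse_radius_attributes(attribute_bytes))
    acls = parse_show_access_list(show_acl_text)
    return names, [n for n in names if n not in acls]


if __name__ == "__main__":
    names, missing = check_assignment(SAMPLE_ATTRIBUTE_BYTES, SAMPLE_SHOW_ACCESS_LIST)
    acls = parse_show_access_list(SAMPLE_SHOW_ACCESS_LIST)
    print("RADIUS assigned:", names, "missing on PIX:", missing)
    print("group3 161->162:", evaluate(acls["group3"], "53.33.161.5", "53.33.162.1"))
    print("group3 162->161:", evaluate(acls["group3"], "53.33.162.1", "53.33.161.5"))
```

Run stand-alone, it confirms that the name in the Filter-Id attribute (group3) is defined on the PIX, and that group3 permits 53.33.161.0/24 toward 53.33.162.0/24 while its trailing "deny ip any any" drops anything evaluated in the opposite direction, which is the kind of check worth making before assuming the PIX is applying an ACL that "show access-list" does not display.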