ACS 3.1 and Local ACL on PIX problem

lukasmecir, Level 1

Hello,

I have this problem: I have some users who connect to a PIX-515 (OS 6.3.4) by Cisco VPN Client. Xauth is provided by ACS 3.1. It works well. But now I need to divide the users into 2 groups, and each group will have a different ACL for access to the inside network. I made the appropriate user and group configuration on ACS. About ACLs on PIX I found this document (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/config/radacl.htm)

and I configured PIX and ACS according to the part "RADIUS Specification of Local ACLs" - but it does not work. I can connect to the PIX by VPN Client normally (authentication on ACS works well), but I have no access to the inside network - it seems like an ACL "deny ip any any" is applied, but if I type the "sh access-list" cmd on the PIX, I cannot see it. The other two methods mentioned in the above document (ACL by AV pairs and Downloaded ACL) work well, but unfortunately Local ACLs is the most desirable method in this case. Could someone help me please with this? Is there anything else that must be configured? Thanks for your reply.

Lukas Mecir, network specialist

Albit Technologies

3 Replies

Hi,

sorry for the late answer, but I was ill... :-( Thanks for the advice, I tried to configure authentication on the PIX, but it does not work...

Here is some additional information:

PIX configuration: please see the attachment.

Here is an excerpt from the "debug radius" cmd output when I try to connect through VPN:

pixfirewall# debug radius
(output omitted)
attribute:
type 11, length 12, content:
008209a0: 61 63 6c 3d 67 72 6f 75 70 33 | acl=group3
RADIUS_RCVD

It seems like ACS sends the right ACL name (group3) to the PIX.

Output from the show access-list cmd:

access-list VPN; 2 elements
access-list VPN line 1 permit ip 53.33.162.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=4)
access-list VPN line 2 permit ip 53.33.163.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=0)
access-list group3; 2 elements
access-list group3 line 1 permit ip 53.33.161.0 255.255.255.0 53.33.162.0 255.255.255.0 (hitcnt=0)
access-list group3 line 2 deny ip any any (hitcnt=0)
access-list dynacl2; 1 elements
access-list dynacl2 line 1 permit ip any host 53.33.161.1 (hitcnt=0)

It seems like the destination host (53.33.162.1) sends an echo reply, but the PIX filters it for some reason. Can anyone help? Thanks in advance.

Lukas Mecir
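As an added check (example code, not part of the thread and not a Cisco tool), the following Python script decodes the Filter-Id value (RADIUS attribute 11) from the "debug radius" dump quoted above, parses the "show access-list" output into per-ACL entries, and evaluates a named ACL for a given source/destination pair with first-match semantics and the implicit deny at the end. It assumes PIX 6.x syntax (address followed by a subnet mask, not a wildcard mask, plus "any" and "host"); the sample input is abridged from the thread.

```python
import ipaddress
import re
# Constructed sample input, abridged from the "debug radius" and "show access-list" output in the thread.
DEBUG_RADIUS = """\
type 11, length 12, content:
008209a0: 61 63 6c 3d 67 72 6f 75 70 33 | acl=group3
"""
SHOW_ACL = """\
access-list VPN; 2 elements
access-list VPN line 1 permit ip 53.33.162.0 255.255.255.0 53.33.161.0 255.255.255.0 (hitcnt=4)
access-list group3 line 1 permit ip 53.33.161.0 255.255.255.0 53.33.162.0 255.255.255.0 (hitcnt=0)
access-list group3 line 2 deny ip any any (hitcnt=0)
access-list dynacl2 line 1 permit ip any host 53.33.161.1 (hitcnt=0)
"""

def filter_id_acl(debug_text):
    """Decode RADIUS attribute 11 (Filter-Id) from its hex bytes and return the ACL name after 'acl='."""
    m = re.search(r"type 11, length \d+, content:\n[0-9a-f]+:((?: [0-9a-f]{2})+) \|", debug_text)
    if not m:
        return None
    value = bytes.fromhex(m.group(1).replace(" ", "")).decode("ascii")
    return value[4:] if value.startswith("acl=") else None

def _addr(tokens):
    """Consume one PIX address spec (any | host A | A MASK); PIX 6.x uses subnet masks, not wildcards."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_access_lists(show_text):
    """Map ACL name -> ordered (action, src_net, dst_net) entries parsed from 'show access-list'."""
    acls = {}
    for line in show_text.splitlines():
        m = re.match(r"access-list (\S+) line \d+ (permit|deny) \S+ (.*?) \(hitcnt=\d+\)", line)
        if m:  # summary lines such as 'access-list VPN; 2 elements' are skipped
            name, action, rest = m.groups()
            src, rest = _addr(rest.split())
            dst, _ = _addr(rest)
            acls.setdefault(name, []).append((action, src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation of a parsed ACL, ending in the PIX implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"
```

Calling evaluate on the group3 entries with an assumed client address such as 53.33.161.10 and the inside host 53.33.162.1 in both directions shows which direction each pasted ACL line covers, which is a quicker check than reading hit counters alone.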