
Cisco ACS 4 and ASA downloadable ACL

alkabeer80
Level 1

Hi, I have Cisco ACS 4.2 authenticating through AD, and Cisco ASA 5540 SSL VPN using AnyConnect is configured and working. I have configured a group in AD so that users in this group can access specific resources, and the database mapping is also working. I am trying to configure another group with a different set of ACLs and map it to another group in AD. Whenever I connect using the new group I get the error below:

Apr 22 2013 14:56:25 FW: %ASA-3-109032: Unable to install ACL 'AAA-user-usera-49ABDB07', downloaded for user usera; Error in ACE: 'permit ip any 10.10.0.0 255.255.0.0 ip:inacl#500=deny ip any any'

Apr 22 2013 14:56:25 FW: %ASA-6-716051: Group <AnyConnectSSLVPN> User <usera> IP <1.1.1.1> Error adding dynamic ACL for user.

Apr 22 2013 14:56:25 FW: %ASA-6-716009: Group <AnyConnectSSLVPN> User <usera> IP <1.1.1.1> WebVPN session not allowed. ACL parse error.

Apr 22 2013 14:56:25 FW: %ASA-6-716002: Group <AnyConnectSSLVPN> User <usera> IP <1.1.1.1> WebVPN session terminated: ACL Parse Error.

The ACL in ACS is: permit ip any host 2.2.2.2

Please help with this.
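As an added illustration, not code from the thread or from Cisco: a small Python check over the %ASA-3-109032 line quoted above. It extracts the ACL name, user and failing ACE, then flags the case visible in that log, where the ACE text carries a second `ip:inacl#N=` attribute token, meaning the ASA received two entries run together as one ACE. The sample line is constructed from the post with its sanitized addresses; the attribute format `ip:inacl#<n>=` is the standard RADIUS cisco-av-pair form for downloadable ACL entries.

```python
import re

# Constructed sample: the ASA syslog line quoted in the post (addresses as sanitized there).
SAMPLE_LOG = (
    "Apr 22 2013 14:56:25 FW: %ASA-3-109032: Unable to install ACL "
    "'AAA-user-usera-49ABDB07', downloaded for user usera; Error in ACE: "
    "'permit ip any 10.10.0.0 255.255.0.0 ip:inacl#500=deny ip any any'"
)

# Fields of a %ASA-3-109032 message: ACL name, user name, and the ACE that failed to parse.
LOG_RE = re.compile(
    r"%ASA-3-109032: Unable to install ACL '(?P<acl>[^']+)', "
    r"downloaded for user (?P<user>\S+); Error in ACE: '(?P<ace>[^']*)'"
)

# RADIUS cisco-av-pair prefix for one downloadable ACL entry: ip:inacl#<n>=<ace>.
# Finding this token inside the ACE text means a second entry was glued onto the first.
AVPAIR_RE = re.compile(r"ip:inacl#\d+=")


def parse_109032(line):
    """Return {'acl', 'user', 'ace'} for a %ASA-3-109032 message, or None for other lines."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def split_embedded_aces(ace_text):
    """Split the reported ACE on embedded ip:inacl#N= tokens and return the individual entries."""
    parts = AVPAIR_RE.split(ace_text)
    return [p.strip() for p in parts if p.strip()]


def diagnose(line):
    """Parse a 109032 line and report whether the failing ACE is really two entries concatenated.

    Returns the parsed fields plus 'aces' (the separated entries) and 'concatenated' (bool),
    or None if the line is not a 109032 message.
    """
    rec = parse_109032(line)
    if rec is None:
        return None
    aces = split_embedded_aces(rec["ace"])
    rec["aces"] = aces
    rec["concatenated"] = len(aces) > 1
    return rec


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against a syslog feed, a `concatenated` result points at the dACL definition on the ACS side rather than at the ASA, since the ASA is reporting the text exactly as it received it.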

3 Replies

Amjad Abdullah
VIP Alumni

Hi,

If the ACL mentions IP 2.2.2.2, why do we see IP 1.1.1.1 in the logs?

Those logs are on the ASA, right?

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

These are not the real logs:

1.1.1.1 is the public IP address from outside; 2.2.2.2 is the internal server.

"Error in ACE:"

Are you using ACE?

Do you have the same dACL configured under the other group that is working?

There is probably a missing point. If the ACS sends an Access-Accept, then things should be fine.

Just make sure there is no missing piece of config under ACS. If things are fine, you probably need to move your thread to the ASA/VPN sub-forums. They can probably help you better with this issue.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"