cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2172
Views
0
Helpful
3
Replies

cisco-av-pair

lbubblel
Level 1
Level 1

Hi all,

i'm trying to configure ACS Radius and a Pix to work as Proxy Cut-Through.

i wanna set up some acl to have a certain type of traffic for some users and another one for some others.

I tried by downloadable acl but it doesn't work (could it be caused from a bug on IOS?), now i'm tring to set up cisco-av-pair and i have another problem...

if i write

ip:inacl#1=permit tcp any any

ip:inacl#2=permit udp any any

ip:inacl#3=permit ip any any

ip:inacl#4=permit icmp any any

ip:inacl#5=deny tcp any any

it works fine... but if i configure with this one

ip:inacl#1=permit tcp any any eq 20

ip:inacl#2=permit udp any any eq 20

ip:inacl#3=permit ip any any eq 20

ip:inacl#5=permit tcp any any eq 21

ip:inacl#6=permit udp any any eq 21

ip:inacl#7=permit ip any any eq 21

ip:inacl#8=permit tcp any any eq 80

ip:inacl#9=permit ip any any eq 80

ip:inacl#101=deny tcp any any

ip:inacl#102=deny ip any any

ip:inacl#103=deny udp any any

the pix denies everything.

which is the mistake?

thanks in advaces.

3 Replies 3

darpotter
Level 5
Level 5

Note sure about the ACL problem... but I should point out that Downloadable ACLs were originally called "PIX Downloadable ACLs" and were written for the PIX!!

(one of my bits in ACS)

So do go back to the TAC to get this resolved as DACLs *should* work. There was a vulnerability we fixed that would require updates to the PIX OS to include some additional attributes in the DACL exchanges - could be that causing the problem.

Darran

premdeep.banga
Level 1
Level 1

Try...

ip:inacl#101=permit tcp any any eq 20

ip:inacl#102=permit udp any any eq 20

ip:inacl#103=permit ip any any eq 20

ip:inacl#104=permit tcp any any eq 21

ip:inacl#105=permit udp any any eq 21

ip:inacl#106=permit ip any any eq 21

ip:inacl#107=permit tcp any any eq 80

ip:inacl#108=permit ip any any eq 80

ip:inacl#109=deny tcp any any

ip:inacl#110=deny ip any any

ip:inacl#111=deny udp any any

guruprasad_2000
Level 1
Level 1

Hi,

Regarding the downloadable ACL,check that the ACL is asscoiated with the User/Group.

Regarding the AV pair,check that the PIX is receiving the ACL what you hav specified above

regards

sam