Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
4
Helpful
7
Replies

Cisco ise DACL for vpn connexion

Go to solution
MED Amine MB
Beginner
Beginner

‎05-15-2023 04:15 AM

Hello ,

I m trying to configure DACL on ise to allow vpn traffic to specific destinations. 

But after i configure them i get the auth logs as passed and authorized but on my machine it asks me to reconnect again and again. 

 

Can any one help me please. 

 

  • Regards, 
1 Accepted Solution

Accepted Solutions

Go to solution
MED Amine MB
Beginner
Beginner
In response to MED Amine MB

‎05-17-2023 06:09 AM - edited ‎05-17-2023 06:09 AM

Hello ,

 

i changed the syntax and it worked , the problem is i was using wildcad mask and all i had to do is to use regular mask .

 

regards ,

 

View solution in original post

7 Replies 7

Go to solution
ahollifield
VIP Collaborator VIP Collaborator
VIP Collaborator

‎05-15-2023 05:34 AM

Need some more detail here.  What is the NAD?  What version of ISE?  Is the dACL being applied?  

See: https://community.cisco.com/t5/security-knowledge-base/how-to-ask-the-community-for-help/ta-p/3704356

0 Helpful

Go to solution
MED Amine MB
Beginner
Beginner
In response to ahollifield

‎05-15-2023 08:13 AM

hello ,

My topology is like so :

users will connect to vpn configured on my FTD 

FTD then will send RADIUS requests to ISE

On the ISE i have two rules with itch have one groupe user from AD

and on those rules i want to permit access to certain destination and it doesn't seems to work as i see the logs everything is fine but the users still doesn't connect .

 

regards , 

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor
In response to MED Amine MB

‎05-15-2023 08:16 AM

config the VPN-filter under each group 
the ISE will only return the group of anyconnect and it will by default use the VPN-filter you use under that group 
no need dACL in this case

0 Helpful

Go to solution
MED Amine MB
Beginner
Beginner
In response to MHM Cisco World

‎05-15-2023 08:26 AM - edited ‎05-15-2023 08:28 AM

hello ,

 

accually my FTD is messed-up that's why i 'am using ISE for authentication i can't perform any filter or new configuration on it and the last solution i fund is to use DACL .

i used simple syntaxe like :

permit ip any X.X.X.X 0.0.255.255

permit ip any Y.Y.Y.Y 0.0.255.255

deny any any 

 

regards , 

Go to solution
ahollifield
VIP Collaborator VIP Collaborator
VIP Collaborator
In response to MED Amine MB

‎05-15-2023 08:43 AM

What do you mean you can’t perform any configuration changes? This is going to be impossible to troubleshoot/implement if you don’t have admin access to the FTD. IMHO, that issue needs to be fixed first.
0 Helpful

Go to solution
MED Amine MB
Beginner
Beginner
In response to MED Amine MB

‎05-17-2023 06:09 AM - edited ‎05-17-2023 06:09 AM

Hello ,

 

i changed the syntax and it worked , the problem is i was using wildcad mask and all i had to do is to use regular mask .

 

regards ,

 

Go to solution
MHM Cisco World
VIP Mentor VIP Mentor
VIP Mentor

‎05-15-2023 06:46 AM

can I see the config of ASA/FPR?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents