Downloadable ACL restrictions

d_jabsd
Level 1

We are using M$ IAS for VPN authentication and are trying to get our ACLs tightened up a bit.

Is it possible to restrict access to specific ports in downloadable ACLs?

For testing purposes, I am trying to limit traffic to just dns queries.

As you can see from the ACL, if I try to limit by port, the rule is bypassed.

Here are the two lists I have tried so far:

access-list VPNlevel4 line 1 permit udp VPN-USER-NET 255.255.255.0 host ADC02 eq domain (hitcnt=0)
access-list VPNlevel4 line 2 permit udp VPN-USER-NET 255.255.255.0 host ADC03 eq domain (hitcnt=0)
access-list VPNlevel4 line 3 permit udp VPN-USER-NET 255.255.255.0 host NS01 eq domain (hitcnt=0)
access-list VPNlevel4 line 4 permit udp VPN-USER-NET 255.255.255.0 host NS02 eq domain (hitcnt=0)
access-list VPNlevel4 line 5 permit ip VPN-USER-NET 255.255.255.0 host ADC02 (hitcnt=2)

access-list VPNlevel4 line 1 permit udp VPN-USER-NET 255.255.255.0 host ADC02 eq domain (hitcnt=0)
access-list VPNlevel4 line 2 permit udp VPN-USER-NET 255.255.255.0 host ADC03 eq domain (hitcnt=0)
access-list VPNlevel4 line 3 permit udp VPN-USER-NET 255.255.255.0 host NS01 eq domain (hitcnt=0)
access-list VPNlevel4 line 4 permit udp VPN-USER-NET 255.255.255.0 host NS02 eq domain (hitcnt=0)
access-list VPNlevel4 line 5 permit udp VPN-USER-NET 255.255.255.0 any eq domain (hitcnt=0)
access-list VPNlevel4 line 6 permit udp VPN-USER-NET 255.255.255.0 any (hitcnt=9)

Is what I'm trying to do possible?

Thank you in advance for your help.

.daniel.schrock

2 Replies

mhoda
Level 5

Hi,

I know this is possible with the Cisco Secure ACS on Windows/Appliance, not sure if you can define ACL on the Microsoft IAS Radius Server. If you can, then, it is possible. No restrictions on Cisco devices.

Thanks,

Mynul

IAS is setting the correct acl. This is defined by giving the Cisco-AV-Pair attribute the value of acl= in the Remote Access Policy.

This is working fine but the current acls consist of 'permit ip VPN-USER-NET 255.255.255.0 any', which is far from ideal.

Does anyone have any idea why rules that are restricted to specific ports aren't working? I would like to completely lock down the VPN access-lists as we have different groups of users that should have different levels of access.
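An added example, not from this thread or from Cisco: a small first-match evaluator over the poster's first list, using constructed addresses (assumed, not the real ones) in place of the object names VPN-USER-NET, ADC02, ADC03, NS01 and NS02. It shows that a flow only lands on a line's hit counter when protocol, source, destination and port all match, and that anything else falls through to the next line or to the implicit deny.

```python
import ipaddress
import re
# Constructed addresses for the object names in the poster's ACL (assumed, not the real ones).
NAMES = {"VPN-USER-NET": "10.99.0.0", "ADC02": "10.1.0.2", "ADC03": "10.1.0.3",
         "NS01": "10.1.0.11", "NS02": "10.1.0.12"}
PORT_NAMES = {"domain": 53}
PROTO_NUM = {"ip": None, "udp": 17, "tcp": 6}  # 'ip' matches any protocol

# The first list from the post; the trailing (hitcnt=N) is the firewall's counter and is ignored.
ACL_TEXT = """\
access-list VPNlevel4 line 1 permit udp VPN-USER-NET 255.255.255.0 host ADC02 eq domain (hitcnt=0)
access-list VPNlevel4 line 2 permit udp VPN-USER-NET 255.255.255.0 host ADC03 eq domain (hitcnt=0)
access-list VPNlevel4 line 3 permit udp VPN-USER-NET 255.255.255.0 host NS01 eq domain (hitcnt=0)
access-list VPNlevel4 line 4 permit udp VPN-USER-NET 255.255.255.0 host NS02 eq domain (hitcnt=0)
access-list VPNlevel4 line 5 permit ip VPN-USER-NET 255.255.255.0 host ADC02 (hitcnt=2)
"""

def _addr_spec(tokens):
    """Consume one address spec: 'any' | 'host X' | 'X MASK'. Returns (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(NAMES.get(tokens[1], tokens[1])), tokens[2:]
    return ipaddress.ip_network(f"{NAMES.get(tokens[0], tokens[0])}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME line N permit|deny PROTO SRC DST [eq PORT]' lines into entries."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r"access-list \S+ line (\d+) (permit|deny) (\S+) (.*?)(?: \(hitcnt=\d+\))?$", raw.strip())
        if not m:
            continue
        rest = m.group(4).split()
        src, rest = _addr_spec(rest)
        dst, rest = _addr_spec(rest)
        dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        entries.append({"line": int(m.group(1)), "action": m.group(2),
                        "proto": PROTO_NUM[m.group(3)], "src": src, "dst": dst, "dport": dport})
    return entries

def first_match(acl, proto, src, dst, dport=None):
    """First-match evaluation: returns (action, line), or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in acl:
        # Every field of the entry must match; a wildcard ('ip', no 'eq') is stored as None.
        if (e["proto"] not in (None, PROTO_NUM[proto]) or s not in e["src"]
                or d not in e["dst"] or e["dport"] not in (None, dport)):
            continue
        return e["action"], e["line"]
    return "deny", None
```

Running the protocol/port tuples seen in a capture through `first_match` tells you which line each flow actually lands on, so a counter on the broad `permit ip` line can be traced back to traffic that the narrower `udp ... eq domain` lines did not describe.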