11-17-2004 09:39 AM - edited 02-21-2020 10:11 AM
Good day all,
I am just working on a test project using a PIX 535 and a Cisco ACS (we are using RADIUS) and I need to find out in which order the PIX ACLs get applied.
On the PIX we have a basic set of rules (https, ssh); then the user gets authenticated and they get more rules (https, ssh, pop3, imap, im). This works out great, but now we have run into a problem: can you use the ACS ACL rules to take away rights from the default inside rules on the PIX?
Basically I am curious in what order the PIX parses the ACLs (ACS ACL then PIX ACL, PIX ACL then ACS ACL, or none of the above).
any links on more information concerning this would be great.
Thanks for any information,
Brian
11-18-2004 07:37 AM
I've done some testing with ACLs applied by a Radius server on a PIX 525 running 6.3.3.
In my particular case, the user is a remote VPN connection. I have ACLs applied on the outside interface, and then in RADIUS I applied the specific user against another ACL.
The ACL on the outside interface is applied first. The downloadable ACL can't add services that aren't listed on the other ACL; however, it can deny and remove services.
You might be using your ACLs in a different way than I am, though. I'm using a third-party RADIUS server and making use of the extended ACLs via the Filter-Id attribute.
Cheers,
-Joshua
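The ordering Joshua describes (interface ACL first, then the per-user ACL downloaded via Filter-Id, which can therefore only narrow access) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it parses a small subset of PIX 6.x access-list syntax (permit/deny, tcp/udp/ip, any / host / network-plus-mask, optional `eq` port) and applies the two ACLs in the observed order. The ACL names `outside_in` and `brian`, the addresses, and the packets are constructed for illustration; verify the behaviour on your own PIX, because this is a model of the observation, not of the PIX source.

```python
"""Model of the two-stage ACL check described in the thread (added example).
Assumption: a packet is forwarded only if the interface ACL permits it AND,
for an authenticated user with a downloaded ACL, that per-user ACL permits
it too. Only a small subset of PIX access-list syntax is parsed."""
import ipaddress
from typing import List, Optional

# Service names accepted after "eq"; a numeric port is accepted as well.
PORTS = {"https": 443, "ssh": 22, "pop3": 110, "imap": 143, "www": 80}


class Rule:
    def __init__(self, action: str, proto: str, src, dst, dport: Optional[int]):
        self.action, self.proto, self.src, self.dst, self.dport = action, proto, src, dst, dport


def _parse_addr(tokens: List[str]):
    """Consume one PIX-style address spec and return (network, remaining tokens).
    PIX uses a real subnet mask (10.0.0.0 255.255.255.0), not an IOS wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse lines of the form:
    access-list NAME permit|deny PROTO SRC DST [eq PORT]"""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            raise ValueError(f"unsupported access-list line: {line!r}")
        action, proto = tok[2], tok[3]            # tok[1] is the ACL name
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        src, rest = _parse_addr(tok[4:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest:
            if rest[0] != "eq" or len(rest) != 2:
                raise ValueError(f"only 'eq PORT' is supported: {line!r}")
            dport = int(rest[1]) if rest[1].isdigit() else PORTS[rest[1]]
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in rule.src:
        return False
    if ipaddress.ip_address(dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    for r in rules:
        if matches(r, proto, src, dst, dport):
            return r.action == "permit"
    return False


def permitted(interface_acl, user_acl, proto, src, dst, dport) -> bool:
    """Interface ACL is consulted first; the downloaded per-user ACL is only
    consulted for traffic the interface ACL already let through, so it can
    remove services but never add ones the interface ACL lacks."""
    if not evaluate(interface_acl, proto, src, dst, dport):
        return False
    if user_acl is None:          # no authentication / no Filter-Id for this user
        return True
    return evaluate(user_acl, proto, src, dst, dport)


# Constructed sample: interface ACL allows only https and ssh into 10.0.0.0/24.
INTERFACE_ACL = parse_acl([
    "access-list outside_in permit tcp any 10.0.0.0 255.255.255.0 eq https",
    "access-list outside_in permit tcp any 10.0.0.0 255.255.255.0 eq ssh",
])
# Constructed per-user ACL (as if returned via Filter-Id): tries to REMOVE ssh
# and to ADD pop3/imap. Under this model only the removal has any effect.
USER_ACL = parse_acl([
    "access-list brian deny tcp any any eq ssh",
    "access-list brian permit tcp any any eq https",
    "access-list brian permit tcp any any eq pop3",
    "access-list brian permit tcp any any eq imap",
])


def check(dport: int, user_acl=USER_ACL) -> bool:
    """Decision for one constructed inbound TCP packet from 198.51.100.7 to 10.0.0.25."""
    return permitted(INTERFACE_ACL, user_acl, "tcp", "198.51.100.7", "10.0.0.25", dport)


if __name__ == "__main__":
    for name in ("https", "ssh", "pop3", "imap"):
        print(f"{name:5} -> {'permit' if check(PORTS[name]) else 'deny'}")
```

Running it shows https permitted, ssh denied (the per-user ACL removed it), and pop3/imap denied even though the per-user ACL permits them, because the interface ACL never let them through. To actually grant pop3/imap after authentication, the interface ACL itself would have to list those services.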
11-17-2004 10:51 AM
Hi Brian,
What I can think of is that the ACS ACL will be on the top of the list, followed by the PIX ACL. This will deny the protocols and ports for the particular user/group and then act upon whatever is configured on the PIX. This sounds logical.
You can test this practically and let us know.
All the best ..
11-18-2004 08:14 AM
Thanks for the reply,
After further testing, that is what I discovered as well. Now here is the kicker: is that documented anywhere on Cisco's site? I have combed over everything I could get my hands on (I am registered with CCO, so I can see non-public items as well) and did not see any mention of this "functionality".
Thanks again,
Brian
11-18-2004 10:20 AM
Actually, I never found much information on the CCO site about the downloadable ACLs either. In my particular case, I found what I needed from this site, because I don't use Cisco ACS:
http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html
Cheers,
-Joshua
11-22-2004 02:03 PM
Hey Brian,
I also am having the same issue. In answer to your question, I have never seen any information on the way this is processed. To me this seems like a useless feature unless you are requiring authentication on all traffic. It makes no sense at all. Not that I can help, but at least I can say you aren't the only one :)
Tony