PIX and ACS Downloadable ACL Question

bmorgan
Level 1

Good day all,

I am just working on a test project using a PIX 535 and a Cisco ACS (we are using RADIUS) and I need to find out in which order the PIX ACLs get applied.

On the PIX we have a basic set of rules (https, ssh), then the user gets authenticated and they get more rules (https, ssh, pop3, imap, im). This works out great, but now we have run into a problem: can you use the ACS ACL rules to take away rights from the default inside rules on the PIX?

Basically I am curious in what order the PIX parses the ACLs (ACS ACL then PIX ACL, PIX ACL then ACS ACL, or none of the above).

Any links to more information concerning this would be great.

Thanks for any information,

Brian

5 Replies

sachinraja
Level 9

Hi Brian,

What I can think of is that the ACS ACL will be on the top of the list, followed by the PIX ACL. This will deny the protocols and ports for the particular user/group and then act upon whatever is configured on the PIX. This sounds logical.

You can test this practically and let us know.

All the best.

dro
Level 1
(Accepted Solution)

I've done some testing with ACLs applied by a RADIUS server on a PIX 525 running 6.3.3.

In my particular case, the user is a remote VPN connection. I have ACLs applied on the outside interface, and then in RADIUS I applied the specific user against another ACL.

The ACL on the outside interface is applied first. The downloadable ACL can't add services that aren't listed on the other ACL; however, it can deny and remove services.

You might be using your ACLs in a different way than I am though. I'm using a third-party RADIUS server and making use of the extended ACLs via the Filter-Id attribute.

Cheers,

-Joshua
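The ordering Joshua reports above answers Brian's original question (can the downloadable ACL take rights away from the default PIX rules?), and the consequence is easiest to see in a small model. The following Python is an added illustration written for this page; it is not code from the thread and not Cisco's implementation. It encodes only the observed behaviour: the interface ACL is evaluated first, and the RADIUS-delivered ACL can deny a service the interface ACL permits but cannot permit one the interface ACL already dropped. The ACL syntax is a simplified subset of extended ACL lines, and the addresses, rules and service table are constructed for the example.

```python
"""Model of how an interface ACL and a per-user downloadable ACL combine.

Added illustration (not code from the thread or from Cisco) of the ordering
reported on PIX 6.3: interface ACL first, downloadable ACL can only narrow.
ACL syntax is a simplified subset; addresses and rules are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple


class Ace:
    """One access-control entry: action, protocol, source, destination, port."""

    def __init__(self, action: str, proto: str, src, dst, port: Optional[int]):
        self.action, self.proto, self.src, self.dst, self.port = action, proto, src, dst, port

    def matches(self, proto: str, src: str, dst: str, port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:       # "ip" matches any protocol
            return False
        if self.src is not None and self.src != ipaddress.ip_address(src):
            return False
        if self.dst is not None and self.dst != ipaddress.ip_address(dst):
            return False
        if self.port is not None and self.port != port:      # None matches any port
            return False
        return True


def _parse_endpoint(tok: List[str], i: int) -> Tuple[Optional[ipaddress.IPv4Address], int]:
    """'any' -> wildcard (None); 'host A' -> that single address."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_address(tok[i + 1]), i + 2
    raise ValueError(f"unsupported endpoint: {tok[i]}")


def parse_acl(text: str) -> List[Ace]:
    """Parse lines of the form
         permit|deny <tcp|udp|ip> <any|host A> <any|host B> [eq <port>]
    Blank lines and '!' comment lines are skipped."""
    acl = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        action, proto = tok[0], tok[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        src, i = _parse_endpoint(tok, 2)
        dst, i = _parse_endpoint(tok, i)
        port = None
        if i < len(tok):
            if tok[i] != "eq" or i + 1 >= len(tok):
                raise ValueError(f"unsupported suffix in: {line}")
            port = int(tok[i + 1])
        acl.append(Ace(action, proto, src, dst, port))
    return acl


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, port: int) -> bool:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, port):
            return ace.action == "permit"
    return False


def permitted(interface_acl, user_acl, proto, src, dst, port) -> bool:
    """Interface ACL first. The downloadable ACL is consulted only if that
    permits, so it can remove a service but never add one (observed behaviour)."""
    if not evaluate(interface_acl, proto, src, dst, port):
        return False
    return evaluate(user_acl, proto, src, dst, port)


# Constructed sample policy; the services are the ones named in the question.
SERVICES = {"https": ("tcp", 443), "ssh": ("tcp", 22), "pop3": ("tcp", 110),
            "imap": ("tcp", 143), "smtp": ("tcp", 25)}
MAIL_SERVER = "10.0.0.5"    # constructed address
CLIENT = "192.168.1.20"     # constructed address

INTERFACE_ACL = parse_acl("""
! what any client may reach through the interface (constructed)
permit tcp any host 10.0.0.5 eq 443
permit tcp any host 10.0.0.5 eq 22
permit tcp any host 10.0.0.5 eq 110
permit tcp any host 10.0.0.5 eq 143
""")

USER_ACL = parse_acl("""
! downloaded for one user: tries to remove pop3 and add smtp (constructed)
deny   tcp any host 10.0.0.5 eq 110
permit tcp any host 10.0.0.5 eq 443
permit tcp any host 10.0.0.5 eq 22
permit tcp any host 10.0.0.5 eq 143
permit tcp any host 10.0.0.5 eq 25
""")


def effective_services(interface_acl, user_acl, src=CLIENT, dst=MAIL_SERVER) -> List[str]:
    """Names of the services the combined policy actually lets through."""
    return sorted(name for name, (proto, port) in SERVICES.items()
                  if permitted(interface_acl, user_acl, proto, src, dst, port))


if __name__ == "__main__":
    print("effective services:", effective_services(INTERFACE_ACL, USER_ACL))
```

Running it lists https, imap and ssh: pop3 is gone because the per-user ACL denies it, and smtp never appears because the interface ACL never permitted it, which is exactly the "deny and remove, but not add" outcome reported above. The same `effective_services` check is a convenient way to verify, before a change ships, that a downloadable ACL produces the access you expect instead of discovering it by trial.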

Thanks for the reply,

After further testing that is what I discovered as well. Now here is the kicker: is that documented anywhere on Cisco's site? I have combed over everything I could get my hands on (I am registered with CCO so I can see non-public items as well) and did not see any mention of this "functionality".

Thanks again,

Brian

Actually, I never found much information on the CCO site about the downloadable ACLs either. In my particular case, I found what I needed from this site, because I don't use Cisco ACS:

http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html

Cheers,

-Joshua

Hey Brian,

I also am having the same issue. In answer to your question I have never seen any information on the way this is processed. To me this seems like a useless feature unless you are requiring authentication on all traffic. It makes no sense at all. Not that I can help but at least I can say you aren't the only one :)

Tony