04-09-2009 01:19 AM - edited 03-10-2019 04:25 PM
I'm currently able to log on to my internal network 192.168.4.0/24 but not able to get my incoming ACS downloadable ACL working. Combination:
PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5.
This is my list:
permit ip host 192.168.4.200 any (where any can be 192.168.5.1 - 10)
deny ip any any
I'm still able to ping other machines in subnet 4 from source address 192.168.5.1
I've already checked this link:
but in my config there is no statement:
sysopt ipsec pl-compatible
The only system option that I use is:
sysopt connection permit-ipsec
Does anyone have an idea?
Regards, Peter
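Added example, not part of the thread: a small first-match evaluator for the two-line list in the post (helper names are hypothetical, the flows below are constructed from the addresses Peter gives), to show what that list matches when it is actually enforced against a given source and destination.

```python
import ipaddress

# The two-line downloadable ACL from the post, in PIX extended-ACL syntax.
ACL = [
    "permit ip host 192.168.4.200 any",
    "deny ip any any",
]


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'
    (PIX access-lists take a normal subnet mask, not an IOS wildcard)."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{kw}/{mask}", strict=False)


def parse_ace(line):
    """Return (action, protocol, src_net, dst_net) for one access-control entry."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    rest = tokens[2:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    return action, proto, src, dst


def evaluate(acl, src_ip, dst_ip, proto="ip"):
    """First matching entry wins; every PIX ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, p, src_net, dst_net = parse_ace(line)
        if p not in ("ip", proto):  # 'ip' entries match any protocol
            continue
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny at the end of the list


def check_posted_flows():
    """Constructed flows: the permitted host reaching subnet 5, and the ping
    from 192.168.5.1 into subnet 4 that the post says still gets through."""
    return {
        "192.168.4.200 -> 192.168.5.3": evaluate(ACL, "192.168.4.200", "192.168.5.3"),
        "192.168.5.1 -> 192.168.4.10 icmp": evaluate(ACL, "192.168.5.1", "192.168.4.10", "icmp"),
    }
```

Evaluated as written, the ping from 192.168.5.1 into subnet 4 matches neither address pair of the permit entry and falls through to the deny, so if it still succeeds the downloadable list is not being applied to that flow at all.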
04-15-2009 05:08 AM
The Downloadable IP Access Control List (ACL) feature found in Cisco Secure Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may allow an unauthorized user to gain network access through a Remote Access Server or Network Access Server (RAS/NAS).
This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version 6.3(5), PIX/ASA 7.0(2), Cisco IOS® Software Version 12.3(8)T4 and VPN 3000 versions 4.0.5.B and 4.1.5.B. If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected.
04-17-2009 12:15 AM
Hi,
I don't understand your reaction as I'm currently running PIX605E 6.3(5) and ACS 4.1(1) Build 23 Patch 5.
Can you please explain?
Regards, Peter