07-07-2014 09:27 AM - edited 03-10-2019 09:51 PM
Is it possible to have IKEv1 site-to-site VPNs with Cisco ASA 8.4(3) using external policies from an ACS 5.2?
I currently have many site-to-site VPNs with internal group policies and different sets of firewalls with the same rules, so changing one set of firewalls forces me to change all the others, making this a time-consuming effort. So I wanted to see if all the sets could grab the same policy from the ACS as an external group policy.
I have done this with remote access VPNs, but never with site-to-site VPNs, so I am not sure if this is possible.
Also, if there is a guide to make this work, that would be awesome.
Thanks in advance.
07-10-2014 06:53 AM
Hi,
Yes, then check the guide below, which will probably help you.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_setup.html
07-15-2014 07:27 AM
Thanks a lot, I will read the document and try the configuration.
Quick question, we normally use a lot of object-groups in our configurations in the group-profiles.
Is it possible to use the same object-groups in the ACS? Via downloadable ACLs?
Or is that just not possible, and I will have to create individual access-lists in the ACS to cover everything? I'll go and read the document, as the answer might be in there, but I wanted to check in here as well.
Thanks a lot for the help.
07-15-2014 08:18 AM
Daniel,
You may use this.
object-group network ObjectGroup
 network-object <ip-address> <subnet-mask>
On the ACS server > go to Cisco AV pairs and define the ACL like this:
ip:inacl#=permit ip any object-group ObjectGroup
You may see the same attribute coming down to the ASA in "debug radius".
Hope this helps.
Regards,
Jatin Katyal
**Do rate helpful posts**
07-15-2014 08:24 AM
Awesome, thanks a lot.
I guess then I can use service object-groups in the same way, right?
object-group network ObjectGroup
 network-object <ip-address> <subnet-mask>
object-group service ServiceOB tcp
 port-object eq 80
And have something like
ip:inacl#=permit ip any object-group ObjectGroup object-group ServiceOB
07-15-2014 08:52 AM
The correct format should be
ip:inacl#=permit tcp any object-group network ObjectGroup object-group service ServiceOB
Please test this and report back.
Regards,
Jatin Katyal
**Do rate helpful posts**
07-15-2014 11:06 AM
I have another question I am not finding in the documentation.
I have created an Authorization Profile in ACS 5.2.
I have put the RADIUS Class attribute with the name of the external group policy.
Some of these group policies have 10 or more ACEs in them. Do I need to define every single cisco-av-pair with the corresponding ACE? I do see an option in the Authorization Profile to put a downloadable ACL; I am not sure if this would work the same or if I have to stick with the cisco AV-pair instead.
Thanks again for all the help.
07-16-2014 05:28 PM
After some testing, this does not seem to be working as I expected.
I am able to authenticate against the ACS; shortly after, it looks like an ACL is generated by the ACS and pushed down to the ASA. It looks like the generated ACL is the username. Then a bunch of cisco av-pairs are pushed down.
User-Name=#ACSACL#-IP-TESTVPN-ACL-53c59c48
Class=CACS:fen-rad-01/133654809/294385
cisco-av-pair=ip:inacl#1=permit tcp host 192.168.151.10 eq 1433 host 10.1.1.1
But first, I am not able to locate that ACL anywhere in the ASA, and I am not sure where this is being applied.
What I am really looking for with the group-policy is the vpn-filter capability, which I found I can control with the Filter-ID in the ACS; if I put the ACL in the ASA at the filter-id, then it gets pushed down successfully.
So my question would be: is there a way to use a Downloadable ACL in the Filter-ID field with object-groups defined locally in the ASA? Or is it simply not possible? I saw there is a Dynamic type of Filter-Id, but I was not able to grab anything meaningful there for this.
Thanks in advance.
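As an added example (not from this thread or from Cisco), a small Python checker that reassembles the ip:inacl# cisco-av-pairs seen in "debug radius" output into an ordered ACL and flags entries that use a bare "object-group NAME" instead of the "object-group network NAME" / "object-group service NAME" form given in the corrected av-pair above. The sample attributes are constructed, and the ACE grammar is simplified to the address and port forms seen in this thread plus gt/lt/neq/range.

```python
import re

# Constructed sample of the RADIUS attributes an ASA prints in "debug radius" when
# ACS returns a downloadable ACL (names and hashes are made up for illustration).
SAMPLE_ATTRS = [
    "User-Name=#ACSACL#-IP-EXAMPLE-ACL-00000001",
    "Class=CACS:acs-example/1/1",
    "cisco-av-pair=ip:inacl#2=permit tcp any object-group network ObjectGroup object-group service ServiceOB",
    "cisco-av-pair=ip:inacl#1=permit tcp host 192.168.151.10 eq 1433 host 10.1.1.1",
    "cisco-av-pair=ip:inacl#3=permit ip any object-group ObjectGroup object-group ServiceOB",
]
INACL = re.compile(r"^cisco-av-pair=ip:inacl#(\d*)=(.+)$")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
OG_ERR = "object-group must be qualified as 'object-group network NAME' or 'object-group service NAME'"

def _take_addr(t):
    """Consume one address spec: any | host A.B.C.D | object-group network NAME | A.B.C.D M.M.M.M"""
    if t and t[0] == "any": return t[1:]
    if len(t) > 1 and t[0] == "host" and IPV4.match(t[1]): return t[2:]
    if len(t) > 2 and t[0] == "object-group" and t[1] == "network": return t[3:]
    if len(t) > 1 and IPV4.match(t[0]) and IPV4.match(t[1]): return t[2:]
    raise ValueError(OG_ERR if t and t[0] == "object-group" else f"bad address near {' '.join(t[:2]) or '<end>'}")

def _take_port(t):
    """Consume an optional port spec; a following 'object-group network' is left for _take_addr."""
    if t and t[0] in ("eq", "gt", "lt", "neq") and len(t) > 1: return t[2:]
    if t and t[0] == "range" and len(t) > 2: return t[3:]
    if len(t) > 2 and t[0] == "object-group" and t[1] == "service": return t[3:]
    if t and t[0] == "object-group" and t[1:2] != ["network"]: raise ValueError(OG_ERR)
    return t

def validate_ace(ace):
    """Return None if the ACE parses under this simplified grammar, else a message naming the defect."""
    t = ace.split()
    if len(t) < 4 or t[0] not in ("permit", "deny"): return "ACE must start with permit/deny"
    if t[1] not in ("ip", "tcp", "udp", "icmp"): return f"unsupported protocol {t[1]!r}"
    ports = t[1] in ("tcp", "udp")  # only tcp/udp ACEs may carry port specs
    try:
        rest = _take_addr(t[2:])
        rest = _take_port(rest) if ports else rest
        rest = _take_addr(rest)
        rest = _take_port(rest) if ports else rest
    except ValueError as e:
        return str(e)
    return None if not rest else f"trailing tokens: {' '.join(rest)}"

def check_download(attrs):
    """Reassemble the ip:inacl# entries in sequence order and validate each ACE."""
    entries = [(int(m.group(1) or 0), m.group(2).strip())
               for m in (INACL.match(a.strip()) for a in attrs) if m]
    aces = [ace for _, ace in sorted(entries, key=lambda e: e[0])]
    return {"aces": aces, "problems": {a: p for a in aces if (p := validate_ace(a))}}
```

Running check_download(SAMPLE_ATTRS) orders the three ACEs by their #N sequence and reports only the third one, which uses the unqualified object-group form.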
07-16-2014 08:44 PM
I think you need this:
In order to download a name for an access list that you have already created on the security appliance from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11):
filter-id=acl_name
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113449-asa-vpn-acs-00.html#new
Regards,
Jatin Katyal
**Do rate helpful posts**
07-17-2014 07:39 AM
Thanks for the answer Jatin.
But I believe I would need the ACL already created in the ASA. I can successfully do this, but what I am really trying to accomplish is to apply the filter-id not with an already created ACL in the ASA, but with a Dynamic ACL, maybe hosted in the ACS as a Downloadable ACL.
I tried to find documentation about the Filter-ID ACL Dynamic, but I did not find anything, so I am not sure if this is possible.
Thanks a lot.