Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
845
Views
0
Helpful
1
Replies

Downloadable PIX ACL

emily
Level 1
Level 1

‎07-16-2002 06:25 AM - edited ‎02-20-2020 10:09 PM

Dear All:

I had ACS 3.0 it's for VPN client 3.5 authentication and authorization , i can authentication

successful,But i couldn't authorization for VPN client,When i setting "downloadable PIX ACL",

as bellow is my definition

permit tcp any host 192.168.53.201 eq 23

permit tcp any host 192.168.53.201 eq 80

I would to know that config is correct or other way that can restriction VPDN clinet

only access 23 and 80 port number on 192.168.53.201 server

[PIX-Config]

ip local pool ippool 10.10.10.1-10.10.11.254

access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0

nat (inside) 0 access-list 100

aaa-server authme protocol tacacs+

aaa-server authme (inside) host 192.168.53.100 cisco1234 timeout 10

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap client authentication authme

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local ippool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 33600

vpngroup vpn3000 address-pool ippool

vpngroup vpn3000 dns-server 192.168.50.100

vpngroup vpn3000 wins-server 192.168.50.200

vpngroup vpn3000 default-domain abcd.com

vpngroup vpn3000 idle-time 1800

vpngroup vpn3000 password ********

Pls in advice

0 Helpful
1 Reply 1

gfullage
Cisco Employee
Cisco Employee

‎07-16-2002 05:09 PM

There's a current bug (CSCdx47975) where downloadable ACL's do not work for VPN users, only for users doing passthru authentication. The workaround is to define the ACL on the PIX, then just pass down the ACL number (rather than the whole ACL) and that ACL will be assigned to that user.

There's a sample config here:

http://www.cisco.com/warp/public/110/pixcryaaa52.shtml

Basically do the following:

access-list 150 permit tcp any host 192.168.53.201 eq 23

access-list 150 permit tcp any host 192.168.53.201 eq 80

on the PIX, then on the ACS server just send down the ACL number 150 and that will be applied ot the VPN user.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card