TCC_2

Core issue

There can be many reasons why downloadable ACLs are not pushed or fail to restrict access for VPN Clients. One of the common reasons is that the sysopt ipsec pl-compatible command is configured on the PIX Firewall.

In that case, you cannot use downloadable access control lists (ACLs) from the Cisco Secure Access Control Server (ACS) to restrict a group of Cisco VPN Clients to a limited number of IP addresses on the inside network.

Resolution

To resolve this issue, remove the sysopt ipsec pl-compatible command from the configuration if it is present.


The sysopt ipsec pl-compatible command enables IPsec packets to bypass the PIX Firewall unit Network Address Translation (NAT) and Adaptive Security Appliance (ASA) features and allows incoming IPsec packets to terminate on the inside interface.