Problems with ACLs and dynamic-map on a PIX

dcaldero
Level 1

I have a PIX 6.3(1) configured to give access to remote VPN clients; all is working fine except when I attach an ACL to the dynamic-map with the command:

crypto dynamic-map MAP-NAME 30 match address acl_name

Then the IKE Mode Config cannot assign the IP address to the remote VPN client.

Is there any issue I forgot?

7 Replies

ehirsel
Level 6

The match address is not normally coded on a dynamic-map; instead an acl that is referred to in the "vpngroup split-tunnel access-list" command is coded, in cases where the remote client can connect directly to networks outside of the vpn; or the acl is not needed at all, forcing all traffic from the client to flow to the pix.

What I think is happening is that the address assignment is generating a new ip address that does not match the dest. address in the acl that is referred to in the dynamic map.

Try removing this: crypto dynamic-map MAP-NAME 30 match address acl_name and make sure that you have this coded:

crypto map map-name client configuration address initiate

and maybe this too:

crypto map map-name client configuration address respond (if you allow clients to have their own address)

Also ensure that if you have site-to-site vpn connections that terminate on the same interface, in this statement: "crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name" the seq-num is numerically higher than the other ones, so that the site vpn can proceed normally using the lower numbers (higher priority) and the remote access vpn negotiations take place later using lower priorities, so that there is no mixup as to what clients need to be given an ip address and require user authentication.

Let me know if you have any more questions.

Hi ehirsel,

thanks for your response.

As I posted, when I remove: crypto dynamic-map MAP-NAME 30 match address acl_name; all is working fine.

The reason for the dynamic-map access-list is to filter more accurately the accesses to the internal network from the outside VPNs.

As explained in the documentation, it is possible to attach an acl to the dynamic-map; it should work!

I think there should be some bug in the OS.

--

dcaldero

When you state that you want to "filter with more accuracy the accesses to the internal network from the outside VPNs" - does that mean you want to restrict what the vpn users can do once they connect and authenticate? If that is your goal you may be better off by turning off the sysopt permit-ipsec and adding acl entries with a source address of the vpn client pool (assigned by the pix) to the interface where the ipsec tunnel terminates. This will force the pix to re-examine the acl after ipsec processing to determine whether to forward the packet or not.

How is the acl referred to in the dynamic map coded? Can you post it here?

Thanks, Ed Hirsel

Ed,

thanks again for your response.

That's right: I want to restrict what users can do after they connect and authenticate.

I like your idea of turning off the sysopt permit-ipsec. Is there any doc explaining what ports I should open, e.g. 4500, 500, etc.?

Thanks,

David
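The approach Ed describes in the previous reply (no ACL on the dynamic-map, `sysopt connection permit-ipsec` turned off, and the interface ACL restricting the client pool to one host and port), written out as an added illustration that is not from the thread. All names and addresses are made up; the ISAKMP policy, NAT and the rest of the VPN setup are assumed to already be in place.

```text
! Hypothetical PIX 6.3 fragment (added example, not from the original post).
! Assumed values: 192.168.1.10 is the inside host being protected,
! 10.10.10.0/24 is the pool that IKE mode config hands to remote clients.

! Address pool assigned to remote clients by mode config
ip local pool vpnpool 10.10.10.1-10.10.10.50
vpngroup remotegrp address-pool vpnpool
vpngroup remotegrp password ********

! Dynamic map WITHOUT "match address": the ACL there is what broke
! the mode-config address assignment in the thread
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map interface outside
isakmp enable outside

! Make decrypted IPsec packets subject to the interface ACL
no sysopt connection permit-ipsec

! Interface ACL: only the VPN pool, only to the one host, only port 443;
! the explicit deny keeps everything else from the pool out
access-list outside_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-list outside_in deny ip 10.10.10.0 255.255.255.0 any
access-group outside_in in interface outside
```

With `permit-ipsec` off, traffic arriving over any site-to-site tunnel that terminates on the same interface is also checked against `outside_in`, so those peers need their own entries or they will be dropped as well.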

n.oneill
Level 1

Hi dcaldero

Just wondered if you resolved this as I have the same issue also?

My post:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd62630

Thanks

Hi n.oneill,

not resolved, sorry.

The point is that I want to restrict access to an inside host, limiting access to a specific port (I feel that allowing access to "all ports" of the host is too insecure).

The access list in a dynamic map is not working, and looking at the logs I see that the problem is in the assignment of the IP address to the remote mobile user (what Cisco calls "mode config").

All the examples and docs I have read are not so specific at this point. I wonder if it's an operating system bug...

Anyway, I keep investigating. If you find any solution I will be glad to know about it. Thanks.

Hi dcaldero

Yes I will let you know if I resolve this.

Incidentally cihan@cisco.com is the product specialist for PIX so I may try e-mailing him direct.

Regards

Nick