IAS handing out access-list

Unanswered Question
Jul 19th, 2007

Hi Lads,

Don't know if anyone has tried the below, but here goes.

We have various remote access support staff who come in via VPN clients into our 6.3(3) firewall. They are given an IP address from the network range. There are remote access policies in Microsoft IAS then that are pushing an access-list to the users, allowing them access only to a particular IP address. So once the condition of them being in a group in IAS is met, the policy then pushes out an access-list in the format

of ip:access-list 120 permit tcp any host eq 23.

This is detailed in this document


Here are my questions, if anyone can answer.

1) Does the access-list have to exist on the firewall beforehand?

2) Is the syntax above correct?

Thanks in advance, as I am really stumped on this.

Jon Marshall Thu, 07/19/2007 - 04:45


I haven't done this with IAS, but I have done it with Cisco Secure ACS. Based on that:

1) No, the access-list does not have to be on the firewall first.

What you will need to do if you are downloading IP access-lists to the firewall is add the per-user-override statement to the access-group command on your PIX, e.g.

access-list acl_inbound in interface outside per-user-override

2) Not sure what you mean about syntax. Your access-list says allow any host to telnet to host

Is this what you intended?



kcornally Thu, 07/19/2007 - 06:54

Thanks Jon,

1) Thanks for clearing this point up.

2) There is an access-list on the outside interface, where the VPN client terminates. Do I need to apply the per-user-override statement here?

In relation to the syntax, I was wondering if the syntax needs to be different if MS is pushing to a Cisco box, just a query really.

Thanks again for your time, Jon.

Jon Marshall Thu, 07/19/2007 - 06:59


2) It depends. If the access-list you have already gives the right access for the VPN client, then no, you don't need to do anything.

If the access-list does not include the permissions for the VPN client, you need to change this statement on your PIX

access-group outside_in in interface outside

to

access-group outside_in in interface outside per-user-override

If you don't, then the downloaded ACL will not be used.

Not sure about the syntax - looks okay to me, but as I say, I haven't used IAS before.



kcornally Thu, 07/19/2007 - 07:46

Fair play, Jon.

The access-list on the outside interface is:

permit icmp any any

deny ip any any

So that needs to be modified then.

Thanks, Jon.

Jon Marshall Thu, 07/19/2007 - 07:55


As I say, you can either add to this access-list to allow VPN access, or

leave the access-list as it is and just change the "access-group" entry as above.
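Since question 2 above is about whether the entry pushed from RADIUS is well-formed, here is an added validator (example code written for this page, not from the thread or from Cisco) for the per-user ACL entries a PIX/ASA accepts in the cisco-av-pair attribute. It assumes the `ip:inacl#<n>=<ace>` attribute form and PIX-style extended ACL entries (action, protocol, source, destination, optional port operator, networks written as address plus subnet mask). The sample attributes are constructed; one of them deliberately has a `host` keyword with no address behind it, which is the kind of defect a quick check before loading a policy onto the RADIUS server would catch.

```python
import ipaddress
import re

# RADIUS cisco-av-pair carrying one per-user ACL entry for a PIX/ASA, in the
# form "ip:inacl#<n>=<ace>" (assumed attribute form for this example).
AV_PAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_OPERATORS = {"eq", "neq", "gt", "lt"}


def _parse_address(tokens, pos):
    """Consume one address spec ('any', 'host A.B.C.D', or 'network mask').

    Returns (normalised_spec, next_position); raises ValueError when the
    specification is missing or malformed.
    """
    if pos >= len(tokens):
        raise ValueError("missing address specification")
    tok = tokens[pos]
    if tok == "any":
        return "any", pos + 1
    if tok == "host":
        if pos + 1 >= len(tokens):
            raise ValueError("'host' keyword without an address")
        try:
            addr = ipaddress.IPv4Address(tokens[pos + 1])
        except ValueError:
            raise ValueError(
                f"'host' must be followed by an IPv4 address, got {tokens[pos + 1]!r}"
            ) from None
        return f"host {addr}", pos + 2
    # PIX extended ACLs write networks as "address subnet-mask"
    if pos + 1 >= len(tokens):
        raise ValueError(f"network {tok!r} without a subnet mask")
    try:
        net = ipaddress.IPv4Network(f"{tok}/{tokens[pos + 1]}", strict=False)
    except ValueError:
        raise ValueError(f"bad network/mask pair {tok!r} {tokens[pos + 1]!r}") from None
    return f"{net.network_address} {net.netmask}", pos + 2


def parse_ace(ace):
    """Parse one access-control entry into a dict, or raise ValueError."""
    tokens = ace.split()
    if len(tokens) < 4:
        raise ValueError("entry too short: need action, protocol, source, destination")
    action, proto = tokens[0], tokens[1]
    if action not in {"permit", "deny"}:
        raise ValueError(f"action must be permit or deny, got {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    src, pos = _parse_address(tokens, 2)
    dst, pos = _parse_address(tokens, pos)
    port = None
    if pos < len(tokens):
        # A trailing port operator only makes sense for tcp/udp
        if proto in {"tcp", "udp"} and tokens[pos] in PORT_OPERATORS and pos + 1 < len(tokens):
            port = (tokens[pos], tokens[pos + 1])
            pos += 2
    if pos != len(tokens):
        raise ValueError(f"unexpected trailing tokens: {' '.join(tokens[pos:])!r}")
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def check_av_pairs(pairs):
    """Validate a list of cisco-av-pair strings; returns [(pair, 'ok' or error message)]."""
    results = []
    for pair in pairs:
        match = AV_PAIR_RE.match(pair.strip())
        if not match:
            results.append((pair, "not an ip:inacl#<n>=... attribute"))
            continue
        try:
            parse_ace(match.group(2))
            results.append((pair, "ok"))
        except ValueError as err:
            results.append((pair, str(err)))
    return results


# Constructed sample attributes (not from the thread): a well-formed telnet
# permit, an entry whose 'host' keyword lost its address, a network deny,
# and an entry with an impossible subnet mask.
SAMPLE_PAIRS = [
    "ip:inacl#1=permit tcp any host 192.0.2.10 eq 23",
    "ip:inacl#2=permit tcp any host eq 23",
    "ip:inacl#3=deny ip any 10.0.0.0 255.255.255.0",
    "ip:inacl#4=permit udp 10.0.0.0 255.255.0.300 any eq 53",
]

if __name__ == "__main__":
    for pair, verdict in check_av_pairs(SAMPLE_PAIRS):
        print(f"{verdict:60s} <- {pair}")
```

Run as a script it prints one verdict per attribute; the first and third entries pass, the second is rejected because `host` is followed by `eq` instead of an address, and the fourth is rejected for its mask. The downloaded entry is only consulted by the firewall when the interface's access-group carries per-user-override, as described in the replies above, so this check covers the attribute side only.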


