07-19-2007 02:15 AM - edited 02-20-2020 09:39 PM
Hi Lads,
Don't know if anyone has tried the below, but here goes.
We have various remote access support staff who come in via VPN clients into our 6.3(3) firewall. They are given an IP address from the 192.168.255.0 network range. There are remote access policies in Microsoft IAS that then push an access-list to the users allowing them access only to a particular IP address. So once the condition of them being in a group in IAS is met, the policy then pushes out an access-list in the format of ip:access-list 120 permit tcp any host 1.1.1.1 eq 23.
This is detailed in this document: http://support.microsoft.com/kb/283829.
Here is my question, if anyone can answer.
1) Does the access list have to exist on the firewall beforehand
and
2) Is the syntax above correct?
Thanks in advance, as I am really stumped on this.
07-19-2007 04:45 AM
Hi
I haven't done this with IAS but I have done it with Cisco Secure ACS. Based on that:
1) No, the access-list does not have to be on the firewall first.
What you will need to do if you are downloading IP access-lists to the firewall is add the per-user-override statement to the access-group command on your PIX, e.g.
access-group acl_inbound in interface outside per-user-override
2) Not sure what you mean about syntax. Your access-list allows any host to telnet to host 1.1.1.1.
Is this what you intended?
HTH
Jon
07-19-2007 06:54 AM
Thanks Jon,
1) Thanks for clearing this point up.
2) There is an access-list on the outside interface, where the VPN client terminates. Do I need to apply the per-user-override statement here?
In relation to the syntax, I was wondering if the syntax needs to be different if MS is pushing to a Cisco box, just a query really.
Thanks again for your time Jon,
07-19-2007 06:59 AM
Hi
2) It depends. If the access-list you have already gives the right access for the VPN client then no, you don't need to do anything.
If the access-list does not include the permissions for the VPN client, you need to change this statement on your PIX
access-group outside_in in interface outside
to
access-group outside_in in interface outside per-user-override
If you don't, then the downloaded ACL will not be used.
Not sure about the syntax - looks okay to me, but as I say I haven't used IAS before.
HTH
Jon
07-19-2007 07:46 AM
Fair play Jon,
The access-list on the outside interface:
permit icmp any any
deny ip any any
So that needs to be modified then,
Thanks Jon
07-19-2007 07:55 AM
Hi
As I say, you can either add to this access-list to allow VPN access, or leave the access-list as it is and just change the "access-group" entry as above.
Jon
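To illustrate the behaviour Jon describes, here is an added example (not from the thread or from Cisco) that models the outside-interface ACL and the downloaded per-user ACL from this thread, and shows how the per-user-override flag changes what a VPN user's telnet session to 1.1.1.1 hits. The ACE grammar handled is only the subset that appears above (permit/deny, protocol, any/host/mask addresses, optional eq port).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: the outside interface ACL and the ACL
# that the RADIUS policy pushes for the support-staff group.
INTERFACE_ACL = ["permit icmp any any", "deny ip any any"]
PER_USER_ACL = ["permit tcp any host 1.1.1.1 eq 23"]

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network((tok, tokens.pop(0)), strict=False)  # PIX uses a subnet mask

def ace_matches(ace, flow):
    """Return 'permit'/'deny' if the ACE matches the flow, else None."""
    tokens = ace.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, dst = _parse_addr(rest), _parse_addr(rest)
    if proto != "ip" and proto != flow.proto:
        return None
    if ipaddress.ip_address(flow.src) not in src or ipaddress.ip_address(flow.dst) not in dst:
        return None
    if rest and (rest[0] != "eq" or flow.dport != int(rest[1])):  # optional "eq <port>"
        return None
    return action

def evaluate(acl, flow):
    """First matching ACE wins; anything no ACE permits is denied."""
    for ace in acl:
        action = ace_matches(ace, flow)
        if action is not None:
            return action == "permit"
    return False

def vpn_user_allowed(flow, per_user_override):
    # Models the reply: with per-user-override the downloaded ACL decides for
    # that user; without it the interface ACL alone is applied.
    return evaluate(PER_USER_ACL if per_user_override else INTERFACE_ACL, flow)

if __name__ == "__main__":
    telnet = Flow("tcp", "192.168.255.10", "1.1.1.1", 23)
    print(vpn_user_allowed(telnet, per_user_override=False))  # False
    print(vpn_user_allowed(telnet, per_user_override=True))   # True
```

Note that under this model the override replaces the interface ACL for that user entirely, so the ICMP permit on the outside interface no longer applies to them once the downloaded ACL is in effect.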