IAS handing out access-list

kcornally
Level 1

Hi Lads,

Don't know if anyone has tried the below but here goes.

We have various remote access support staff who come in via VPN clients into our 6.3(3) firewall. They are given an IP address from the 192.168.255.0 network range. There are remote access policies in Microsoft IAS then that push an access-list to the users allowing them access only to a particular IP address. So once the condition of them being in a group in IAS is met, the policy then pushes out an access-list in the format of:

ip:access-list 120 permit tcp any host 1.1.1.1 eq 23

This is detailed in this document

http://support.microsoft.com/kb/283829.

Here is my question if anyone can answer.

1) Does the access list have to exist on the firewall beforehand?

and

2) Is the syntax above correct?

Thanks in advance as I am really stumped on this.

5 Replies

Jon Marshall
Hall of Fame

Hi

I haven't done this with IAS but I have done it with Cisco Secure ACS. Based on that:

1) No, the access-list does not have to be on the firewall first.

What you will need to do if you are downloading IP access-lists to the firewall is add the per-user-override statement to the access-group command on your PIX, e.g.

access-list acl_inbound in interface outside per-user-override

2) Not sure what you mean about syntax. Your access-list allows any host to telnet to host 1.1.1.1.

Is this what you intended?

HTH

Jon

Thanks Jon,

1) Thanks for clearing this point up.

2) There is an access-list on the outside interface, where the VPN client terminates. Do I need to apply the per-user-override statement here?

In relation to the syntax, I was wondering if the syntax needs to be different if MS is pushing to a Cisco box, just a query really.

Thanks again for your time Jon,

Hi

2) It depends. If the access-list you have already gives the right access for the VPN client then no, you don't need to do anything.

If the access-list does not include the permissions for the VPN client you need to change this statement on your PIX:

access-group outside_in in interface outside

to

access-group outside_in in interface outside per-user-override

If you don't then the downloaded ACL will not be used.

Not sure about the syntax - looks okay to me but, as I say, I haven't used IAS before.

HTH

Jon

Fair play Jon,

The access-list on the outside interface is:

permit icmp any any

deny ip any any

So that needs to be modified then.

Thanks Jon

Hi

As I say, you can either add to this access-list to allow VPN access, or leave the access-list as it is and just change the "access-group" entry as above.

Jon
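A small model of the decision the replies describe, added here as an example (it is not Cisco code and was not posted in the thread): it parses the two ACLs quoted above in the subset of syntax they use and shows why the telnet session only gets through once per-user-override is set. The interface-ACL-governs behaviour without the keyword follows Jon's description; treat that as the assumption being modelled.

```python
"""Model of a PIX choosing between an interface ACL and a downloaded
per-user ACL, following the thread above (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two ACLs quoted in the thread.
OUTSIDE_ACL = ["permit icmp any any", "deny ip any any"]
USER_ACL = ["permit tcp any host 1.1.1.1 eq 23"]   # downloaded from IAS


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


def _match_addr(tokens: List[str], addr: str) -> bool:
    """Consume an address spec ('any' or 'host A.B.C.D') and match it."""
    kw = tokens.pop(0)
    if kw == "any":
        return True
    if kw == "host":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(tokens.pop(0))
    raise ValueError(f"unsupported address spec {kw!r}")


def ace_matches(ace: str, pkt: Packet) -> bool:
    """True when one entry such as 'permit tcp any host 1.1.1.1 eq 23' matches."""
    _action, proto, *rest = ace.split()
    if proto != "ip" and proto != pkt.proto:
        return False
    if not _match_addr(rest, pkt.src) or not _match_addr(rest, pkt.dst):
        return False
    if rest[:1] == ["eq"]:          # optional destination port qualifier
        return pkt.dport == int(rest[1])
    return True


def acl_permits(acl: List[str], pkt: Packet) -> bool:
    """First matching entry wins; implicit deny at the end of every ACL."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.split()[0] == "permit"
    return False


def pix_allows(iface_acl, user_acl, pkt: Packet, per_user_override: bool) -> bool:
    """With per-user-override the downloaded ACL replaces the interface ACL for
    that user's traffic; without it the interface ACL governs (as Jon describes)."""
    if per_user_override and user_acl:
        return acl_permits(user_acl, pkt)
    return acl_permits(iface_acl, pkt)
```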
