ACS Help

Unanswered Question
Nov 8th, 2007
User Badges:


We have ASA 5520 and ACS 3.3

We would like to have Remote-Acess authentication through ACS Database and would like to restrict remote user group with access to specific server or network....

Kindly advice with steps.....


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


You can configure the PIX Firewall with a ACS server for VPN Clients.

Configure the primary ACS server with the host name and key.

Bind the authentication server with crypto map.

Use these commands in order to complete the configuration:

aaa-server ACS-RADIUS (inside) host X.X.X.X (key) timeout 5

crypto map vpnmap client authentication ACS-RADIUS LOCAL

Note: Within the crypto map, you can only enter one external authentication server group. The failover or backup authentication method can only be set to LOCAL. If there second server in the list it is only queried if the primary server is unresponsive. If the primary server is queried and issues a failed response, then the secondary server is not queried.

Please rate if this helps.

Regards MJ

Amin Shaikh Fri, 11/09/2007 - 21:33
User Badges:


How would I restrict the user from acccessing specific resourses on the network ( Ex : allow only specific server or specific network )

Which option on ACS does this... please help with steps..


I would Remove the sysopt connection permit-ipsec command from the PIX Firewall configuration. Add statements to the ACL applied to the outside interface permitting Encapsulating Security Payload (ESP), UDP 500, and the traffic from the VPN pool to the specific server. You will then be able to control access to the server.

Regards MJ

Amin Shaikh Mon, 11/12/2007 - 05:27
User Badges:


I have site to site VPN and Remote-Access on the ASA.

We want to create users on ACS and restrict them throug ACS for server or network access.

Plz help on these request.


This Discussion