ACL-list syntax error in PIX after upgrade, need urgent help!

Answered Question
Aug 1st, 2008

Hello everyone

We have a setup including Cisco ACS + a VPN 3005 Concentrator and a PIX 515E (7.2.4).

We upgraded the PIX version from 7.0 to 7.2.4 and suddenly our downloadable access-list was getting refused when users authenticated against the ACS.

When debugging RADIUS in the PIX we found that entering this line in the downloadable access-list gives an error and stops the users from getting the ACL:

"deny ip any 192.168.0.0 0.0.255.255"

The PIX refused to process their auth request when encountering this line.

Fine, we said, and changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0

This made the PIX process the ACL.

We were happy for a while until VPN users started to complain.

It seems that the VPN 3005 can't deal with the syntax we entered in the PIX!

The VPN 3005 doesn't seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0"!

It can only handle "deny ip any 192.168.0.0 0.0.255.255"!

Which the PIX can't handle...

I'm at a loss at what to do here...

We have VPN users who can't surf now because of these ACL problems.

What can I do? Has anyone else encountered this?

We upgraded the VPN 3005 to the latest SW version.

Really need some help here, guys!

Thanks

azore2007 Sun, 08/03/2008 - 00:44

Well, Cisco changed the support for wildcard masks in the 7.0.4 release it seems, switching them to subnet masks instead...

Downgrading to 6.3 and then upgrading to 7.0.1 once again...

Damn!

Correct Answer
Farrukh Haroon Sun, 08/03/2008 - 18:34

I don't think Cisco ever changed anything on the PIX. It uses subnet masks from day one AFAIK, and the VPN Conc uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to fix this issue. This way you define a wildcard ACL on the ACS/AAA server and then use this command on the ASA to use the same downloadable ACL for both devices (PIX, VPNC).

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a2.html#wp1622944

Please rate if helpful.

Regards

Farrukh
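Farrukh's suggestion in script form, added here as an illustration and not code from the thread or from Cisco: the script does for a downloadable ACL what acl-netmask-convert does on the ASA, classifying each mask as wildcard or subnet mask and rewriting wildcard masks into the form the PIX accepts. The mode names mirror the command's standard, wildcard and auto-detect keywords; the sample ACL and the handling of ambiguous masks (0.0.0.0 and 255.255.255.255 are valid in both notations, so they are left unchanged and flagged for review) are this script's own assumptions, not a description of the ASA's behaviour.

```python
import ipaddress
import re

# Constructed sample (not the thread's real ACS entry): the thread's ACL line plus edge cases.
SAMPLE_ACL = """\
permit ip any host 10.1.1.5
deny ip any 192.168.0.0 0.0.255.255
permit tcp 10.0.0.0 0.255.255.255 any eq 443
deny ip any 172.16.0.0 255.255.255.255
"""
DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ALL_ONES = 0xFFFFFFFF

def _pow2(x: int) -> bool:
    return x > 0 and x & (x - 1) == 0

def mask_kind(mask: str) -> str:
    """Classify a mask: netmask, wildcard, ambiguous (0.0.0.0 / 255.255.255.255) or noncontiguous."""
    m = int(ipaddress.IPv4Address(mask))
    netmask = _pow2((m ^ ALL_ONES) + 1)  # ones contiguous from the left: complement + 1 is a power of two
    wildcard = _pow2(m + 1)              # ones contiguous from the right: mask + 1 is a power of two
    if netmask and wildcard:
        return "ambiguous"
    return "netmask" if netmask else "wildcard" if wildcard else "noncontiguous"

def invert_mask(mask: str) -> str:
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))

def convert_line(line: str, mode: str = "auto-detect") -> tuple[str, list[str]]:
    """Rewrite one ACL line into PIX netmask form. Modes mirror the ASA keywords:
    'standard' leaves masks alone, 'wildcard' inverts every mask, 'auto-detect'
    inverts only wildcard masks and reports the rest (assumed handling, not ASA code)."""
    tokens, notes, i = line.split(), [], 0
    while i < len(tokens) - 1:
        addr, mask = tokens[i], tokens[i + 1]
        is_pair = addr == "host" or (DOTTED.match(addr) and DOTTED.match(mask))
        if is_pair and addr != "host":  # "host a.b.c.d" carries no mask
            kind = mask_kind(mask)
            if mode == "wildcard" or (mode == "auto-detect" and kind == "wildcard"):
                tokens[i + 1] = invert_mask(mask)
            elif mode == "auto-detect" and kind != "netmask":
                notes.append(f"{addr} {mask}: {kind} mask left unchanged, check by hand")
        i += 2 if is_pair else 1  # consume both tokens of an address/mask pair
    return " ".join(tokens), notes

def convert_acl(text: str, mode: str = "auto-detect") -> tuple[list[str], list[str]]:
    """Convert every line; returns (converted lines, notes for manual review)."""
    results = [convert_line(line, mode) for line in text.splitlines()]
    return [r[0] for r in results], [n for r in results for n in r[1]]
```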

azore2007 Sun, 08/03/2008 - 18:51

Thank you Farrukh

I wonder why the PIX removed this when I did the 7.0.1->7.2.4 software upgrade?

Now I don't have to downgrade and re-upgrade again :)

Thanks!
