We have a setup including Cisco ACS + a VPN 3005 Concentrator and a PIX 515E (7.2.4).
We upgraded the PIX version from 7.0 to 7.2.4 and suddenly our downloadable access-list was getting refused when users authenticated against the ACS.
When debugging RADIUS on the PIX we found that entering this line in the downloadable access-list gives an error and stops users from getting the ACL:
"deny ip any 192.168.0.0 0.0.255.255"
The PIX refused to process their auth request when encountering this line.
Fine, we said, and we changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0
This made the PIX process the ACL.
We were happy for a while until VPN users started to complain.
It seems that the VPN 3005 can't deal with the syntax we entered for the PIX!
The VPN 3005 doesn't seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0"!
It can only handle "deny ip any 192.168.0.0 0.0.255.255"!
Which the PIX can't handle...
I'm at a loss at what to do here...
We have VPN users who can't surf now with these ACL problems.
What can I do? Has anyone else encountered this?
We upgraded the VPN 3005 to the latest SW version.
Really need some help here, guys!
I don't think Cisco ever changed anything on the PIX. It uses subnet masks from day one AFAIK, and the VPN Concentrator uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to fix this issue. This way you define a wildcard ACL on the ACS/AAA server and then use this command on the ASA to use the same downloadable ACL for both devices (PIX, VPNC).
Please Rate if helpful.
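As an added illustration of the approach in the reply above (not configuration from the original thread or from Cisco documentation), here is how the mask-conversion setting sits on the AAA server definition of an ASA (and, by assumption, a PIX running the same 7.x software train). The server group name, interface name, server address and shared secret are placeholders; the ACL stored on the ACS keeps the wildcard form that the VPN 3005 needs, and the firewall converts it on download.

```text
! Constructed example: RADIUS server group used for downloadable ACLs
aaa-server ACS-GROUP protocol radius
aaa-server ACS-GROUP (inside) host 10.1.1.10
 key <shared-secret-placeholder>
 ! Treat the netmask in downloadable ACLs as a wildcard mask
 ! (VPN 3005 / IOS style) and convert it to a subnet mask locally.
 ! Alternatives: "standard" (no conversion) or "auto-detect".
 acl-netmask-convert wildcard

! Downloadable ACL as stored on the ACS, in wildcard form,
! so the VPN 3005 consumes it unchanged:
!   deny ip any 192.168.0.0 0.0.255.255
!   permit ip any any
! After conversion the firewall applies it as:
!   deny ip any 192.168.0.0 255.255.0.0
!   permit ip any any
```

Prefer an explicit `wildcard` or `standard` setting over `auto-detect`: a mask whose bits are all zero or all one (for example a host entry written as 0.0.0.0, or 255.255.255.255) reads validly in either convention, so automatic detection can silently pick the wrong interpretation and widen or narrow the match. After changing the setting, confirm the result with `debug radius` and `show access-list` on the firewall for a test user, and verify that the same user's ACL is still accepted on the VPN 3005.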