ACL-list syntax error in PIX after upgrade, need urgent help!

azore2007
Level 1

Hello everyone

We have a setup including Cisco ACS + a VPN 3005 Concentrator and a PIX 515E (7.2.4)

We upgraded the PIX version from 7.0 to 7.2.4 and suddenly our downloadable access-list was getting refused when users authenticated against the ACS.

When debugging RADIUS on the PIX we found that entering this line in the downloadable access-list gives an error and stops the users from getting the ACL.

"deny ip any 192.168.0.0 0.0.255.255"

PIX refused to process their auth request when encountering this line.

Fine, we said, and we changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0

This made the PIX process the ACL.

We were happy for a while until VPN users started to complain.

It seems that the VPN 3005 can't deal with the syntax we entered in the PIX!

The VPN 3005 doesn't seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0"!

It can only handle "deny ip any 192.168.0.0 0.0.255.255"!

Which the PIX can't handle..

I'm at a loss at what to do here..

We got VPN users who can't surf now with these ACL problems.

What can I do? Anyone else encountered this?

We upgraded the VPN 3005 to the latest SW version.

Really need some help here guys!

Thanks

3 Replies

azore2007
Level 1

Well, Cisco changed the support for wildcard mask in the 7.0.4 release it seems, switching them into subnet mask instead..

Downgrading to 6.3 and then upgrading to 7.0.1 once again..

damn!

I don't think Cisco ever changed anything on the PIX. It uses subnet masks from day one AFAIK and the VPN Conc uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to fix this issue. This way you define a wildcard ACL on the ACS/AAA server and then use this command on the ASA to use the same downloadable ACL for both devices (PIX, VPNC).

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a2.html#wp1622944

Please Rate if helpful.

Regards

Farrukh
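To make the wildcard-versus-subnet mismatch in this thread concrete, here is an added example (not code from the thread, Cisco, or the linked command reference) that rewrites a downloadable ACE the way the PIX/ASA wants it. The three modes mirror the keywords of acl-netmask-convert (auto-detect, standard, wildcard); their exact semantics here are my reading, not Cisco's documentation. The sample ACEs, including the thread's own "deny ip any 192.168.0.0 0.0.255.255", are constructed. The point worth checking as a defender is the ambiguous case: 0.0.0.0 read as a wildcard means "this exact host", read as a subnet mask it matches everything, so an auto-detected conversion can silently widen an ACL where an explicit `wildcard` declaration would not.

```python
import ipaddress

# The 33 contiguous subnet masks (/0 .. /32) and their wildcard complements.
SUBNET_MASKS = {(0xFFFFFFFF << (32 - k)) & 0xFFFFFFFF for k in range(33)}
WILDCARD_MASKS = {m ^ 0xFFFFFFFF for m in SUBNET_MASKS}


def classify_mask(mask):
    """'subnet', 'wildcard', 'ambiguous' (0.0.0.0 / 255.255.255.255 fit both
    patterns) or 'invalid' (non-contiguous bits such as 0.255.0.255)."""
    m = int(ipaddress.IPv4Address(mask))
    if m in SUBNET_MASKS and m in WILDCARD_MASKS:
        return "ambiguous"
    if m in SUBNET_MASKS:
        return "subnet"
    if m in WILDCARD_MASKS:
        return "wildcard"
    return "invalid"


def invert_mask(mask):
    """Wildcard <-> subnet: bitwise complement of the 32-bit mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))


def _take_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A' or 'A MASK'.
    Returns (next_index, kept_tokens, index_of_mask_in_kept_or_None)."""
    if tokens[i] == "any":
        return i + 1, ["any"], None
    if tokens[i] == "host":
        return i + 2, ["host", tokens[i + 1]], None
    return i + 2, [tokens[i], tokens[i + 1]], 1


def _take_ports(tokens, i):
    """Consume an optional port qualifier (eq/gt/lt/neq X or range X Y)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2, tokens[i:i + 2]
    if i < len(tokens) and tokens[i] == "range":
        return i + 3, tokens[i:i + 3]
    return i, []


def convert_ace(ace, mode="auto-detect"):
    """Rewrite the masks of one extended ACE into the subnet form the PIX/ASA
    expects. mode follows the three acl-netmask-convert keywords (assumed
    semantics, not Cisco's documented behaviour):
      standard    - masks are already subnet masks, nothing changes
      wildcard    - every mask is a wildcard mask, all are inverted
      auto-detect - only masks that can *only* be wildcards are inverted;
                    ambiguous ones are left alone and reported
    Returns (rewritten_ace, list_of_warnings)."""
    tokens = ace.split()
    out = tokens[:2]              # action and protocol, e.g. "deny ip"
    warnings = []
    i = 2
    for _ in range(2):            # source spec, then destination spec
        i, kept, mask_pos = _take_addr(tokens, i)
        if mask_pos is not None:
            mask = kept[mask_pos]
            kind = classify_mask(mask)
            if mode == "wildcard" or (mode == "auto-detect" and kind == "wildcard"):
                kept[mask_pos] = invert_mask(mask)
            elif mode == "auto-detect" and kind == "ambiguous":
                warnings.append(f"{kept[0]} {mask}: mask is ambiguous, left unchanged")
            elif kind == "invalid":
                warnings.append(f"{kept[0]} {mask}: non-contiguous mask")
        out += kept
        i, ports = _take_ports(tokens, i)
        out += ports
    out += tokens[i:]             # trailing keywords such as 'log' pass through
    return " ".join(out), warnings


if __name__ == "__main__":
    # Constructed samples: the thread's ACE in VPN-3005 (wildcard) form,
    # and a host entry whose 0.0.0.0 mask auto-detect cannot classify.
    for mode in ("auto-detect", "standard", "wildcard"):
        print(mode, convert_ace("deny ip any 192.168.0.0 0.0.255.255", mode))
    print(convert_ace("permit tcp 10.1.2.3 0.0.0.0 any eq 22", "auto-detect"))
    print(convert_ace("permit tcp 10.1.2.3 0.0.0.0 any eq 22", "wildcard"))
```

Run the block as a script to see the thread's ACE converted under each mode. When every entry on the AAA server is written in wildcard form (as the VPN 3005 needs), telling the converter so explicitly is the predictable choice; auto-detection only has to guess on 0.0.0.0 and 255.255.255.255, but those are exactly the host and catch-all entries where a wrong guess changes what the ACL permits.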

Thank you Farrukh

I wonder why the PIX removed this when I did the 7.0.1->7.2.4 software upgrade?

Now I don't have to downgrade and re-upgrade again :)

Thanks!
