Problem with Downloadable ACLs on ACS 4.1(1) for Windows

Unanswered Question
Apr 9th, 2009

I'm currently able to log on to my internal network but not able to get my incoming ACS downloadable ACL working. Combination:

PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5.

This is my list:

permit ip host any (where any can be - 10)

deny ip any any

I'm still able to ping other machines in subnet 4 from source address

I've already checked this link:

but in my config there is no statement:

sysopt ipsec pl-compatible

The only system option that I use is:

sysopt connection permit-ipsec

Does anyone have an idea?

Regards, Peter
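Added example (not part of Peter's post or any Cisco tool): before blaming sysopt, it helps to check what the downloaded list would actually do to the test traffic. ACS can deliver per-user ACEs to the NAS inside the RADIUS Access-Accept as Cisco-AV-Pair attributes of the form ip:inacl#N=<ace>; the script below reassembles those into an ordered list and evaluates a packet against it with Cisco first-match semantics and the implicit deny at the end. The AV-pair strings, addresses and wildcard masks are constructed for the example, and port matching is deliberately not modelled.

```python
import ipaddress
import re

# Constructed sample, not from the thread: two ACEs as ACS can hand them to
# the firewall in the RADIUS Access-Accept, one Cisco-AV-Pair per entry.
# The addresses are made up for this example; the pairs are deliberately
# out of order to show that the sequence number, not the order, counts.
SAMPLE_AV_PAIRS = [
    "ip:inacl#2=deny ip any any",
    "ip:inacl#1=permit ip host 10.1.1.10 10.1.4.0 0.0.0.255",
]

AV_PAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def parse_av_pairs(av_pairs):
    """Extract the ACEs from ip:inacl#N=... pairs, ordered by N.

    Anything that is not an inacl pair (other AV-pairs, blank lines) is
    ignored, so the whole attribute list can be passed in.
    """
    entries = []
    for pair in av_pairs:
        m = AV_PAIR_RE.match(pair.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    entries.sort(key=lambda e: e[0])
    return [ace for _, ace in entries]


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # Cisco wildcard masks are inverted netmasks; a non-contiguous wildcard
    # has no CIDR equivalent and makes ip_network raise, which is fine here.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_ace(ace):
    """Parse 'permit|deny <proto> <src> <dst>' (ports are not modelled)."""
    tokens = ace.split()
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {ace!r}")
    src = _take_address(tokens)
    dst = _take_address(tokens)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def evaluate(aces, proto, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end.

    Returns (action, 1-based index of the matching ACE), or ("deny", None)
    when no entry matched and the implicit deny applied.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace_text in enumerate(aces, start=1):
        ace = parse_ace(ace_text)
        # 'ip' matches every protocol; anything else must match exactly.
        if ace["proto"] not in ("ip", proto):
            continue
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"], n
    return "deny", None


if __name__ == "__main__":
    aces = parse_av_pairs(SAMPLE_AV_PAIRS)
    for dst in ("10.1.4.7", "10.1.5.7"):
        action, n = evaluate(aces, "icmp", "10.1.1.10", dst)
        print(f"icmp 10.1.1.10 -> {dst}: {action} (ACE {n})")
```

Feed it the inacl pairs from a RADIUS debug or packet capture of the Access-Accept and the source/destination of the ping that unexpectedly succeeds. If the first entry has the shape permit ip host <addr> any, traffic from that host to every subnet matches entry 1 and is permitted before the deny is ever reached, which the evaluator makes visible; if the evaluator says deny but the ping still works, the list is not being applied to the session at all and the NAS side (sysopt, the ACS/NAS version pairing) is where to look.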

Anonymous (not verified) Wed, 04/15/2009 - 05:08

The Downloadable IP Access Control List (ACL) feature found in Cisco Secure Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may allow an unauthorized user to gain network access through a Remote Access Server or Network Access Server (RAS/NAS).

This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version 6.3(5), PIX/ASA 7.0(2), Cisco IOS® Software Version 12.3(8)T4 and VPN 3000 versions 4.0.5.B and 4.1.5.B. If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected.

pverstegen Fri, 04/17/2009 - 00:15


I don't understand your reaction as I'm currently running PIX605E 6.3(5) and ACS 4.1(1) Build 23 Patch 5.

Can you please explain?

Regards, Peter

