Problem with Downloadable ACLs on ACS 4.1(1) for Windows

pverstegen
Level 1

I'm currently able to logon to my internal network 192.168.4.0/24 but not able to get my incoming ACS downloadable ACL working. Combination:

PIX605E 6.3(5) - ACS 4.1(1) Build 23 Patch 5.

This is my list:

permit ip host 192.168.4.200 any (where any can be 192.168.5.1 - 10)

deny ip any any

I'm still able to ping other machines in subnet 4 from source address 192.168.5.1

I've already checked this link:

http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&type=Subscriptions&loc=.2cd2949c/4&forum=Security&topic=Firewalling

but in my config there is no statement:

sysopt ipsec pl-compatible

The only system option that I use is:

sysopt connection permit-ipsec

Does anyone have an idea?

Regards, Peter
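As an added example that is not part of the thread: a small Python evaluator that applies standard Cisco ACL semantics (first matching entry wins, implicit deny at the end) to the two entries posted above and checks them against the flows the post describes. It assumes the list is applied to those flows exactly as written and that a two-token address uses a PIX-style subnet mask rather than an IOS wildcard; the sample flows are constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The two entries from the post, constructed here as a text block for the evaluator.
POSTED_ACL = """
permit ip host 192.168.4.200 any
deny ip any any
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_prefix(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M' starting at tokens[i].
    Assumption: a two-token address carries a subnet mask (PIX style), not a wildcard."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network((tok, tokens[i + 1]), strict=False), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse entries of the form '<permit|deny> <proto> <src> <dst>', one per line."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line!r}")
        src, i = _parse_prefix(tokens, 2)
        dst, _ = _parse_prefix(tokens, i)
        entries.append(AclEntry(tokens[0], tokens[1], src, dst))
    return entries


def evaluate(acl: List[AclEntry], protocol: str, src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for one flow: the first matching entry wins, and a
    flow that matches nothing hits the implicit deny at the end of every Cisco ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in acl:
        if e.protocol not in ("ip", protocol):
            continue
        if s in e.src and d in e.dst:
            return e.action
    return "deny"


def posted_acl_results() -> dict:
    """Evaluate the flows described in the post against the posted list (constructed flows)."""
    acl = parse_acl(POSTED_ACL)
    return {
        # the ping the poster still sees working: sourced from 192.168.5.1 into subnet 4
        "5.1 -> 4.10 icmp": evaluate(acl, "icmp", "192.168.5.1", "192.168.4.10"),
        # the only source address the first entry can ever match
        "4.200 -> 5.1 icmp": evaluate(acl, "icmp", "192.168.4.200", "192.168.5.1"),
        # any other host in subnet 4 falls through to 'deny ip any any'
        "4.10 -> 5.1 icmp": evaluate(acl, "icmp", "192.168.4.10", "192.168.5.1"),
    }


if __name__ == "__main__":
    for flow, verdict in posted_acl_results().items():
        print(f"{flow:20} {verdict}")
```

Run as written, it shows that the first entry only matches packets whose source address is 192.168.4.200, so a ping sourced from 192.168.5.1 into subnet 4 falls through to `deny ip any any`. If that ping succeeds on the live network, the downloaded list is not being enforced on that flow, which is the symptom the post reports; checking the list this way separates "the ACL says permit" from "the ACL is not applied".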

2 Replies

Not applicable

The Downloadable IP Access Control List (ACL) feature found in Cisco Secure Access Control Server (CS ACS) for Windows versions 3.0 through 3.3.3 may allow an unauthorized user to gain network access through a Remote Access Server or Network Access Server (RAS/NAS).

This issue has been resolved in CS ACS Version 4.0.1 as well as PIX version 6.3(5), PIX/ASA 7.0(2), Cisco IOS® Software Version 12.3(8)T4 and VPN 3000 versions 4.0.5.B and 4.1.5.B If the ACS server is upgraded to software version 4.0.1 or later before the RAS/NAS devices are upgraded, all Downloadable IP ACL requests will be declined. However, no harm will result to Downloadable IP ACL functionality if the RAS/NAS devices are upgraded to the new software before the ACS server software is upgraded. In either case, normal RADIUS user authentication will not be affected.

Hi,

I don't understand your reaction as I'm currently running PIX605E 6.3(5) and ACS 4.1(1) Build 23 Patch 5.

Can you please explain?

Regards, Peter
