Cisco Support Community

New Member

ACL-list syntax error in PIX after upgrade, need urgent help!

Hello everyone

We have a setup including Cisco ACS + a VPN 3005 Concentrator and a PIX 515E (7.2.4)

We upgraded the PIX version from 7.0 to 7.2.4 and suddenly our downloadable access-list was getting refused when users authenticated against the ACS.

When debugging RADIUS in the PIX we found that entering this line in the downloadable access-list gives an error and stops the users from getting the ACL.

"deny ip any 192.168.0.0 0.0.255.255"

PIX refused to process their auth request when encountering this line.

Fine we said, we changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0

This made the PIX process the ACL.

We were happy for awhile until VPN users started to complain.

It seems that the VPN 3005 can't deal with the syntax we entered in the PIX!

The VPN 3005 doesn't seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0" !

It can only handle "deny ip any 192.168.0.0 0.0.255.255" !

Which the PIX can't handle..

I'm at a loss at what to do here..

We've got VPN users who can't surf now with these ACL problems.

What can I do? Anyone else encountered this?

We upgraded the VPN 3005 to the latest SW version

Really need some help here guys!

Thanks

Accepted Solutions

Re: ACL-list syntax error in PIX after upgrade, need urgent help

I don't think Cisco ever changed anything on the PIX. It uses subnet masks from day one AFAIK and VPN Conc uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to fix this issue. This way you define a wildcard ACL on the ACS/AAA server and then use this command on the ASA to use the same downloadable ACL for both devices (PIX, VPNC).

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a2.html#wp1622944

Please Rate if helpful.

Regards

Farrukh
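
The root of the problem in this thread is that the same dotted-quad can be read two ways: 0.0.255.255 is a wildcard mask (IOS / VPN Concentrator style), 255.255.0.0 is a subnet mask (PIX / ASA style), and the PIX rejects a downloadable ACE whose mask is not a valid subnet mask. The script below is an added illustration, not Cisco code and not a model of the ASA implementation; it shows how a downloadable ACE can be checked and rewritten into subnet-mask form before it is pushed from the AAA server, and why an auto-detecting converter has two masks it cannot decide on (0.0.0.0 and 255.255.255.255 are valid in both styles). The three modes are my reading of the acl-netmask-convert keywords (auto-detect, standard, wildcard) from the command reference linked above; the function names and the sample ACEs are mine.

```python
"""Normalise the masks in a RADIUS downloadable ACL entry to subnet-mask form.

Added illustration for the thread above (not Cisco code). The three modes are
my reading of the acl-netmask-convert keywords; verify against the command
reference before relying on them.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _low_ones(x: int) -> bool:
    """True when x is 0b0...01...1: a run of 1-bits at the low end (possibly empty or full)."""
    return (x & (x + 1)) == 0


def classify_mask(mask: str) -> str:
    """Return 'netmask', 'wildcard' or 'ambiguous' for a dotted-quad mask.

    A subnet mask is a contiguous run of 1-bits from the high end
    (255.255.0.0); a wildcard mask is a contiguous run of 1-bits from the
    low end (0.0.255.255). 0.0.0.0 and 255.255.255.255 satisfy both
    definitions, so an auto-detecting converter cannot tell them apart.
    A non-contiguous value such as 255.0.255.0 is neither and raises.
    """
    v = int(ipaddress.IPv4Address(mask))
    is_wildcard = _low_ones(v)
    is_netmask = _low_ones(~v & ALL_ONES)
    if is_wildcard and is_netmask:
        return "ambiguous"
    if is_netmask:
        return "netmask"
    if is_wildcard:
        return "wildcard"
    raise ValueError(f"{mask} is neither a subnet mask nor a wildcard mask")


def wildcard_to_netmask(mask: str) -> str:
    """Invert a wildcard mask: 0.0.255.255 -> 255.255.0.0."""
    return str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & ALL_ONES))


def _convert(mask: str, mode: str, notes: list) -> str:
    """Apply one conversion mode to a single mask, recording anything undecidable."""
    if mode == "standard":          # caller promises masks are already subnet masks
        return mask
    if mode == "wildcard":          # caller promises every mask is a wildcard
        return wildcard_to_netmask(mask)
    if mode != "auto-detect":
        raise ValueError(f"unknown mode {mode!r}")
    kind = classify_mask(mask)      # raises on a non-contiguous mask
    if kind == "wildcard":
        return wildcard_to_netmask(mask)
    if kind == "ambiguous":
        notes.append(f"{mask} is valid as both mask styles; left unchanged")
    return mask


def normalize_ace(ace: str, mode: str = "auto-detect"):
    """Rewrite one ACE ('<action> <proto> <src> <dst> [rest]') so every
    network mask is a subnet mask. 'any' and 'host X' carry no mask and are
    passed through, as is anything after the destination (e.g. 'eq 80').
    Returns (rewritten_ace, notes)."""
    tokens = ace.split()
    if len(tokens) < 4:
        raise ValueError("expected '<action> <protocol> <src> <dst> ...'")
    out, notes = tokens[:2], []
    i = 2
    for _ in range(2):              # source spec, then destination spec
        if tokens[i] == "any":
            out.append("any")
            i += 1
        elif tokens[i] == "host":
            out.extend(tokens[i:i + 2])
            i += 2
        else:
            addr, mask = tokens[i], tokens[i + 1]
            out.extend([addr, _convert(mask, mode, notes)])
            i += 2
    out.extend(tokens[i:])
    return " ".join(out), notes


if __name__ == "__main__":
    # Constructed sample ACEs; the first is the one from the thread.
    for entry in ["deny ip any 192.168.0.0 0.0.255.255",
                  "permit tcp 10.1.1.0 0.0.0.255 host 10.2.2.2 eq 80",
                  "permit ip 10.0.0.0 0.0.0.0 any"]:
        rewritten, notes = normalize_ace(entry)
        print(rewritten, notes)
```

Running it turns the thread's entry into `deny ip any 192.168.0.0 255.255.0.0`, which is the form the PIX accepted. The practical point of the `ambiguous` case is that a downloadable ACL fed through auto-detection should avoid 0.0.0.0 and 255.255.255.255 as explicit masks and use `any` and `host` instead, so that the two enforcement points (PIX and Concentrator) cannot end up with different interpretations of the same line.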

3 REPLIES
New Member

Re: ACL-list syntax error in PIX after upgrade, need urgent help

Well, Cisco changed the support for wildcard mask in the 7.0.4 release it seems, switching them into subnet mask instead..

Downgrading to 6.3 and then upgrading to 7.0.1 once again..

damn!

New Member

Re: ACL-list syntax error in PIX after upgrade, need urgent help

Thank you Farrukh

I wonder why the PIX removed this when I did the 7.0.1->7.2.4 software upgrade?

Now I don't have to downgrade and re-upgrade again :)

Thanks!
