01-31-2010 03:10 AM - edited 03-10-2019 04:55 PM
Hi
On ACS v4.2, how can I restrict a user from accessing resources on a network?
The user is created locally in the ACS database.
Condition : Allow user "Y" to access only SAP Server - 192.168.1.25 (all ports)
Condition : Allow user "Y" to access IntraPort Server - 192.168.1.22 ( port 80 only )
Please help with the steps.
01-31-2010 06:10 AM
Using a downloadable ACL and a device that supports it.
Examples of Cisco devices that support downloadable IP ACLs are PIX firewalls and VPN 3000-series concentrators.
You can create downloadable IP ACLs on the Downloadable IP ACLs page in the Shared Profile Components section.
Regards.
Andrea
02-01-2010 12:49 AM
Thank you Andrea
I did a downloadable ACL but it doesn't work; I am worried about the syntax.
Test #1, not working:
permit ip host x.x.x.x any
deny ip any any
Test #2, not working:
permit ip host x.x.x.x 255.255.255.255 any
02-01-2010 01:44 AM
Is there a per-user option in the device configuration?
hostname(config)#access-group access_list_name {in | out} interface interface_name
[per-user-override]
Please verify!
You can find an example here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml
From the ACS 4.2 online documentation:
Examples of Cisco devices that support downloadable IP ACLs are:
• PIX Firewalls
• VPN 3000-series concentrators, ASA and PIX devices
• Cisco devices running IOS version 12.3(8)T or greater
Example 1 shows the format that you should use to enter PIX Firewall ACLs in the ACL Definitions box.
Example 1
permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253
Example 2 shows the format that you should use to enter VPN 3000/ASA/PIX 7.x+ ACLs in the ACL Definitions box.
Example 2
permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1
permit ip 10.154.0.0 0.0.255.255 10.158.10.0 0.0.0.255
permit 0 any host 10.159.1.22
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
permit TCP any host 10.160.0.2 eq 23 log
permit TCP any host 10.160.0.3 range 20 30
permit 6 any host HOSTNAME1
permit UDP any host HOSTNAME2 neq 53
deny 17 any host HOSTNAME3 lt 137 log
deny 17 any host HOSTNAME4 gt 138
deny ICMP any 10.161.0.0 0.0.255.255 log
permit TCP any host HOSTNAME5 neq 80
For detailed ACL definition information, see the command reference section of your device configuration guide.
Regards.
Andrea
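As an added example (not code from the thread, from Cisco, or from ACS), a small Python evaluator for the downloadable ACL syntax shown in Example 2 ("any", "host", wildcard masks, eq/neq/lt/gt/range port operators, trailing "log"), used to check that an ACL for user "Y" permits exactly the two conditions in the question (192.168.1.25 on all ports, 192.168.1.22 on TCP port 80) and denies everything else before it is pushed from ACS. The ACL text in USER_Y_ACL is constructed for this example; symbolic hostnames such as HOSTNAME1 are not resolved.

```python
import ipaddress
# Constructed downloadable ACL for user "Y" (VPN 3000/ASA/PIX 7.x+ syntax), not from the thread.
USER_Y_ACL = """permit ip any host 192.168.1.25
permit tcp any host 192.168.1.22 eq 80
deny ip any any"""
PROTO_NUMBERS = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}

def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, mask)."""
    tok = tokens.pop(0).lower()
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tok))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))  # wildcard 0-bit = must match
    return addr & mask, mask

def _parse_ports(tokens):
    """Consume an optional port operator (eq/neq/lt/gt/range) into a predicate."""
    if not tokens:
        return lambda port: True
    op = tokens.pop(0).lower()
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return lambda port: lo <= port <= hi
    n = int(tokens.pop(0))
    return {"eq": lambda port: port == n, "neq": lambda port: port != n,
            "lt": lambda port: port < n, "gt": lambda port: port > n}[op]

def parse_acl(text):
    """Parse ACL lines into (action, proto, src, dst, port_predicate) entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0].lower(), tokens[1].lower(), tokens[2:]
        if rest and rest[-1].lower() == "log":
            rest.pop()  # "log" only affects logging, not matching
        proto_num = PROTO_NUMBERS[proto] if proto in PROTO_NUMBERS else int(proto)
        src, dst = _parse_addr(rest), _parse_addr(rest)
        entries.append((action, proto_num, src, dst, _parse_ports(rest)))
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dst_port=0):
    """First-match evaluation of one flow; anything unmatched hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, p, (snet, smask), (dnet, dmask), port_ok in entries:
        if p in (0, PROTO_NUMBERS[proto]) and (s & smask) == snet and (d & dmask) == dnet and port_ok(dst_port):
            return action
    return "deny"
```

Running evaluate over the flows you expect to allow and a few you expect to block is a quick way to tell a syntax problem in the ACL definition from a device-side problem such as a missing per-user-override.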