Server Access Restriction

saquib.tandel
Level 1

Hi

On ACS v4.2, how can I restrict a user from accessing resources on a network?

The user is locally created in the ACS database.

Condition : Allow user "Y" to access only SAP Server - 192.168.1.25  (all ports)

Condition : Allow user "Y" to access IntraPort Server - 192.168.1.22 ( port 80 only )

Please help with the steps.

3 Replies

andrea.meconi
Level 2

Using a downloadable ACL and a device that supports it.

Examples of Cisco devices that support downloadable IP ACLs are PIX firewalls and VPN 3000-series concentrators.

You can create downloadable IP ACLs on the Downloadable IP ACLs page in the Shared Profile Components section.

Regards.

Andrea

Thank you Andrea

I did a downloadable ACL, but it doesn't work; I'm worried about the syntax.

Test#1 not working

permit ip host x.x.x.x any

deny ip any any

Test#2 not working

permit ip host x.x.x.x 255.255.255.255 any

Is there a per-user option in the device configuration?

hostname(config)#access-group access_list_name {in | out} interface interface_name [per-user-override]

Please, verify!

Here, http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml, you can find an example.

From ACS 4.2 online documentation...

Examples of Cisco devices that support downloadable IP ACLs are:

• PIX Firewalls
• VPN 3000-series concentrators, ASA and PIX devices
• Cisco devices running IOS version 12.3(8)T or greater

Example 1 shows the format that you should use to enter PIX Firewall ACLs in the ACL Definitions box.

Example 1

permit tcp any host 10.0.0.254
permit udp any host 10.0.0.254
permit icmp any host 10.0.0.254
permit tcp any host 10.0.0.253

Example 2 shows the format that you should use to enter VPN 3000/ASA/PIX 7.x+ ACLs in the ACL Definitions box.

Example 2

permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1
permit ip 10.154.0.0 0.0.255.255 10.158.10.0 0.0.0.255
permit 0 any host 10.159.1.22
deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
permit TCP any host 10.160.0.1 eq 80 log
permit TCP any host 10.160.0.2 eq 23 log
permit TCP any host 10.160.0.3 range 20 30
permit 6 any host HOSTNAME1
permit UDP any host HOSTNAME2 neq 53
deny 17 any host HOSTNAME3 lt 137 log
deny 17 any host HOSTNAME4 gt 138
deny ICMP any 10.161.0.0 0.0.255.255 log
permit TCP any host HOSTNAME5 neq 80

For detailed ACL definition information, see the command reference section of your device configuration guide.

Regards.

Andrea
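Added example, not from the thread and not Cisco's code: a small first-match evaluator for the ACE syntax shown in Example 2 above (literal addresses only, no hostnames), with a constructed downloadable ACL expressing the two conditions from the question for user "Y". It assumes the semantics every Cisco ACL shares: entries are checked top to bottom, the first match wins, and an ACL ends with an implicit deny. Because a downloadable ACL is applied to the user's own session, the user's address is the source and the servers belong in the destination field, which is the shape Example 2 uses. The `evaluate` and `validate` functions and the `USER_Y_DACL` list are this example's own names; the client address 10.10.10.10 is a constructed value.

```python
import ipaddress

# Protocol keywords from Example 2; None means "any IP protocol"
PROTO_NUMBERS = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}

# Destination port operators from Example 2 (eq/neq/lt/gt N, range A B)
PORT_OPS = {
    "eq": lambda p, a, b: p == a,
    "neq": lambda p, a, b: p != a,
    "lt": lambda p, a, b: p < a,
    "gt": lambda p, a, b: p > a,
    "range": lambda p, a, b: a <= p <= b,
}


def _parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (masked_network, care_bits)."""
    word = tokens.pop(0).lower()
    if word == "any":
        return 0, 0
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(word))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = 0xFFFFFFFF ^ wildcard  # a 1 bit in a wildcard mask means "don't care"
    return addr & care, care


def parse_ace(line):
    """Parse one ACE in the Example 2 syntax into a dict (raises ValueError/IndexError on bad input)."""
    tokens = line.split()
    action = tokens.pop(0).lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in {line!r}")
    proto = tokens.pop(0).lower()
    if proto in PROTO_NUMBERS:
        proto_num = PROTO_NUMBERS[proto]
    else:
        proto_num = int(proto) or None  # numeric protocol; 0 means any, as in 'permit 0 ...'
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    port = None
    if tokens and tokens[0].lower() in PORT_OPS:
        op = tokens.pop(0).lower()
        first = int(tokens.pop(0))
        second = int(tokens.pop(0)) if op == "range" else None
        port = (op, first, second)
    log = False
    if tokens and tokens[0].lower() == "log":
        tokens.pop(0)
        log = True
    if tokens:
        raise ValueError(f"unexpected trailing tokens in {line!r}: {tokens}")
    return {"action": action, "proto": proto_num, "src": src, "dst": dst,
            "port": port, "log": log}


def validate(acl_lines):
    """Return (line, error) pairs for entries this parser cannot accept; [] means all parsed."""
    errors = []
    for line in acl_lines:
        try:
            parse_ace(line)
        except (ValueError, IndexError) as exc:
            errors.append((line, str(exc)))
    return errors


def evaluate(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation of one flow; returns (action, matching line or None)."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] is not None and ace["proto"] != proto:
            continue
        if (s & ace["src"][1]) != ace["src"][0] or (d & ace["dst"][1]) != ace["dst"][0]:
            continue
        if ace["port"] is not None:
            op, first, second = ace["port"]
            if dport is None or not PORT_OPS[op](dport, first, second):
                continue
        return ace["action"], line
    return "deny", None  # implicit deny: nothing matched


# Constructed dACL for user "Y": the session address is the source, so the two
# servers from the question go in the destination field, as in Example 2.
USER_Y_DACL = [
    "permit ip any host 192.168.1.25",         # SAP server, every port and protocol
    "permit tcp any host 192.168.1.22 eq 80",  # IntraPort server, HTTP only
    "deny ip any any log",                     # make the implicit deny explicit and logged
]

if __name__ == "__main__":
    client = "10.10.10.10"  # constructed session address for user Y
    print(evaluate(USER_Y_DACL, 6, client, "192.168.1.25", 3200))
    print(evaluate(USER_Y_DACL, 6, client, "192.168.1.22", 80))
    print(evaluate(USER_Y_DACL, 6, client, "192.168.1.22", 22))
    # The second test ACL from the thread mixes 'host' with a mask; the parser rejects it
    print(validate(["permit ip host 192.168.1.25 255.255.255.255 any"]))
```

Running the script shows the SAP flow and the HTTP flow matching their permit entries, SSH to the IntraPort server falling through to the final deny, and the `host A 255.255.255.255` form being rejected because `host` already takes exactly one address and no mask. Checking a candidate ACL this way before pasting it into the ACL Definitions box catches the ordering and direction mistakes that otherwise only show up as an unexplained deny on the device.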