Cisco Support Community

Cisco ACS 3.3 and remote client address problem

I have created a test network which includes a remote access client authenticating against a Cisco ACS server (version 3.3). What I am trying to achieve is to configure the user account to get its IP address assigned from an IP address pool located on the AAA client (see attached file).

I have configured the AAA client (PIX 515, IOS 7.0) like this:

access-list 101 permit ip 192.168.5.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool MYPOOL 10.0.20.1-10.0.20.100 mask 255.255.255.0
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.168.5.2
 timeout 5
 key secretkey
aaa authentication include tcp/0 outside 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set crypto1 esp-3des esp-md5-hmac
crypto dynamic-map dynomap 20 set transform-set crypto1
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
group-policy training internal
group-policy training attributes
 default-domain value acme.com
 dns-server value 192.168.5.2
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 default-group-policy training
 authentication-server-group MYTACACS
tunnel-group training ipsec-attributes
 pre-shared-key training

The remote access client can connect to the PIX, which asks for a username/password. When I supply it, it states the security policies are being negotiated and then the connection is dropped.

If I set up the PIX like this, without stating an address pool during the user account setup, it works fine:

access-list 101 permit ip 192.168.5.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool MYPOOL 10.0.20.1-10.0.20.100 mask 255.255.255.0
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.168.5.2
 timeout 5
 key secretkey
aaa authentication include tcp/0 outside 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set crypto1 esp-3des esp-md5-hmac
crypto dynamic-map dynomap 20 set transform-set crypto1
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
group-policy training internal
group-policy training attributes
 default-domain value acme.com
 dns-server value 192.168.5.2
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 default-group-policy training
 authentication-server-group MYTACACS
 address-pool MYPOOL
tunnel-group training ipsec-attributes
 pre-shared-key training

Can anybody see anything wrong with the configuration at the top, as I have no idea why it does not work?

Regards,

Melvyn Brown
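The two configurations in the post differ by a single line, and a reader working through a thread like this usually wants to confirm that before looking anywhere else. The script below is an added example, not code from the original post and not Cisco's: it parses both PIX configurations the way one would diff two `show running-config` captures (grouping sub-mode lines under the command that opened them), reports every line present on only one side, and flags tunnel-group references (`address-pool`, `authentication-server-group`) that nothing in the config defines. The configs are embedded as posted; the one-space indentation of sub-mode lines is an assumption of the transcription, since the forum shows them flat.

```python
"""Parse two PIX 7.0 configs, isolate the lines that differ, and flag dangling
tunnel-group references. Added example: not code from the original post or from
Cisco. Configs are Melvyn's, transcribed with sub-mode lines indented one space."""
import re

# First configuration from the post: no address-pool on the tunnel-group.
CONFIG_WITHOUT_POOL = """\
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list 101
ip local pool MYPOOL 10.0.20.1-10.0.20.100 mask 255.255.255.0
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 192.168.5.2
 timeout 5
 key secretkey
aaa authentication include tcp/0 outside 0 0 0 0 MYTACACS
sysopt connection permit-ipsec
crypto ipsec transform-set crypto1 esp-3des esp-md5-hmac
crypto dynamic-map dynomap 20 set transform-set crypto1
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
group-policy training internal
group-policy training attributes
 default-domain value acme.com
 dns-server value 192.168.5.2
tunnel-group training type ipsec-ra
tunnel-group training general-attributes
 default-group-policy training
 authentication-server-group MYTACACS
tunnel-group training ipsec-attributes
 pre-shared-key training
"""

# Second (working) configuration from the post: identical apart from the address-pool line.
CONFIG_WITH_POOL = CONFIG_WITHOUT_POOL.replace(
    " authentication-server-group MYTACACS\n",
    " authentication-server-group MYTACACS\n address-pool MYPOOL\n",
)


def parse_pix_config(text):
    """Map each top-level command to the list of indented sub-mode lines beneath it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:  # top-level command (an indented line with no parent is treated as one)
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def diff_configs(a, b):
    """(section, side, line) for each line on only one side; a section absent on one side shows as '<section>'."""
    out = []
    for sec in sorted(set(a) | set(b)):
        la = set(a[sec]) | {"<section>"} if sec in a else set()
        lb = set(b[sec]) | {"<section>"} if sec in b else set()
        out += [(sec, "a", line) for line in sorted(la - lb)]
        out += [(sec, "b", line) for line in sorted(lb - la)]
    return out


def _defined(cfg, pattern):
    """Names captured by group 1 of `pattern` across the top-level commands."""
    return {m.group(1) for k in cfg for m in [re.match(pattern, k)] if m}


def check_tunnel_groups(cfg):
    """Dangling pool/AAA references per tunnel-group, and tunnel-groups that name no pool at all."""
    pools = _defined(cfg, r"ip local pool (\S+)")
    aaa_groups = _defined(cfg, r"aaa-server (\S+) protocol")
    findings = []
    for key, lines in cfg.items():
        m = re.match(r"tunnel-group (\S+) general-attributes", key)
        if not m:
            continue
        tg = m.group(1)
        pool_refs = [p for l in lines if l.startswith("address-pool ") for p in l.split()[1:]]
        if not pool_refs:  # the client address must then come from elsewhere, e.g. the AAA server
            findings.append(f"tunnel-group {tg}: no address-pool on the PIX")
        findings += [f"tunnel-group {tg}: address-pool {p} is not defined" for p in pool_refs if p not in pools]
        findings += [f"tunnel-group {tg}: aaa group {l.split()[1]} is not defined"
                     for l in lines if l.startswith("authentication-server-group ") and l.split()[1] not in aaa_groups]
    return findings


if __name__ == "__main__":
    first, second = parse_pix_config(CONFIG_WITHOUT_POOL), parse_pix_config(CONFIG_WITH_POOL)
    print("differences (section, side, line):", diff_configs(first, second))
    print("findings for the first config:", check_tunnel_groups(first))
```

Run as a script it reports exactly one difference, `address-pool MYPOOL` under `tunnel-group training general-attributes`, and one finding for the first config: that tunnel-group names no pool on the PIX, which is precisely the case where the address has to be supplied by the AAA server. The same parser works on any config whose sub-mode lines are indented, so it can be pointed at a real `show running-config` capture.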
