Cisco Support Community
New Member

Downloadable PIX ACL

Dear All:

I have ACS 3.0 for VPN Client 3.5 authentication and authorization. I can authenticate successfully, but I can't get authorization to work for the VPN client when I set a "Downloadable PIX ACL". Below is my definition:

permit tcp any host 192.168.53.201 eq 23
permit tcp any host 192.168.53.201 eq 80

I would like to know whether this config is correct, or whether there is another way to restrict the VPN client to only ports 23 and 80 on the 192.168.53.201 server.

[PIX-Config]

! address pool handed out to VPN clients (spans 10.10.10.0 - 10.10.11.254)
ip local pool ippool 10.10.10.1-10.10.11.254
! nat 0: exempt inside -> VPN pool traffic from NAT; note ACL 100 only
! covers 10.10.10.0/24, while the pool also assigns 10.10.11.x addresses
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list 100
! TACACS+ server group (the ACS box) used for VPN client xauth
aaa-server authme protocol tacacs+
aaa-server authme (inside) host 192.168.53.100 cisco1234 timeout 10
! permit-ipsec lets decrypted IPsec traffic bypass the outside interface ACL,
! so a per-user ACL is the only thing limiting what VPN clients can reach
sysopt connection permit-ipsec
no sysopt route dnat
! phase 2: DES encryption with MD5 HMAC (both considered weak today)
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
! xauth: authenticate clients against the authme server group
crypto map mymap client authentication authme
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local ippool outside
! phase 1: pre-shared key, DES, MD5, DH group 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 33600
! mode-config parameters pushed to clients in group "vpn3000"
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server 192.168.50.100
vpngroup vpn3000 wins-server 192.168.50.200
vpngroup vpn3000 default-domain abcd.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

Please advise.

1 REPLY
Cisco Employee

Re: Downloadable PIX ACL

There's a current bug (CSCdx47975) where downloadable ACLs do not work for VPN users, only for users doing pass-through authentication. The workaround is to define the ACL on the PIX, then just pass down the ACL number (rather than the whole ACL), and that ACL will be assigned to that user.

There's a sample config here:

http://www.cisco.com/warp/public/110/pixcryaaa52.shtml

Basically do the following:

access-list 150 permit tcp any host 192.168.53.201 eq 23
access-list 150 permit tcp any host 192.168.53.201 eq 80

on the PIX, then on the ACS server just send down the ACL number 150 and that will be applied to the VPN user.
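Because the poster's config has `sysopt connection permit-ipsec`, decrypted VPN traffic skips the outside interface ACL, so the per-user ACL is the only thing standing between a VPN client and the inside network. It is worth confirming, before relying on it, that ACL 150 as written really allows nothing but tcp/23 and tcp/80 to 192.168.53.201. The script below is an added example, not code from the original thread or from Cisco: it parses the subset of PIX access-list syntax used on this page (permit/deny, ip/tcp/udp, any / host A / A MASK, eq PORT), in both the on-box form from the reply and the bare form typed into the ACS downloadable-ACL box, and evaluates constructed sample flows from the VPN pool with PIX semantics (first match wins, implicit deny at the end). It does not simulate the ACS-to-PIX handoff or the bug itself; the sample flows and all function names are assumptions for illustration.

```python
"""Check what a PIX per-user ACL actually lets a VPN client reach.

Added example, not from the original post or from Cisco. It parses the
subset of PIX access-list syntax used in this thread and evaluates sample
flows with PIX semantics: first matching entry wins, and anything that
matches no entry is dropped by the implicit deny at the end of the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ACL as defined on the PIX in the reply (on-box form)
ACL_150 = """
access-list 150 permit tcp any host 192.168.53.201 eq 23
access-list 150 permit tcp any host 192.168.53.201 eq 80
"""

# The same entries as the poster typed them into the ACS downloadable-ACL box
ACS_DEFINITION = """
permit tcp any host 192.168.53.201 eq 23
permit tcp any host 192.168.53.201 eq 80
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None when no "eq PORT" is given


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: any | host A | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # PIX access-lists take a real subnet mask, not an IOS wildcard mask
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text: str, acl_id: Optional[int] = None) -> List[Ace]:
    """Parse ACEs in on-box form ("access-list 150 permit ...") or in the
    bare form used in ACS ("permit ..."). With acl_id set, on-box lines
    belonging to other ACLs are skipped."""
    aces = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            if acl_id is not None and t[1] != str(acl_id):
                continue
            t = t[2:]
        if len(t) < 4 or t[0] not in ("permit", "deny"):
            continue
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        dst, i = _parse_addr(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def permitted(aces: List[Ace], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> bool:
    """First-match evaluation; no match means implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


# Constructed sample flows from the VPN pool (10.10.10.1-10.10.11.254)
SAMPLE_FLOWS = [
    ("tcp", "10.10.10.5", "192.168.53.201", 23),     # telnet: should pass
    ("tcp", "10.10.11.200", "192.168.53.201", 80),   # http: should pass
    ("tcp", "10.10.10.5", "192.168.53.201", 22),     # ssh: implicit deny
    ("udp", "10.10.10.5", "192.168.53.201", 80),     # wrong protocol: deny
    ("tcp", "10.10.10.5", "192.168.53.100", 80),     # the ACS itself: deny
    ("icmp", "10.10.10.5", "192.168.53.201", None),  # ping: deny
]


def audit(aces: List[Ace], flows=SAMPLE_FLOWS):
    """Return [(flow, permitted?)] for each sample flow."""
    return [(f, permitted(aces, *f)) for f in flows]


if __name__ == "__main__":
    for flow, ok in audit(parse_acl(ACL_150, 150)):
        print("permit" if ok else "deny  ", *flow)
```

Run it as-is to see the verdict per flow; swap in your own ACL text and flows to check a different per-user policy. Only the four address forms and `eq` port matches that appear in this thread are handled, so extend `_parse_addr` and `permitted` before trusting it on a richer ACL.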
