
New Member

Downloadable PIX ACL

Dear All:

I have ACS 3.0 for VPN Client 3.5 authentication and authorization. I can authenticate successfully, but I couldn't authorize the VPN client. When I set up a "downloadable PIX ACL", my definition is as below:

permit tcp any host eq 23
permit tcp any host eq 80

I would like to know whether this config is correct, or whether there is another way to restrict the VPDN client to accessing only ports 23 and 80 on the server.


ip local pool ippool
access-list 100 permit ip
nat (inside) 0 access-list 100
aaa-server authme protocol tacacs+
aaa-server authme (inside) host cisco1234 timeout 10
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication authme
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local ippool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 33600
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 dns-server
vpngroup vpn3000 wins-server
vpngroup vpn3000 default-domain
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********

Please advise.

Cisco Employee

Re: Downloadable PIX ACL

There's a current bug (CSCdx47975) where downloadable ACLs do not work for VPN users, only for users doing pass-through authentication. The workaround is to define the ACL on the PIX, then just pass down the ACL number (rather than the whole ACL) and that ACL will be assigned to that user.

There's a sample config here:

Basically do the following:

access-list 150 permit tcp any host eq 23
access-list 150 permit tcp any host eq 80

on the PIX, then on the ACS server just send down the ACL number 150 and that will be applied to the VPN user.
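The workaround in the reply, written out as a PIX configuration fragment. This is an added example, not part of the original post or the Cisco reply; the server address 10.1.1.10 is an assumption standing in for the host address the poster left out, and the trailing deny line is added only to make the PIX's implicit deny visible:

```cisco
! Added example (not from the original thread): per-user ACL kept on the PIX
! for the CSCdx47975 workaround, so ACS only has to return the ACL number.
! 10.1.1.10 is an assumed address for the protected server.
! Only Telnet (23) and HTTP (80) to that single host are permitted.
access-list 150 permit tcp any host 10.1.1.10 eq 23
access-list 150 permit tcp any host 10.1.1.10 eq 80
! Redundant with the PIX's implicit deny, but it states the intent and
! gives a hit counter for traffic the VPN user tried and was refused.
access-list 150 deny ip any any
! Do not bind ACL 150 to an interface with access-group: it is assigned to the
! user's session when ACS returns ACL number 150 in the authorization reply.
!
! After a VPN client has authenticated, confirm the assignment and watch hit counts:
show uauth
show access-list
```

One caveat worth checking in the poster's own config: `sysopt connection permit-ipsec` lets decrypted IPsec traffic bypass the interface access-lists, so for VPN users the per-user ACL assigned through ACS is the only thing limiting them to ports 23 and 80. If `show uauth` shows the user without an access-list, the client is not being restricted at all.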
