Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IAS handing out access-list

i Lads,

Dont know if anyone has tried the below but here goes.

We have various remote access support staff who come in via vpn clients into our 6.3(3) firewall .They are given an ip address from the 192.168.255.0 network range. There are remote access policies in Microsoft IAS then that is pushing an access-list to the users allowing them only access to a a particular ip address. So once the condition of them being in a group in IAS is meet the polcy then pushes out an access-list in the format

of ip:access-list 120 permit tcp any host 1.1.1.1 eq 23.

This is detailed in this document

http://support.microsoft.com/kb/283829.

here is my question if anyone can answer.

1) Does the access list have to existon the firewall before hand

and

2) is the syntax above correct.

thanks in advance as I am really stumped on this .

5 REPLIES
Hall of Fame Super Blue

Re: IAS handing out access-list

Hi

I haven't done this with IAS but i have done it with Cisco Secure ACS. Based on that

1) No the access-list does not have to be on the firewall first.

What you will need to do if you are downloading ip access-lists to the firewall is add the per-user-override statement to the access-group command on your pix eg.

access-list acl_inbound in interface outside per-user-override

2) Not sure what you mean about syntax. Your access-list says all any host to telnet to host 1.1.1.1.

Is this what you intended ?

HTH

Jon

Community Member

Re: IAS handing out access-list

Thanks Jon,

1) thanks for clearing this point up.

2 ) There is an access-list on the outside interface ,where the vpn client terminates, Do I need to apply the per-user-override statement here ???

in relation to the syntax , I was wondering if the syntax needs to be different if MS is pushing to a cisco box , just a query really.

thanks again for your time Jon,

Hall of Fame Super Blue

Re: IAS handing out access-list

Hi

2) It depends. If the access-list you have already gives the right access for the VPN client then no you don't need to do anything.

If the access-list does not include the permissions for the VPN client you need to change this statement on your pix

access-group outside_in in interface outside

to

access-group outside_in in interface outside per-user-override.

If you don't then the downloaded acl will not be used.

Not sure about the syntax - looks okay to me but as i say haven't used IAS before.

HTH

Jon

Community Member

Re: IAS handing out access-list

Fair play Jon,

The access-list on the outside interface.

permit icmp any any

deny ip any any

so that needs to be modified then ,

thanks Jon

Hall of Fame Super Blue

Re: IAS handing out access-list

Hi

As i say you can either add to this access-list to allow VPN access or

leave the access-list as it is and just change the "access-group" entry as above.

Jon

161
Views
0
Helpful
5
Replies
CreatePlease to create content