Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX AAA and Steel Belted Radius problem


I have a PIX 515 running PIX IOS 6.2.1 and a Steel Belted radius server. I want to restrict acces from VPN clients (using Cisco VPN client 3.1) to the internal network. For that I configured the users in Steel Belted with a profile stating 'acl=acl-vpn'. On the PIX I created the following access-list:

access-list acl-vpn permit tcp host eq 23

I thought that the vpn-clients (using addesses in the range would only have telnet access to host but they can reach all the machines in the segment on all ports. When I do an 'sh uauth' it shows the logged on user and 'access-list acl-vpn' so the access-list is applied but not enforced.

What am I doing wrong? Is that what I want possible at all?

Thanx, Frank

Community Member

Re: PIX AAA and Steel Belted Radius problem

change acl-vpn to deny tcp eq 23, then deny tcp eq 23, then deny tcp any any, then have a client connect, then check the log and "show access-list acl-vpn" to see which line is doing the denying. you may find the addresses in your permit statement need to be reversed.

CreatePlease to create content