Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN 3005 & Dynamic Flters

I would appreciate some help with configuring dynamic filters in ACS 3.1 for use with VPN 3005. I've read the documentation, but had no success. I want to configure the filters on a per user basis. So if there is anyone out there who has been successful, I would appreciate the tips.

Cisco Employee

Re: VPN 3005 & Dynamic Flters

Not sure if you've read this or not:

Should help you out. If this is the "documentation" you mentioned that you've already read and it still doesn't work, please send us some details about the filters you defined on the 30xx, and the Radius user setup. If you can add the AUTH/AUTHDBG Event Classes at Severity to Log of 1-13 on the concentrator and then send us that info that would be great too.

New Member

Re: VPN 3005 & Dynamic Flters

I didnt't define filter on the VPN 3005. I understood that I could define the filters on the ACS 3.1, individual user accounts. Is this where I'm making my mistake? TIA for your help.

Cisco Employee

Re: VPN 3005 & Dynamic Flters

If you want to define the entire filter on the ACS server (which is more scalable), you have to be running VPN Concentrator code 4.x, it won't work in 3.x.

On ACS you can define the filters in two ways, either as a "Downloadable PIX ACL (which I think changed to just "Downloadable ACL" in ACS v3.2), or as a Cisco AV pair specifically.

Downloadable PIX ACL


In ACS < v3.1 define the VPN3000 NAS as a PIX, ACS >= v3.1 define it as a VPN3000. Under Shared Profile Components - Downloadable ACL, add a new ACL and it'll have the form:

permit ip any host

permit tcp any host eq 80

permit icmp any any

There's an implicit "deny everything" at the end of this, but this'll allow all access to and web access to and all pings, nothing else. The source is always "any", but when it gets applied it's implied that the source is the VPN client.

Assign this downloadable ACL to the user/group within ACS and you should be good to go.

Cisco AV pair


In all ACS versions define the VPN3000 NAS as an IOS router, otherwise you won't see this option.

Under the group/user setup in ACS, go to the Cisco IOS/PIX RADIUS attributes section (this appears because you've defined the NAS as an IOS router, even though it's actually a VPN3000). Check the box to return the attribute, and in the bigger box define the ACL as follows:

ip:inacl#1=permit ip any host

ip:inacl#2=permit tcp any host eq 80

ip:inacl#3=permit icmp any any

Again there's an implicit "deny all" at the end, and this'll set up the same permissions as the Downloadable ACL above.

That should be all you need. See for config details.

New Member

Re: VPN 3005 & Dynamic Flters

Sorry for intruding but I also am trying to get the dynamic filtering to work using a radius server. The problem is, it is not Cisco Secure but another vendor. I was wondering if anybody who has made this work, cut an example of what it looks like inside the Radius users file and post it. This, I am sure, would solve my problem. Thanx in advance.

CreatePlease to create content