
New Member

vpn client on pix with downloadable access-list

Hello,

I'm configuring a PIX in order to have VPN access with extended authentication (RADIUS).

The VPN access is OK for the inside LAN.

Now I would like to restrict access with an access-list sent by the RADIUS.

The RADIUS is configured with cisco-avpair.

When I connect to the VPN, the access-lists are seen on the PIX, but it seems they are not applied; only a dynamic access-list is used.

ip local pool PoolGeneve 10.10.191.1-10.10.191.21
....
crypto ipsec transform-set SetVpnCli esp-des esp-md5-hmac
crypto dynamic-map DynMap 10 set transform-set SetVpnCli
crypto map MapOutside 65200 ipsec-isakmp dynamic DynMap
crypto map MapOutside client token authentication MyRadius
crypto map MapOutside interface outside
isakmp enable outside
isakmp key ******** address 6.1.2.3 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 lifetime 86400
isakmp policy 25 authentication pre-share
isakmp policy 25 encryption 3des
isakmp policy 25 hash sha
isakmp policy 25 group 2
isakmp policy 25 lifetime 86400
vpngroup VpnClient address-pool IPPool
vpngroup VpnClient dns-server 10.x.x.101
vpngroup VpnClient wins-server 10.x.x.2
vpngroup VpnClient default-domain mytestdomain.com
vpngroup VpnClient idle-time 14400
vpngroup VpnClient password ********

Once the connection is established, the access-lists are:

..
access-list AAA-user-TestVPN; 2 elements ; access-list downloaded from RADIUS
access-list AAA-user-TestVPN line 1 permit ip host 10.9.2.1 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list AAA-user-TestVPN line 2 deny tcp any any (hitcnt=0)
access-list dynacl1129; 1 elements ; dynamic access-list automatically created
access-list dynacl1129 line 1 permit ip any host 10.10.19.13 (hitcnt=14)
...

Something wrong?

Thanks for your help
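As an added illustration that is not part of the original post: a small Python check that parses the kind of `show access-list` output quoted above and flags a RADIUS-downloaded ACL that has no hits while another ACL on the same box is matching traffic, which is the symptom described here. The sample output is constructed from the lines in the post, and the function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the "show access-list" excerpt in the post.
SAMPLE = """\
access-list AAA-user-TestVPN; 2 elements ; access-list downloaded from RADIUS
access-list AAA-user-TestVPN line 1 permit ip host 10.9.2.1 10.0.0.0 255.0.0.0 (hitcnt=0)
access-list AAA-user-TestVPN line 2 deny tcp any any (hitcnt=0)
access-list dynacl1129; 1 elements ; dynamic access-list automatically created
access-list dynacl1129 line 1 permit ip any host 10.10.19.13 (hitcnt=14)
"""

# Header line: name, element count, free-text description.
HEADER = re.compile(r"^access-list (\S+); (\d+) elements ; (.*)$")
# Entry line: name, line number, action, match clause, hit counter.
ENTRY = re.compile(r"^access-list (\S+) line (\d+) (permit|deny) (.*?) \(hitcnt=(\d+)\)$")


@dataclass
class Acl:
    name: str
    description: str
    hits: list = field(default_factory=list)  # hitcnt per line, in order

    @property
    def total_hits(self) -> int:
        return sum(self.hits)

    @property
    def downloaded(self) -> bool:
        # PIX marks per-user ACLs pushed by the AAA server with this phrase.
        return "downloaded from RADIUS" in self.description


def parse_access_lists(text: str) -> dict:
    """Group header and entry lines by ACL name."""
    acls = {}
    for line in text.splitlines():
        if m := HEADER.match(line):
            acls[m.group(1)] = Acl(m.group(1), m.group(3))
        elif m := ENTRY.match(line):
            acls.setdefault(m.group(1), Acl(m.group(1), "")).hits.append(int(m.group(5)))
    return acls


def unenforced_downloaded_acls(acls: dict) -> list:
    """Downloaded ACLs with zero hits while some ACL on the box is counting traffic."""
    traffic_seen = any(a.total_hits > 0 for a in acls.values())
    return sorted(a.name for a in acls.values()
                  if a.downloaded and a.total_hits == 0 and traffic_seen)
```

A non-empty result means the per-user ACL arrived but is not the one the VPN traffic is being evaluated against, which is worth checking before changing anything on the AAA side.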

1 REPLY
New Member

Re: vpn client on pix with downloadable access-list

I am having the same problems, as I am trying to manage user access to internal resources based on username from the ACS.

No method I have tried (downloadable ACL, AV pair, RADIUS IETF-local ACL, etc.) has worked. All traffic seems to just bypass the ACLs in lieu of the dynamically created one that allows all traffic by default.

Has anyone successfully implemented RA user management on the PIX?
