Community Member

IOS Router + VPN + ACS + Downloadable IP Acls

I want to use the Feature "Downloadable IP Acls" on a 3825 VPN-router (IOS 12.4T) in combination with an ACS.

In many documents and discussions I read that it is possible to use dACLs on "Cisco devices running IOS version 12.3(8)T or greater".

The authentication and authorization by the ACS are working, and the device receives some parameters via the av-pair feature.

I tried several things to apply the dACLs like using av-pairs or the ACS-feature "Downloadable IP ACLs", but nothing works.

In the debug log I see that the av-pair is handed to the device, but it is not used.

--> Can you tell me if it is possible to use dACLs on IOS routers?

--> How does it work? What can I change?

--> Is there a good manual to implement it?

Thanks for your help!

Martin

Accepted Solution
Cisco Employee

Re: IOS Router + VPN + ACS + Downloadable IP Acls

It would help if we know the GOAL of what you're trying to do ...

AFAIR in mode config client does not request ACLs for filtering short of split tunnel ACLs ... and I don't have means to test right now.

If you wish to allow or deny certain clients access to certain subnets, why not investigate split-tunneling ACLs and vpn-filter in combination with ACS rather than going for dACL.

9 REPLIES
Community Member

Re: IOS Router + VPN + ACS + Downloadable IP Acls

I have the same problem,  please help!!!

Community Member

Re: IOS Router + VPN + ACS + Downloadable IP Acls

I too posted a new question with exactly the same issue.

Cisco Employee

Re: IOS Router + VPN + ACS + Downloadable IP Acls

The easiest way to implement downloadable ACLs is via VPN + auth-proxy (on the router) or cut-through proxy (ASA/PIX/FWSM).

What are other requirements you might have for this setup?

Community Member

Re: IOS Router + VPN + ACS + Downloadable IP Acls

I think the auth-proxy feature is not the right thing for me, because I don't want to use a kind of browser authentication. But thanks for your suggestion. Better than nothing ;-)

I am a step further now.

I set up a test scenario with GNS and VMware on my notebook and tested the dACL feature there. After an hour of implementation, it works. There is no difference to my real configuration. The groups on the ACS servers are also identical.

In the virtualization in GNS I use a 3725, and in the real environment there is a 3825 instead. The IOS versions are the same. The 3725 works correctly: the ACLs are downloaded and are working. The 3825 downloads the ACLs, but they are not working. Perhaps they are not applied.

Are there any thoughts on a solution?

Community Member

Re: IOS Router + VPN + ACS + Downloadable IP Acls

Thanks for your help.

Your hints were very helpful. As I mentioned before, I solved the problems with av-pairs and the command "ipsec:inacl=". I think that is what you mean by split-tunneling ACLs.

Problem is solved!!!

Community Member

Re: IOS Router + VPN + ACS + Downloadable IP Acls

Hi martinwicher,

Can you give a little more info on how you solved your problem, please?

Community Member

Re: IOS Router + VPN + ACS + Downloadable IP Acls

Hello Martin,

I have exactly the same problem. Please tell me how I can solve it; I really can't find any documents about it.

Any help would be appreciated.

Cisco Employee

Re: IOS Router + VPN + ACS + Downloadable IP Acls

Amir,

What exactly is failing in your case, and where? What have you configured, and how have you been debugging so far?

ipsec:inacl is the way to download ACLs in case of IPsec.

Marcin
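The thread ends on the point that `ipsec:inacl=` is the attribute that carries an ACL to an IOS Easy VPN server, and earlier Martin notes that his 3825 "downloads the ACLs but they are not applied". The helper below is an added example, not code from the thread, from Cisco or from ACS: it pulls the Cisco AV-pair values out of `debug radius` output and sorts them into the attribute families that IOS honours in different places. The classification follows what the Cisco employee states in the thread (mode config takes ACL policy only as a split-tunnel ACL, the ACE-carrying forms belong to auth-proxy and the ASA/PIX/FWSM cut-through proxy) plus one fact about the IOS attribute: the value of `ipsec:inacl=` is the name or number of an ACL defined on the router, not ACL content. The sample debug lines, the ACL names and the `triage`, `classify` and `acl_reference_ok` helpers are constructed for the example.

```python
"""
Triage helper for Cisco AV-pairs seen in IOS `debug radius` output on an
Easy VPN server. Added example for this thread; sample debug lines, ACL
names and helper names are constructed.

Attribute families distinguished:
  ipsec:inacl=<acl>        Easy VPN mode-config split-tunnel ACL. The value
                           references an ACL configured on the router; no
                           ACEs travel in the attribute.
  ip:inacl#<n>=<ace>       ACE content, consumed by auth-proxy and by the
                           ACS downloadable-ACL exchange, not by mode config.
  ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash>
                           First half of the ACS downloadable-ACL handshake;
                           the device must fetch the ACEs in a second request.
"""
import re
from dataclasses import dataclass

# Value of a "Cisco AVpair" line as `debug radius` prints it, e.g.
#   RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=101"
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]*)"')

# Numbered IP ACL ranges IOS accepts (standard, extended, expanded ranges).
NUMBERED_ACL_RANGES = (range(1, 100), range(100, 200),
                       range(1300, 2000), range(2000, 2700))

# Constructed Access-Accept, roughly as a router would log it with `debug radius`.
SAMPLE_DEBUG = """\
RADIUS: Received from id 1645/12 10.0.0.5:1645, Access-Accept, len 170
RADIUS:  Vendor, Cisco       [26]  31
RADIUS:   Cisco AVpair       [1]   25  "ipsec:addr-pool=VPNPOOL"
RADIUS:  Vendor, Cisco       [26]  23
RADIUS:   Cisco AVpair       [1]   17  "ipsec:inacl=101"
RADIUS:  Vendor, Cisco       [26]  54
RADIUS:   Cisco AVpair       [1]   48  "ip:inacl#1=permit ip any 10.10.0.0 0.0.255.255"
RADIUS:  Vendor, Cisco       [26]  62
RADIUS:   Cisco AVpair       [1]   56  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-VPN_USERS-4c1f"
"""


@dataclass
class Finding:
    avpair: str
    family: str
    applied: bool   # will the Easy VPN server act on this attribute?
    note: str


def extract_avpairs(debug_text):
    """Return the cisco-av-pair values in `debug radius` output, in order."""
    return AVPAIR_RE.findall(debug_text)


def classify(avpair):
    """Sort one av-pair into the families described in the module docstring."""
    if avpair.startswith("ipsec:inacl="):
        return "ezvpn-acl-ref"
    if avpair.startswith("ipsec:"):
        return "ezvpn"
    if re.match(r"ip:inacl#\d+=", avpair):
        return "ace-content"
    if avpair.startswith("ACS:CiscoSecure-Defined-ACL="):
        return "acs-dacl-handshake"
    return "other"


def acl_reference_ok(ref, defined_acls):
    """True if `ref` is a valid IOS ACL number/name AND is in `defined_acls`,
    the set of ACL identifiers configured on this router."""
    if ref.isdigit():
        if not any(int(ref) in r for r in NUMBERED_ACL_RANGES):
            return False
    elif not re.fullmatch(r"[A-Za-z][\w.-]*", ref):
        return False
    return ref in defined_acls


def triage(debug_text, defined_acls):
    """Explain, per av-pair, whether the Easy VPN server will apply it."""
    findings = []
    for ap in extract_avpairs(debug_text):
        fam = classify(ap)
        if fam == "ezvpn-acl-ref":
            ref = ap.split("=", 1)[1]
            ok = acl_reference_ok(ref, defined_acls)
            note = (f"split-tunnel ACL {ref} is configured locally and will be applied" if ok
                    else f"ACL {ref} is not configured on this router; the reference applies nothing")
            findings.append(Finding(ap, fam, ok, note))
        elif fam == "ezvpn":
            findings.append(Finding(ap, fam, True, "Easy VPN group/user attribute"))
        elif fam == "ace-content":
            findings.append(Finding(ap, fam, False,
                            "ACE content for auth-proxy/dACL; mode config does not consume it"))
        elif fam == "acs-dacl-handshake":
            findings.append(Finding(ap, fam, False,
                            "ACS downloadable-ACL handshake; needs auth-proxy or ASA/PIX/FWSM to fetch the ACEs"))
        else:
            findings.append(Finding(ap, fam, False, "not an Easy VPN attribute"))
    return findings


def unapplied(findings):
    """ACL policy that reached the router but will not be enforced by Easy VPN."""
    return [f for f in findings if not f.applied and f.family != "other"]


if __name__ == "__main__":
    # Same ACS reply, two routers: one has ACL 101 defined, the other does not.
    for acls in ({"101"}, set()):
        print(f"router with ACLs {sorted(acls) or 'none'}:")
        for f in triage(SAMPLE_DEBUG, acls):
            print(f"  {f.avpair!r:60} {'applied' if f.applied else 'NOT applied'}: {f.note}")
```

Running the block against the same constructed Access-Accept with and without ACL 101 defined shows the failure mode Martin describes: the av-pair is visibly "downloaded" on both routers, but on the one without a local ACL 101 the `ipsec:inacl=` reference applies nothing, and the `ip:inacl#` and `#ACSACL#` attributes from the ACS "Downloadable IP ACLs" feature are never enforced by mode config on either. Before changing anything on the ACS side, check `show access-lists 101` (or the named ACL) on the router that misbehaves and compare it with the one that works.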
