
CCIE - Internetwork Expert's Online Community

Latest post 12-15-2008 7:44 AM by vinodhjoseph@yahoo.com. 5 replies.
  • 09-16-2008 6:45 AM

    ASA/PIX Downloadable ACL’s ACL Authorization Error

    Dear Expert Community,

    I am trying out a simple scenario in my home lab: a downloadable ACL using RADIUS from the ACS server. The configuration I apply seems to work without any issues, but it does produce an error when I telnet to the virtual Telnet IP.

    Error: acl authorization denied

    However, the ACL gets downloaded from the ACS server, it works fine and traffic hits the ACL. Please guide me on what the problem is in my configuration given below. What lines do I need to add?

    If this error was produced in the lab but the solution is working, will I get points for it?

    aaa-server RADIUS_AUTH protocol radius
    aaa-server RADIUS_AUTH host 10.0.0.100
     key CISCO

    access-list OUTSIDE_IN extended permit icmp any any log
    access-list Telnet_Traffic_Match extended permit tcp any host 192.10.8.50

    access-list Inside_Out extended deny icmp any any log
    access-list Inside_Out extended permit ip any any log

    access-group OUTSIDE_IN in interface outside
    access-group Inside_Out in interface inside per-user-override

    aaa authentication match Telnet_Traffic_Match inside RADIUS_AUTH

    virtual telnet 192.10.8.50

    On the ACS server:

    Downloadable IP ACL Content : R1_ACL
    Permit icmp any any
    Permit tcp any host 192.10.8.9 eq 23

    Network Configuration / AAA Client : using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)

    After authentication:

    ASA1(config)# sh uauth
                            Current    Most Seen
    Authenticated Users       1          1
    Authen In Progress        0          1
    user 'user1' at 10.0.0.100, authenticated
       access-list #ACSACL#-IP-ASA1-46ee6a32 (*)
       absolute   timeout: 0:05:00
       inactivity timeout: 0:00:00

    ASA1(config)# sh access-list
    access-list cached ACL log flows: total 7, denied 1 (deny-flow-max 4096)
                alert-interval 300
    access-list OUTSIDE_IN; 1 elements
    access-list OUTSIDE_IN line 1 extended permit icmp any any log informational interval 300 (hitcnt=5) 0x835eb415
    access-list Telnet_Traffic_Match; 2 elements
    access-list Telnet_Traffic_Match line 1 extended permit tcp any host 192.10.8.50 (hitcnt=8) 0x582c3c44
    access-list Telnet_Traffic_Match line 2 extended permit icmp any any (hitcnt=0) 0x75e7cb33
    access-list Inside_Out; 2 elements
    access-list Inside_Out line 1 extended deny icmp any any log informational interval 300 (hitcnt=12) 0x01f7a727
    access-list Inside_Out line 2 extended permit ip any any log informational interval 300 (hitcnt=8) 0x5ca24092
    access-list #ACSACL#-IP-ASA1-46ee6a32; 2 elements (dynamic)
    access-list #ACSACL#-IP-ASA1-46ee6a32 line 1 extended permit icmp any any (hitcnt=1) 0xf21eed23
    access-list #ACSACL#-IP-ASA1-46ee6a32 line 2 extended permit tcp any host 192.10.8.9 eq telnet (hitcnt=0) 0x1d76e083

    Your advice is highly appreciated.

    Regards
    Maxwell Noel

  • 09-18-2008 11:11 AM In reply to

    Re: ASA/PIX Downloadable ACL’s ACL Authorization Error

    You need to make sure that the user is able to reach the virtual telnet IP address. Make sure you permitted telnet to this IP (192.10.8.50) in the downloadable ACL. The message "Error: acl authorization denied" means that the downloaded ACL denied your connection.

    Petr Lapukhov, CCIE #16379 (R&S/Security/SP/Voice)
    petr@internetworkexpert.com 

    InternetworkExpert Inc.
    http://www.internetworkexpert.com

  • 09-18-2008 11:44 AM In reply to

    Re: ASA/PIX Downloadable ACL’s ACL Authorization Error

    Dear Petr,

    Yes, you are spot-on. It was the downloadable ACL from ACS which needs the statement to be added. I did it again and again until I made sure I don't make that mistake again. Thanks for the support, I really appreciate it.

    Regards
    Maxwell Noel

  • 11-27-2008 12:29 PM In reply to

    Re: ASA/PIX Downloadable ACL’s ACL Authorization Error

    But as per Max's configuration on ACS, this line was there, right? (i.e., permit tcp any host 192.10.8.50 eq 23)

    Can you make this issue clearer for me, please?

  • 11-30-2008 3:28 AM In reply to

    Re: ASA/PIX Downloadable ACL’s ACL Authorization Error

    Hi V,

    Yes, the statement is there; however, the IP is wrong. It should be the virtual IP on the ASA.

    Regards
    Maxwell Noel
    CCIE #22822

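The replies above (Petr's "the downloaded ACL denied your connection" and Maxwell's "the IP is wrong, it should be the virtual IP on the ASA") can be checked mechanically before a lab attempt. The following is an added example written for this thread, not code from Internetwork Expert or Cisco: a small Python model of how the ASA applies a downloadable ACL to the very session that triggered cut-through proxy authentication. It parses ACEs in the syntax ACS sends, evaluates them first-match with the implicit deny at the end, and tells you whether the telnet session to the virtual telnet address survives the per-user ACL. The helper names (`parse_ace`, `evaluate`, `check_virtual_telnet`) and the client address are this example's own; the R1_ACL lines and the virtual telnet IP 192.10.8.50 are taken from the original post.

```python
# Added example (not from the thread): models the ASA's per-user (downloadable)
# ACL check on the flow that triggered "aaa authentication match".
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Port keywords ASA/ACS accept after "eq" (subset, enough for this example)
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "https": 443, "domain": 53}


@dataclass(frozen=True)
class Flow:
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None = any destination port
    text: str                # original line, reported in the verdict


def _addr(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> ACE:
    """Parse one ACE as written in ACS 'Downloadable IP ACL Content' or on the ASA."""
    tokens = line.lower().split()
    # Tolerate the ASA form "access-list NAME [extended] permit ..."
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    if tokens[0] == "extended":
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, i = _addr(tokens, 2)
    dst, i = _addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    return ACE(action, proto, src, dst, dport, line.strip())


def matches(ace: ACE, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if IPv4Address(flow.src) not in ace.src or IPv4Address(flow.dst) not in ace.dst:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl: List[ACE], flow: Flow) -> Tuple[str, str]:
    """First matching ACE wins; no match means the implicit deny at the end."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action, ace.text
    return "deny", "implicit deny at end of ACL"


def check_virtual_telnet(dacl_lines: List[str], client_ip: str,
                         virtual_ip: str) -> Tuple[bool, str]:
    """After authentication the ASA re-checks the triggering session
    (client -> virtual telnet IP, TCP/23) against the downloaded ACL; a deny
    is what the user sees as 'Error: acl authorization denied'."""
    acl = [parse_ace(ln) for ln in dacl_lines if ln.strip()]
    action, why = evaluate(acl, Flow("tcp", client_ip, virtual_ip, 23))
    return action == "permit", why


VIRTUAL_TELNET_IP = "192.10.8.50"   # "virtual telnet 192.10.8.50" from the post
CLIENT_IP = "10.0.0.100"            # user1's address as shown by "sh uauth"

# R1_ACL exactly as posted: permits telnet to 192.10.8.9, not to the virtual IP
R1_ACL_AS_POSTED = ["Permit icmp any any",
                    "Permit tcp any host 192.10.8.9 eq 23"]
# Corrected per the replies: the downloadable ACL must also permit the virtual IP
R1_ACL_FIXED = ["Permit icmp any any",
                "Permit tcp any host 192.10.8.50 eq 23",
                "Permit tcp any host 192.10.8.9 eq 23"]

if __name__ == "__main__":
    for name, acl in (("as posted", R1_ACL_AS_POSTED), ("fixed", R1_ACL_FIXED)):
        ok, why = check_virtual_telnet(acl, CLIENT_IP, VIRTUAL_TELNET_IP)
        verdict = "permitted" if ok else "acl authorization denied"
        print(f"{name:9}: {verdict} ({why})")
```

Running it shows the posted R1_ACL falling through to the implicit deny for the session to 192.10.8.50 (the downloaded ACE only covers 192.10.8.9, which is why its hit count stays at 0 in `sh access-list`), while the corrected ACL permits it. The same evaluator can be pointed at any other flow the user is expected to open after authentication, since with `per-user-override` the downloaded ACL replaces the interface ACL for that user entirely.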
  • 12-15-2008 7:44 AM In reply to

    Re: ASA/PIX Downloadable ACL’s ACL Authorization Error

    Dear All,

    My exam is scheduled in just under 20 days. I need your help on the following items urgently, since this is my second attempt.

    (1) One quick question on transparent ASA, wherein it is stated that one must configure an access-list in both directions even if there's a session between a higher and lower security zone? Is this only applicable to Multicast/Non-IP sessions or to all?

    (2) Do I need to prepare Frame-relay configuration for the CCIE-SEC exam by any chance? Will that be pre-configured? Or can I expect any questions there?

    (3) It has been stated here that there seem to be a couple of questions on Windows-based "ROUTE ADD" options? How are they relevant and what types of tricks are involved there?

    (4) For DMVPN and IPSEC-GRE tunnels, if they are traversing through ASA/PIX, do I need to permit GRE traffic along with ESP and IKE? (Assume that the tunnel endpoints and IPSEC are on the same router.)

    Also, please let me have your best thoughts on how I should approach the exam.

    Regards, V
