
Table of Contents

Dynamic Filters
Monitoring | Dynamic Filters
Configuring Dynamic Filters on a RADIUS Server

Dynamic Filters


Monitoring | Dynamic Filters

The VPN Concentrator allows you to define remote access user filters on an external RADIUS server, such as Cisco Secure ACS, rather than on the VPN Concentrator. Using an external RADIUS server allows centralized filter management and greater scalability. Also, configuring filters in this way allows you to assign filters to a particular tunnel group or a particular user.

These filters are called dynamic filters because they remain in place only for the duration of the session to which they apply. When a user authenticates via RADIUS, the VPN Concentrator downloads the filter associated with the user and applies it for the duration of the connection. When the connection finishes, the filter drops.

You configure this feature on the RADIUS server, not on the VPN Concentrator. (The filters you configure on the VPN Concentrator are static.) For guidelines on configuring your external RADIUS server to interoperate with the VPN Concentrator, see Configuring Dynamic Filters on a RADIUS Server.

You can configure a dynamic filter on either a user or a group. If both user dynamic filters and group dynamic filters apply to a single connection, the user filters take precedence. If both dynamic filters and static filters apply to the same connection, the dynamic filters take precedence. The order of precedence is:

1. A dynamic user filter

2. A dynamic group filter

3. A static user filter

4. A static group filter


Tip If you encounter problems using this feature, debug by tracking the FILTERDBG event class. Track events with severity level 6 if you are concerned about filter syntax errors; the error log shows how the VPN Concentrator parses the filter. To view the actual filtering, track events with severity level 9; in this case, be sure to define the filter using the keyword "log".

This screen displays the dynamic filters currently in use governing remote access sessions on the VPN Concentrator.


Figure 13-1   Monitoring | Dynamic Filters Screen


Dynamic Filters

This list shows the unique dynamic filters currently in use on the VPN Concentrator. Select a filter to view its associated rules in the text box below.

The syntax of each rule is as follows:

[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Established] [Log] [Operator] [Port]

Prefix: A unique identifier for the AV pair, for example ip:inacl#1=. This field appears only when the filter has been sent as an AV pair.

Action: Action to perform if the rule matches: deny or permit.

Protocol: Number or name of an IP protocol: either an integer in the range 0-255 or one of the keywords icmp, igmp, ip, tcp, udp.

Source: Network or host from which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the source wildcard mask must follow.

Source Wildcard Mask: The wildcard mask to be applied to the source address.

Destination: Network or host to which the packet is sent, specified as an IP address, a hostname, or the keyword "any". If specified as an IP address, the destination wildcard mask must follow.

Destination Wildcard Mask: The wildcard mask to be applied to the destination address.

Log: Generates a FILTER log message. You must use this keyword to generate events of severity level 9.

Operator: Logic operators: greater than, less than, equal to, not equal to (Table 13-1 also lists range).

Port: The number of a TCP or UDP port, in the range 0-65535.

Configuring Dynamic Filters on a RADIUS Server

You can configure dynamic filters on any RADIUS server by using the Cisco vendor-specific RADIUS attribute (26/9/1) AV-Pair to define and transmit attribute/value pairs. In configuring the feature, refer to Table 13-1 for a list of tokens the VPN Concentrator supports.

For more information, see the documentation for your particular server.

Table 13-1   VPN Concentrator-Supported Tokens

Token          Syntax Field       Description
ip:inacl#Num=  N/A (Identifier)   Starts all AV pair access control lists. (Num is a unique integer.)
deny           Action             Denies action. (Default.)
permit         Action             Allows action.
icmp           Protocol           Internet Control Message Protocol (ICMP)
1              Protocol           Internet Control Message Protocol (ICMP)
IP             Protocol           Internet Protocol (IP)
0              Protocol           Internet Protocol (IP)
TCP            Protocol           Transmission Control Protocol (TCP)
6              Protocol           Transmission Control Protocol (TCP)
UDP            Protocol           User Datagram Protocol (UDP)
17             Protocol           User Datagram Protocol (UDP)
any            Hostname           Rule applies to any host.
host           Hostname           Any alphanumeric string that denotes a hostname.
log            Log                When the rule is hit, a filter log message appears. (Same as permit and log or deny and log.)
lt             Operator           Less than value
gt             Operator           Greater than value
eq             Operator           Equal to value
neq            Operator           Not equal to value
range          Operator           Inclusive range. Should be followed by two values.

Cisco Secure ACS

To configure dynamic filters in Cisco Secure ACS, use either of the following screens:

Cisco IOS/PIX RADIUS Attributes Screen

On the Cisco IOS/PIX RADIUS Attributes screen, enter the filter in the cisco-av-pair text box. Include the Access List Number. (See Figure 13-2.) For example:

ip:inacl#1=permit ip 90.153.0.0 0.0.255.255 host 100.158.9.1
ip:inacl#2=permit ip 90.154.0.0 0.0.255.255 100.158.10.0 0.0.0.255
ip:inacl#3=permit 0 any host 100.159.1.22
ip:inacl#4=deny ip 90.155.10.0 0.0.0.255 100.159.2.0 0.0.0.255 log
ip:inacl#5=permit TCP any host 100.160.0.1 eq 80 log
ip:inacl#6=permit TCP any host 100.160.0.2 eq 23 log
ip:inacl#7=permit TCP any host 100.160.0.3 range 20 30
ip:inacl#8=permit 6 any host HOSTNAME1
ip:inacl#9=permit UDP any host HOSTNAME2 neq 53
ip:inacl#10=deny 17 any host HOSTNAME3 lt 137 log
ip:inacl#11=deny 17 any host HOSTNAME4 gt 138
ip:inacl#12=deny ICMP any 100.161.0.0 0.0.255.255 log
ip:inacl#13=permit TCP any host HOSTNAME5 neq 80

Figure 13-2   Cisco IOS/PIX RADIUS Attributes screen


Downloadable PIX ACLs Screen

On the Downloadable PIX ACLs screen, enter the filter in the ACL Definitions box. Omit the Access List Number. (See Figure 13-3.) For example:

permit ip 90.153.0.0 0.0.255.255 host 100.158.9.1
permit ip 90.154.0.0 0.0.255.255 100.158.10.0 0.0.0.255
permit 0 any host 100.159.1.22
deny ip 90.155.10.0 0.0.0.255 100.159.2.0 0.0.0.255 log
permit TCP any host 100.160.0.1 eq 80 log
permit TCP any host 100.160.0.2 eq 23 log
permit TCP any host 100.160.0.3 range 20 30
permit 6 any host HOSTNAME1
permit UDP any host HOSTNAME2 neq 53
deny 17 any host HOSTNAME3 lt 137 log
deny 17 any host HOSTNAME4 gt 138
deny ICMP any 100.161.0.0 0.0.255.255 log
permit TCP any host HOSTNAME5 neq 80

Figure 13-3   Downloadable PIX ACLs Screen
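The rule syntax and token table above, and both example lists (with and without the ip:inacl#Num= prefix), can be checked offline before a filter is pushed to a RADIUS server. The following Python is an added example, not Cisco's code: it parses rules in exactly that syntax, rejects malformed lines and duplicate Num values, and evaluates a packet against the parsed list. The hostname table, first-match evaluation, "ip"/0 matching every protocol, operators testing the destination port, and the deny of anything that matches no rule are all assumptions made for this example; the sample filter is constructed.

```python
import ipaddress
import re
from collections import namedtuple

PROTOCOLS = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}
OPERATORS = {"lt": 1, "gt": 1, "eq": 1, "neq": 1, "range": 2}  # operand count
PREFIX_RE = re.compile(r"^ip:inacl#(\d+)=(.*)$")
# Constructed hostname table standing in for whatever resolves "host HOSTNAMEn"
# in a real deployment (assumption; the page does not describe resolution).
HOSTS = {"HOSTNAME1": "100.160.1.1", "HOSTNAME2": "100.160.1.2"}
# number is the ip:inacl#Num value (None for the unprefixed form); src and dst
# are (address, wildcard) pairs where 1 bits in the wildcard are don't-care.
Rule = namedtuple("Rule", "number action protocol src dst log operator ports")


def _ip(tok):
    return int(ipaddress.IPv4Address(tok))


def _endpoint(toks, i):
    """Consume one endpoint at toks[i]: any | host <ip|name> | <ip> <wildcard>."""
    t = toks[i].lower()
    if t == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t == "host":
        name = toks[i + 1]
        try:
            return (_ip(HOSTS.get(name, name)), 0), i + 2
        except ipaddress.AddressValueError:
            raise ValueError(f"unknown hostname {name!r}") from None
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2  # an address must carry its mask


def parse_rule(line):
    body, number = line.strip(), None
    m = PREFIX_RE.match(body)
    if m:
        number, body = int(m.group(1)), m.group(2)
    toks = body.split()
    try:
        action, p = toks[0].lower(), toks[1].lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {toks[0]!r}")
        if p not in PROTOCOLS and not (p.isdigit() and int(p) <= 255):
            raise ValueError(f"bad protocol {toks[1]!r}")
        proto = PROTOCOLS[p] if p in PROTOCOLS else int(p)
        src, i = _endpoint(toks, 2)
        dst, i = _endpoint(toks, i)
    except IndexError:
        raise ValueError(f"truncated rule {line!r}") from None
    log, operator, ports = False, None, ()
    while i < len(toks):  # optional trailing tokens: log, operator + port value(s)
        t = toks[i].lower()
        if t == "log":
            log, i = True, i + 1
        elif t in OPERATORS and operator is None:
            vals = toks[i + 1:i + 1 + OPERATORS[t]]
            if len(vals) != OPERATORS[t] or not all(v.isdigit() for v in vals):
                raise ValueError(f"operator {t} needs {OPERATORS[t]} port value(s)")
            ports = tuple(int(v) for v in vals)
            if proto not in (6, 17) or max(ports) > 65535:
                raise ValueError("port operators apply only to TCP/UDP ports 0-65535")
            operator, i = t, i + 1 + OPERATORS[t]
        else:
            raise ValueError(f"unexpected token {toks[i]!r}")
    return Rule(number, action, proto, src, dst, log, operator, ports)


def parse_filter(lines):
    """Parse a whole filter, rejecting duplicate ip:inacl# numbers (Num must be unique)."""
    rules, seen = [], set()
    for r in (parse_rule(line) for line in lines if line.strip()):
        if r.number is not None and r.number in seen:
            raise ValueError(f"duplicate ip:inacl#{r.number}")
        seen.add(r.number)
        rules.append(r)
    return rules


def _matches(rule, proto, s, d, port):
    if rule.protocol not in (0, proto):  # assumption: protocol 0 / ip covers any protocol
        return False
    for ip, (addr, wild) in ((s, rule.src), (d, rule.dst)):
        if ((ip ^ addr) & ~wild & 0xFFFFFFFF) != 0:  # compare only non-wildcard bits
            return False
    if rule.operator is None:
        return True
    if port is None:
        return False
    a, b = rule.ports[0], rule.ports[-1]
    return {"lt": port < a, "gt": port > a, "eq": port == a,
            "neq": port != a, "range": a <= port <= b}[rule.operator]


def evaluate(rules, proto, src, dst, dst_port=None):
    """Return (action, rule number, log) for the first matching rule.
    Assumed: first match wins, operators test the destination port, no match = deny."""
    for r in rules:
        if _matches(r, proto, _ip(src), _ip(dst), dst_port):
            return r.action, r.number, r.log
    return "deny", None, False


# Constructed sample filter in the AV-pair form shown above.
SAMPLE_AV_PAIRS = [
    "ip:inacl#1=permit ip 90.153.0.0 0.0.255.255 host 100.158.9.1",
    "ip:inacl#2=permit TCP any host 100.160.0.1 eq 80 log",
    "ip:inacl#3=permit UDP any host HOSTNAME2 neq 53",
    "ip:inacl#4=deny 17 any host HOSTNAME1 lt 137 log",
    "ip:inacl#5=permit TCP any host 100.160.0.3 range 20 30",
]
```

With `rules = parse_filter(SAMPLE_AV_PAIRS)`, `evaluate(rules, 6, "10.0.0.1", "100.160.0.1", 80)` returns `("permit", 2, True)`, meaning rule 2 permitted the packet and, because it carries the log keyword, the Concentrator would emit a severity 9 FILTER event for it. Feeding the Downloadable PIX ACLs form (no prefix) to the same parser works too; the number field is then None, so the duplicate check is skipped.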



Posted: Fri Apr 18 17:06:49 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.