Thanks Mohammed. It seems the permit argument is mandatory if the unlisted arguments is "deny".
If the permit argument is not entered, then the unlisted arguments is "permit".

With regards
Kings

2009/10/8 Mohammed Gazzaz <[email protected]>

> Hi Kings,
>
> It is working here without any problems.
>
> aaa authentication match aaa Inside tac
> aaa authorization match aaa Inside tac
> aaa accounting match aaa Inside tac
>
> access-list aaa line 1 extended permit tcp any any (hitcnt=119) 0xfb2783bb
> access-list aaa line 2 extended permit icmp any any (hitcnt=246) 0xe893359d
>
> In the ACS server,
>
> Unmatched Cisco IOS commands is "deny"
>
> command "telnet" arguments "permit 150.1.4.4"
> command "1/8" arguments "permit 150.1.5.5"
> command "http" arguments "permit 150.1.2.2"
>
> Unlisted arguments is "deny" for all commands
>
> -----------------------
>
> *SW2#telnet 150.1.4.4*
> Trying 150.1.4.4 ... Open
>
> Username: cisco
>
> Password:
>
> Error: Authorization Denied
>
> [Connection to 150.1.4.4 closed by foreign host]
>
> *SW2#telnet 150.1.4.4*
> Trying 150.1.4.4 ...
> % Connection timed out; remote host not responding
>
> *SW2#telnet 150.1.5.5*
> Trying 150.1.5.5 ... Open
>
> User Access Verification
>
> Password:
>
> *SW2#telnet 150.1.2.2 80*
> Trying 150.1.2.2, 80 ... Open
>
> HTTP/1.1 400 Bad Request
> Date: Thu, 08 Oct 2009 07:47:58 GMT
> Server: cisco-IOS
> Accept-Ranges: none
>
> 400 Bad Request
>
> [Connection to 150.1.2.2 closed by foreign host]
>
> *SW2#telnet 150.1.5.5 80*
> Trying 150.1.5.5, 80 ...
> % Connection timed out; remote host not responding
>
> *SW2#ping 150.1.4.4*
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
> .!!!!
> Success rate is 80 percent (4/5), round-trip min/avg/max = 56/59/64 ms
>
> *SW2#ping 150.1.2.2*
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5)
>
> *ASA1(config)# show uauth*
>                         Current    Most Seen
> Authenticated Users       1          1
> Authen In Progress        0          1
> user 'cisco' at 12.1.235.8, authorized to:
>   port 150.1.5.5/telnet 150.1.2.2/http 150.1.4.4/icmp/8
>   absolute   timeout: 0:05:00
>   inactivity timeout: 0:00:00
> ASA1(config)#
>
> Regards,
> Mohammed Gazzaz
>
> ------------------------------
> Date: Thu, 8 Oct 2009 18:02:58 +0530
> From: [email protected]
> To: [email protected]
> Subject: [OSL | CCIE_Security] ASA cut-through proxy authorization for icmp
>
> Hi all
>
> I am trying to configure cut-through proxy for any traffic (authentication
> and authorization).
>
> access-list mine permit ip any any
>
> aaa authentication match mine inside mine
> aaa authorization match mine inside mine
>
> Under "shell authorization > Per user command authorization" of User setup
> in ACS, I have permitted the command "1/8".
>
> 1 is the ICMP protocol number and 8 is the type.
>
> Unmatched Cisco IOS commands is "deny"
> Unlisted arguments is "permit"
>
> This should allow ping from inside to outside.
>
> The ping fails, and the reason in the reports and activities mentions that
> command "1/8" is denied.
>
> First, I used a telnet session to ensure that there is "uauth" for the device
> from where I am going to ping, because ping can't be authenticated.
>
> Has anyone tried this?
>
> With regards
> Kings
>
> ------------------------------
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
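A small model of the ACS per-user command authorization logic that this thread relies on, added here as an example (it is not either poster's configuration or any Cisco code). It assumes the ASA presents the destination host as the command argument, as the "permit <ip>" lines in Mohammed's command set imply, and shows why an explicit permit line is needed for a destination once unlisted arguments is "deny".

```python
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    """One command line from the ACS per-user command authorization screen."""
    args: list = field(default_factory=list)  # explicit lines: ("permit"|"deny", argument)
    unlisted_args: str = "deny"               # the "Unlisted arguments" setting

@dataclass
class CommandSet:
    """The whole per-user command set, including the unmatched-command default."""
    commands: dict                            # command name -> CommandRule
    unmatched_commands: str = "deny"          # "Unmatched Cisco IOS commands" setting

def authorize(policy: CommandSet, command: str, argument: str) -> str:
    """Evaluate one cut-through proxy request in the order the ACS settings
    describe: the command itself, then its explicit argument lines, then the
    unlisted-argument default. Returns "permit" or "deny"."""
    rule = policy.commands.get(command)
    if rule is None:
        return policy.unmatched_commands
    for action, value in rule.args:
        if value == argument:
            return action
    return rule.unlisted_args

# Mohammed's working command set, copied from the thread (assumption: the
# destination host is the argument the ASA sends).
WORKING = CommandSet(commands={
    "telnet": CommandRule(args=[("permit", "150.1.4.4")]),
    "1/8":    CommandRule(args=[("permit", "150.1.5.5")]),
    "http":   CommandRule(args=[("permit", "150.1.2.2")]),
})

# Kings' original set: "1/8" listed with no argument line, unlisted "permit".
ORIGINAL = CommandSet(commands={"1/8": CommandRule(unlisted_args="permit")})

def report(policy: CommandSet, requests) -> dict:
    """Map each (command, destination) request to its result, keyed like the
    'port' entries of 'show uauth'."""
    return {f"{dst}/{cmd}": authorize(policy, cmd, dst) for cmd, dst in requests}

if __name__ == "__main__":
    sample = [("telnet", "150.1.4.4"), ("telnet", "150.1.5.5"),
              ("1/8", "150.1.5.5"), ("1/8", "150.1.2.2"), ("ssh", "150.1.4.4")]
    for key, result in report(WORKING, sample).items():
        print(f"{key:20} {result}")
```

Under this model Kings' original set evaluates "1/8" to permit for any destination, so the deny his ACS reported is not reproduced by these settings alone; the thread does not say what else differed.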
