Cisco ASA 5505 Configuration Manual page 1344
[Feature availability table: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple Context, System)]
Add/Edit Internal Group Policy > Client Firewall
The Add or Edit Group Policy Client Firewall dialog box lets you configure firewall settings for VPN clients for the group policy being added or modified.

Note: Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN.

Remote users connecting to the adaptive security appliance with the VPN client can choose the appropriate firewall option.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the adaptive security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the adaptive security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the adaptive security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The adaptive security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.
Fields

Inherit—Determines whether the group policy obtains its client firewall setting from the default group policy. This option is the default setting. When set, it overrides the remaining attributes in this dialog box and dims their names.

Client Firewall Attributes—Specifies the client firewall attributes, including what type of firewall (if any) is implemented and the firewall policy for that firewall.

Firewall Setting—Lists whether a firewall exists, and if so, whether it is required or optional. If you select No Firewall (the default), none of the remaining fields on this dialog box are active. If you want users in this group to be firewall-protected, select either the Firewall Required or Firewall Optional setting.

Cisco ASA 5500 Series Configuration Guide using ASDM
64-34
Chapter 64
General VPN Setup
OL-20339-01
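The two scenarios described above (AYT and CPP) and the Firewall Required / Firewall Optional choice in the Fields list map onto the client-firewall command under group-policy attributes in the ASA CLI. What follows is an added example written for this page, not configuration taken from the manual: the group-policy names, ACL names and the 10.0.0.0/8 address block are constructed, and the command keywords are assumed to match the ASA command reference for this release (verify them against the reference for the software you run). Firewall Optional corresponds to the opt keyword and Firewall Required to req.

```cisco
! Added example, not from the manual. Names and addresses are constructed.
!
! Scenario 1: Are You There (AYT). The client enforces whatever policy the
! user defined in the local Zone Labs firewall; the ASA only requires the
! firewall to be running. "opt" admits users who have no firewall at all;
! "req" would reject them at connection time.
group-policy RA-AYT-Users attributes
 client-firewall opt zonelabs-zonealarm policy AYT

! Scenario 2: Central Protection Policy (CPP). The ASA pushes an ACL pair
! to the client firewall. Remote PCs on a split tunnel may exchange traffic
! only with the corporate 10.0.0.0/8 block; anything else that reaches the
! PC outside the tunnel is dropped by the local firewall. The explicit deny
! lines make the intended default visible in the running configuration.
access-list CorpNets standard permit 10.0.0.0 255.0.0.0
access-list CPP-IN extended permit ip 10.0.0.0 255.0.0.0 any
access-list CPP-IN extended deny ip any any
access-list CPP-OUT extended permit ip any 10.0.0.0 255.0.0.0
access-list CPP-OUT extended deny ip any any

group-policy RA-CPP-Users attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CorpNets
 ! "req": a client whose firewall is not running is disconnected
 client-firewall req cisco-integrated acl-in CPP-IN acl-out CPP-OUT

! Confirm which policy a group will push before assigning it to a tunnel group
show running-config group-policy RA-CPP-Users
```

The acl-in list is applied to traffic arriving at the client PC and acl-out to traffic the PC sends, so the pair above lets only corporate-addressed traffic cross the PC's local firewall while the tunnel is up, which is the "block Internet traffic to remote PCs using split tunneling" case the text gives as the common CPP use.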