Chapter 64
General VPN Setup
If you choose Firewall Required, all users in this group must use the designated firewall. The adaptive security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the adaptive security appliance notifies the VPN client that its firewall configuration does not match.

Note: If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode and VPN 3002 hardware clients) are unable to connect.

If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users who connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall Type—Lists firewalls from several vendors, including Cisco. If you select Custom Firewall, the fields under Custom Firewall become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.

Custom Firewall—Specifies the vendor ID, product ID, and description for the custom firewall.
    Vendor ID—Specifies the vendor of the custom firewall for this group policy.
    Product ID—Specifies the product or model name of the custom firewall being configured for this group policy.
    Description—(Optional) Describes the custom firewall.

Firewall Policy—Specifies the type and source for the custom firewall policy.
    Policy defined by remote firewall (AYT)—Specifies that the firewall policy is defined by the remote firewall (Are You There). This means that remote users in this group have firewalls located on their PCs, and the local firewall enforces the firewall policy on the VPN client. The adaptive security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN client ends the session.
    Policy pushed (CPP)—Specifies that the policy is pushed from the peer. If you choose this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active. The adaptive security appliance enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this adaptive security appliance, including the default filters. Keep in mind that the adaptive security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the adaptive security appliance. For example, "in" and "out" refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the adaptive security appliance works together with the policy of the local firewall: any packet that is blocked by the rules of either firewall is dropped.
    Inbound Traffic Policy—Lists the available push policies for inbound traffic.
    Outbound Traffic Policy—Lists the available push policies for outbound traffic.

OL-20339-01
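The CLI equivalent of the ASDM settings described above, as an added example that is not taken from the Cisco guide: the group-policy names, access-list names, the 10.10.0.0/16 network and the vendor/product ID numbers are assumed placeholders. It shows the transitional setting (Firewall Optional with AYT) beside the enforced one (Firewall Required with CPP), with the pushed access lists written from the VPN client's point of view.

```cisco
! Added example, not from the Cisco guide. Names, addresses and IDs are placeholders.

! CPP access lists are evaluated on the VPN client, so "in" means traffic arriving
! at the client and "out" means traffic the client sends. A packet denied by either
! the pushed policy or the client's own local firewall is dropped.
access-list VPNCLIENT-IN extended permit tcp 10.10.0.0 255.255.0.0 any eq 3389
access-list VPNCLIENT-IN extended deny ip any any
access-list VPNCLIENT-OUT extended permit ip any 10.10.0.0 255.255.0.0
access-list VPNCLIENT-OUT extended deny ip any any

! Transitional group: Firewall Optional with AYT. Clients without the designated
! firewall still connect but receive a warning; clients that have it let the local
! firewall enforce its own policy, and the client polls it every 30 seconds.
! vendor-id / product-id are placeholder numbers for a custom firewall.
group-policy VPN-TRANSITION attributes
 client-firewall opt custom vendor-id 100 product-id 200 policy AYT

! Enforced group: Firewall Required with CPP. A session without the designated
! firewall installed and running is dropped, and the ASA pushes VPNCLIENT-IN /
! VPNCLIENT-OUT to the client. Only Windows VPN clients can belong to this group.
group-policy VPN-ENFORCED attributes
 client-firewall req cisco-integrated acl-in VPNCLIENT-IN acl-out VPNCLIENT-OUT

! Confirm what will be enforced before assigning the group policy to a tunnel group.
show running-config group-policy VPN-ENFORCED
```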
Cisco ASA 5500 Series Configuration Guide using ASDM
64-35

ACL Manager