Cisco ASA 5505 Configuration Manual page 1436

Cisco ASA 5500 Series Configuration Guide using ASDM (OL-20339-01)
Chapter 65: Configuring Dynamic Access Policies, page 65-12

Understanding VPN Access Policies

Access Policy Attributes—These tabs let you set attributes for network and webtype ACL filters,
file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access
methods. Attribute values that you configure here override authorization values in the AAA system,
including those in existing user, group, tunnel group, and default group records.

Action Tab—Specifies special processing to apply to a specific connection or session.

  Continue—(Default) Click to apply access policy attributes to the session.

  Quarantine—Through the use of quarantine, you can restrict a particular client who already has
  an established tunnel through a VPN. ASA applies restricted ACLs to a session to form a
  restricted group, based on the selected DAP record. When an endpoint is not compliant with an
  administratively defined policy, the user can still access services for remediation (such as
  updating the antivirus and so on), but restrictions are placed upon the user. After the remediation
  occurs, the user can reconnect, which invokes a new posture assessment. If this assessment
  passes, the user connects.

  Note: This parameter requires a release of the Cisco IronPort Web Security appliance that
  provides AnyConnect Secure Mobility licensing support for the Cisco AnyConnect
  secure mobility client. It also requires an AnyConnect release that supports AnyConnect
  Secure Mobility features.

  Terminate—Click to terminate the session.

  User Message—Enter a text message to display on the portal page when this DAP record is
  selected. Maximum 128 characters. A user message displays as a yellow orb. When a user logs
  on, it blinks three times to attract attention, and then it is still. If several DAP records are
  selected, and each of them has a user message, all of the user messages display.
  Such messages can include URLs or other embedded text, which requires that you use the
  correct HTML tags.
  For example: All contractors please read <a href='http://wwwin.abc.com/procedure.html'>
  Instructions</a> for the procedure to upgrade your antivirus software.

Network ACL Filters Tab—Lets you select and configure network ACLs to apply to this DAP
record. An ACL for DAP can contain permit or deny rules, but not both. If an ACL contains both
permit and deny rules, the adaptive security appliance rejects it.

  Network ACL drop-down list—Select already configured network ACLs to add to this DAP
  record. Only ACLs having all permit or all deny rules are eligible, and these are the only ACLs
  that display here.

  Manage...—Click to add, edit, and delete network ACLs.

  Network ACL list—Displays the network ACLs for this DAP record.

  Add—Click to add the selected network ACL from the drop-down list to the Network ACLs list
  on the right.

  Delete—Click to delete a highlighted network ACL from the Network ACLs list. You cannot
  delete an ACL from the adaptive security appliance unless you first delete it from DAP records.

Web-Type ACL Filters Tab—Lets you select and configure web-type ACLs to apply to this DAP
record. An ACL for DAP can contain permit or deny rules, but not both. If an ACL contains both
permit and deny rules, the adaptive security appliance rejects it.
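
The all-permit or all-deny rule for DAP ACLs described above can be checked before an ACL is assigned to a DAP record. The following Python sketch is an added example, not part of the Cisco guide: it scans `access-list` lines taken from a running configuration and reports which network (extended) and web-type ACLs mix permit and deny rules. The ACL names, addresses and URLs in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of ASA running-config lines (not taken from the manual).
SAMPLE_CONFIG = """\
access-list DAP-REMEDIATE remark remediation servers only
access-list DAP-REMEDIATE extended permit tcp any host 192.0.2.10 eq 443
access-list DAP-REMEDIATE extended permit udp any host 192.0.2.53 eq 53
access-list DAP-BLOCK-LAB extended deny ip any 198.51.100.0 255.255.255.0
access-list DAP-MIXED extended permit tcp any host 192.0.2.10 eq 443
access-list DAP-MIXED line 2 extended deny ip any any
access-list DAP-WEB webtype permit url https://intranet.example.com/*
access-list DAP-WEB webtype deny url https://intranet.example.com/hr/*
"""

# Matches an access control entry; remark lines do not match and are skipped.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?"
    r"(?P<type>extended|webtype)\s+(?P<action>permit|deny)\b"
)

def classify_acls(config_text):
    """Map ACL name -> (type, verdict); verdict is all-permit, all-deny or mixed."""
    actions = defaultdict(set)
    types = {}
    for raw in config_text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:  # remarks, blank lines and unrelated configuration
            continue
        actions[m["name"]].add(m["action"])
        types[m["name"]] = m["type"]
    result = {}
    for name, seen in actions.items():
        verdict = "mixed" if len(seen) > 1 else "all-" + next(iter(seen))
        result[name] = (types[name], verdict)
    return result

def dap_ineligible(config_text):
    """Sorted names of ACLs that mix permit and deny rules."""
    acls = classify_acls(config_text)
    return sorted(n for n, (_, verdict) in acls.items() if verdict == "mixed")

if __name__ == "__main__":
    for name, (acl_type, verdict) in sorted(classify_acls(SAMPLE_CONFIG).items()):
        status = "not eligible for DAP" if verdict == "mixed" else "eligible for DAP"
        print(f"{name:15} {acl_type:9} {verdict:11} {status}")
```

An ACL reported as mixed can be split into one all-permit ACL and one all-deny ACL so that each part becomes selectable in the DAP record.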

This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
