Configuring Client Access Rules - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 30
Configuring Tunnel Groups, Group Policies, and Users
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-firewall req cisco-security-agent
hostname(config-group-policy)#

Configuring Client Access Rules

Configure rules that limit the remote access client types and versions that can connect via IPSec through the security appliance by using the client-access-rule command in group-policy configuration mode. Construct rules according to these guidelines:

• If you do not define any rules, the security appliance permits all connection types.
• When a client matches none of the rules, the security appliance denies the connection. If you define a deny rule, you must also define at least one permit rule; otherwise, the security appliance denies all connections.
• For both software and hardware clients, type and version must exactly match their appearance in the show vpn-sessiondb remote display.
• The * character is a wildcard, which you can enter multiple times in each rule. For example, client-access-rule 3 deny type * version 3.* creates a priority 3 client access rule that denies all client types running release versions 3.x software.
• You can construct a maximum of 25 rules per group policy.
• There is a limit of 255 characters for an entire set of rules.
• You can enter n/a for clients that do not send client type and/or version.

hostname(config-group-policy)# client-access-rule priority {permit | deny} type type version {version | none}
hostname(config-group-policy)# no client-access-rule [priority {permit | deny} type type version version]

Table 30-2 explains the meaning of the keywords and parameters in these commands.

Table 30-2 client-access-rule Command Keywords and Variables

Parameter   Description
deny        Denies connections for devices of a particular type and/or version.
none        Allows no client access rules. Sets client-access-rule to a null value, thereby allowing no restriction. Prevents inheriting a value from a default or specified group policy.

To delete a rule, enter the no form of this command. This command is equivalent to the following command:

hostname(config-group-policy)# client-access-rule 1 deny type "Cisco VPN Client" version 4.0

To delete all rules, enter the no client-access-rule command without arguments. This deletes all configured rules, including a null rule if you created one by issuing the client-access-rule command with the none keyword.

By default, there are no access rules. When there are no client access rules, users inherit any rules that exist in the default group policy.

To prevent users from inheriting client access rules, enter the client-access-rule command with the none keyword. The result of this command is that all client types and versions can connect.

Group Policies
Cisco Security Appliance Command Line Configuration Guide   OL-10088-01   30-57
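The guidelines above (no rules permits everything, a client matching no rule is denied, * as the only wildcard, type and version strings taken verbatim from show vpn-sessiondb remote, and the deny-without-permit trap) worked through as an added Python checker; it is not part of the Cisco guide or of the appliance. The client type strings in the sample and the assumption that rules are tested in priority order with the first match deciding are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: three client-access-rule lines as typed in
# group-policy configuration mode (the type strings are assumed examples).
SAMPLE_RULES = """
client-access-rule 1 deny type * version 3.*
client-access-rule 2 permit type "Cisco VPN Client" version 4.*
client-access-rule 3 permit type "VPN 3002" version n/a
"""

RULE_RE = re.compile(
    r'^client-access-rule\s+(\d+)\s+(permit|deny)\s+type\s+("[^"]*"|\S+)'
    r'\s+version\s+("[^"]*"|\S+)\s*$')

@dataclass
class Rule:
    priority: int
    action: str
    ctype: str
    version: str

def parse_rules(text):
    """Parse rule lines and return them ordered by priority."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        pri, action, ctype, ver = m.groups()
        rules.append(Rule(int(pri), action, ctype.strip('"'), ver.strip('"')))
    return sorted(rules, key=lambda r: r.priority)

def validate(rules):
    """Report the rule-set problems named in the guidelines."""
    problems = []
    if len(rules) > 25:
        problems.append("more than 25 rules in one group policy")
    actions = {r.action for r in rules}
    if "deny" in actions and "permit" not in actions:
        problems.append("deny rule without any permit rule: every connection is denied")
    return problems

def _glob(pattern, value):
    # '*' is the only wildcard; everything else must match exactly (case-sensitive).
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def evaluate(rules, ctype, version):
    """Return 'permit' or 'deny' for a client as shown by 'show vpn-sessiondb remote'."""
    if not rules:
        return "permit"   # no rules at all: all connection types permitted
    for r in rules:       # assumption: checked in priority order, first match wins
        if _glob(r.ctype, ctype) and _glob(r.version, version):
            return r.action
    return "deny"         # a client matching no rule is denied
```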