Cisco ASA Series Cli Configuration Manual page 1708

Group Policies
Configuring VPN Client Firewall Policies
A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound
packet of data to determine whether to allow it through the firewall or to drop it. Firewalls provide extra
security if remote users in a group have split tunneling configured. In this case, the firewall protects the
user's computer, and thereby the corporate network, from intrusions by way of the Internet or the user's
local LAN. Remote users connecting to the ASA with the VPN client can choose the appropriate firewall
option.
Set personal firewall policies that the ASA pushes to the VPN client during IKE tunnel negotiation by
using the client-firewall command in group-policy configuration mode. To delete a firewall policy, enter
the no form of this command.
To delete all firewall policies, enter the no client-firewall command without arguments. This command
deletes all configured firewall policies, including a null policy if you created one by entering the
client-firewall command with the none keyword.
When there are no firewall policies, users inherit any that exist in the default or other group policy. To
prevent users from inheriting such firewall policies, enter the client-firewall command with the none
keyword.
The Add or Edit Group Policy dialog box on the Client Firewall tab, lets you configure firewall settings
for VPN clients for the group policy being added or modified.
Note
Only VPN clients running Microsoft Windows can use these firewall features. They are currently not
available to hardware clients or other (non-Windows) software clients.
In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces
firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If
the firewall stops running, the VPN client drops the connection to the ASA. (This firewall enforcement
mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it
periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and
terminates its connection to the ASA.) The network administrator might configure these PC firewalls
originally, but with this approach, each user can customize his or her own configuration.
In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls
on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using
split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the
Internet while tunnels are established. This firewall scenario is called push policy or Central Protection
Policy (CPP). On the ASA, you create a set of traffic management rules to enforce on the VPN client,
associate those rules with a filter, and designate that filter as the firewall policy. The ASA pushes this
policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which
enforces it.
Configuring AnyConnect Client Firewall Policies
Fiewall rules for the AnyConnect client can specify IPv4 and IPv6 addresses.
Cisco ASA Series CLI Configuration Guide
1-74
Chapter 1 Configuring Connection Profiles, Group Policies, and Users