Cisco ASA 5505 User Manual


67-69

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Supporting a Zone Labs Integrity Server

To delete all rules, enter the no client-access-rule command without arguments. This deletes all
configured rules, including a null rule if you created one by issuing the client-access-rule command with
the none keyword.

By default, there are no access rules. When there are no client access rules, users inherit any rules that
exist in the default group policy.

To prevent users from inheriting client access rules, enter the client-access-rule command with the none
keyword. The result of this command is that all client types and versions can connect.

hostname(config-group-policy)# client-access-rule priority {permit | deny} type type version {version | none}

hostname(config-group-policy)# no client-access-rule [priority {permit | deny} type type version version]

Table 67-5 explains the meaning of the keywords and parameters in these commands.

The following example shows how to create client access rules for the group policy named FirstGroup.
These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT
clients:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 deny type WinNT version *
hostname(config-group-policy)# client-access-rule 2 permit type "Cisco VPN Client" version 4.*

Note: The "type" field is a free-form string that allows any value, but that value must match the fixed
value that the client sends to the ASA at connect time.

Table 67-5    client-access-rule Command Keywords and Variables

Parameter           Description

deny                Denies connections for devices of a particular type and/or version.

none                Allows no client access rules. Sets client-access-rule to a null value,
                    thereby imposing no restriction, and prevents inheriting a value from a
                    default or specified group policy.

permit              Permits connections for devices of a particular type and/or version.

priority            Determines the priority of the rule. The rule with the lowest integer has
                    the highest priority, so the rule with the lowest integer that matches a
                    client type and/or version is the rule that applies. If a rule with a
                    higher integer (lower priority) contradicts it, the ASA ignores that rule.

type type           Identifies the device type via a free-form string, for example VPN 3002.
                    The string must match exactly its appearance in the show vpn-sessiondb
                    remote display, except that you can enter the * character as a wildcard.

version version     Identifies the device version via a free-form string, for example 7.0.
                    The string must match exactly its appearance in the show vpn-sessiondb
                    remote display, except that you can enter the * character as a wildcard.
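The following Python model of the rule evaluation described above is an added example, not Cisco code and not something the ASA runs; it exists so that a rule set can be checked against the client type and version strings it is meant to admit before the configuration is applied. The group policy names other than FirstGroup, the choice of FirstGroup as the default group policy for the inheritance case, and the decision that a client matching no rule is denied (this page does not state what happens in that case; confirm it against the client-access-rule command reference for your release) are assumptions of the example.

```python
"""Model of ASA client-access-rule evaluation (added illustration, not ASA code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # lowest integer wins
    action: str     # "permit" or "deny"
    type_: str      # client type string as shown by "show vpn-sessiondb remote"
    version: str    # client version string; "*" is a wildcard in both fields


# Sentinel for "client-access-rule none": a null rule set that blocks
# inheritance from the default group policy and restricts nothing.
NONE = "none"


def matches(pattern: str, value: str) -> bool:
    """Exact string match, except that '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def effective_rules(group_rules, default_rules):
    """Rules the ASA evaluates for a group policy.

    group_rules is NONE (client-access-rule none), an empty list (no rules
    configured, so the default group policy's rules are inherited) or a list
    of Rule objects.
    """
    if group_rules == NONE:
        return []
    if not group_rules:
        return list(default_rules)
    return list(group_rules)


def decide(rules, client_type: str, client_version: str) -> str:
    """Return 'permit' or 'deny' for one connecting client."""
    if not rules:
        return "permit"          # no rules at all: no restriction
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule.type_, client_type) and matches(rule.version, client_version):
            return rule.action   # lowest matching integer wins; later rules are ignored
    # Assumption (not stated on this page): a client matching no rule is denied.
    return "deny"


# The FirstGroup rules from the page, plus a contradicting rule 3 added here to
# show that rule 1 still applies to WinNT clients because its integer is lower.
FIRST_GROUP = [
    Rule(3, "permit", "WinNT", "*"),   # added for illustration; never reached
    Rule(1, "deny", "WinNT", "*"),
    Rule(2, "permit", "Cisco VPN Client", "4.*"),
]

# Hypothetical group policies showing inheritance and the none keyword.
INHERITING_GROUP = []      # no rules configured: inherits the default policy's rules
UNRESTRICTED_GROUP = NONE  # client-access-rule none


def check(group_rules, client_type: str, client_version: str) -> str:
    """Decision for a client under a group policy, with FirstGroup assumed as
    the default group policy whose rules are inherited."""
    return decide(effective_rules(group_rules, FIRST_GROUP), client_type, client_version)


if __name__ == "__main__":
    groups = ((FIRST_GROUP, "FirstGroup"), (INHERITING_GROUP, "Inheriting"),
              (UNRESTRICTED_GROUP, "Unrestricted"))
    clients = (("WinNT", "4.0"), ("Cisco VPN Client", "4.6"), ("Cisco VPN Client", "5.0"))
    for grp, name in groups:
        for ct, cv in clients:
            print(f"{name:12} {ct!r:20} {cv:5} -> {check(grp, ct, cv)}")
```

Running the block prints the decision for each client against each policy; the Cisco VPN Client 5.0 row is the case worth noticing, since neither rule on the page matches it and the outcome depends on the unmatched-client behaviour you confirmed for your release.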
