Configuring client access rules – Cisco ASA 5505 User Manual


67-68

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Supporting a Zone Labs Integrity Server

The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention
Security Agent for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-firewall req cisco-security-agent
hostname(config-group-policy)#

Configuring Client Access Rules

Configure rules that limit the remote access client types and versions that can connect via IPsec through
the ASA by using the client-access-rule command in group-policy configuration mode. Construct rules
according to these guidelines:

If you do not define any rules, the ASA permits all connection types.

When a client matches none of the rules, the ASA denies the connection. If you define a deny rule,
you must also define at least one permit rule; otherwise, the ASA denies all connections.

For both software and hardware clients, type and version must exactly match their appearance in the
show vpn-sessiondb remote display.

The * character is a wildcard, which you can enter multiple times in each rule. For example,
client-access-rule 3 deny type * version 3.* creates a priority 3 client access rule that denies all
client types running release versions 3.x software.

You can construct a maximum of 25 rules per group policy.

There is a limit of 255 characters for an entire set of rules.

You can enter n/a for clients that do not send client type and/or version.
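To make the guidelines above concrete, the following Python model evaluates a client-access-rule set against a client's type and version and flags the rule-set mistakes the guidelines warn about. It is an added example, not Cisco code: it assumes that the lowest-numbered matching rule decides the outcome and that the 255-character limit is counted over the rule text as typed.

```python
import re
import shlex
from dataclasses import dataclass

MAX_RULES = 25           # maximum rules per group policy (from the guidelines above)
MAX_RULESET_CHARS = 255  # limit for an entire set of rules
SAMPLE_RULES = [  # constructed sample: two deny rules plus the permit rule the guidelines require
    'client-access-rule 1 deny type "Cisco VPN Client" version 4.0',
    'client-access-rule 3 deny type * version 3.*',
    'client-access-rule 10 permit type * version *',
]

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str   # "permit" or "deny"
    ctype: str    # client type as shown by 'show vpn-sessiondb remote', "*" wildcard, or "n/a"
    version: str  # client version as shown there, "*" wildcard, or "n/a"

def parse_rule(line: str) -> Rule:
    """Parse 'client-access-rule N permit|deny type T version V' (T may be quoted)."""
    tok = shlex.split(line)
    if (len(tok) != 7 or tok[0] != "client-access-rule" or tok[3] != "type"
            or tok[5] != "version" or tok[2] not in ("permit", "deny")):
        raise ValueError(f"unrecognised rule syntax: {line!r}")
    return Rule(int(tok[1]), tok[2], tok[4], tok[6])

def _matches(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; everything else must match exactly."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(rules, client_type: str, client_version: str) -> str:
    """Return 'permit' or 'deny' for a client presenting the given type and version."""
    if not rules:
        return "permit"  # no rules defined: all connection types are permitted
    for rule in sorted(rules, key=lambda r: r.priority):  # assumption: lowest-numbered match decides
        if _matches(rule.ctype, client_type) and _matches(rule.version, client_version):
            return rule.action
    return "deny"  # the client matched none of the rules

def lint(lines) -> list:
    # Flag rule sets that the guidelines say will be rejected or will lock every client out.
    rules, problems = [parse_rule(ln) for ln in lines], []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the {MAX_RULES}-rule maximum")
    if sum(len(ln) for ln in lines) > MAX_RULESET_CHARS:  # assumption: counted over rule text as typed
        problems.append(f"rule set exceeds {MAX_RULESET_CHARS} characters")
    if any(r.action == "deny" for r in rules) and not any(r.action == "permit" for r in rules):
        problems.append("deny rule without any permit rule: every client will be denied")
    return problems
```

Running lint() over only the two deny rules of SAMPLE_RULES reports the missing permit rule, which is the case the guidelines single out as denying all connections.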

To delete a rule, enter the no form of this command. This command is equivalent to the following
command:

hostname(config-group-policy)# client-access-rule 1 deny type "Cisco VPN Client" version 4.0

Table 67-4 client-firewall Command Keywords and Variables

none
    Indicates that there is no client firewall policy. Sets a firewall policy
    with a null value, thereby disallowing a firewall policy. Prevents
    inheriting a firewall policy from a default or specified group policy.

opt
    Indicates an optional firewall type.

product-id
    Identifies the firewall product.

req
    Indicates a required firewall type.

sygate-personal
    Specifies the Sygate Personal firewall type.

sygate-personal-pro
    Specifies the Sygate Personal Pro firewall type.

sygate-security-agent
    Specifies the Sygate Security Agent firewall type.

vendor-id
    Identifies the firewall vendor.

zonelabs-integrity
    Specifies the Zone Labs Integrity Server firewall type.

zonelabs-zonealarm
    Specifies the Zone Labs Zone Alarm firewall type.

zonelabs-zonealarmorpro policy
    Specifies the Zone Labs Zone Alarm or Pro firewall type.

zonelabs-zonealarmpro policy
    Specifies the Zone Labs Zone Alarm Pro firewall type.
