1-80
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Supporting a Zone Labs Integrity Server
• If you do not define any rules, the ASA permits all connection types.
• When a client matches none of the rules, the ASA denies the connection. If you define a deny rule,
you must also define at least one permit rule; otherwise, the ASA denies all connections.
• For both software and hardware clients, type and version must exactly match their appearance in the
show vpn-sessiondb remote display.
• The * character is a wildcard, which you can enter multiple times in each rule. For example,
client-access rule 3 deny type * version 3.* creates a priority 3 client access rule that denies all
client types running versions 3.x software.
• You can construct a maximum of 25 rules per group policy.
• There is a limit of 255 characters for an entire set of rules.
• You can enter n/a for clients that do not send client type and/or version.
To delete a rule, enter the no form of this command. This command is equivalent to the following
command:
hostname(config-group-policy)# client-access-rule 1 deny type "Cisco VPN Client" version
4.0
To delete all rules, enter the no client-access-rule command without arguments. This deletes all
configured rules, including a null rule if you created one by issuing the client-access-rule command
with the none keyword.
By default, there are no access rules. When there are no client access rules, users inherit any rules that
exist in the default group policy.
To prevent users from inheriting client access rules, enter the client-access-rule command with the none
keyword. The result of this command is that all client types and versions can connect.
hostname(config-group-policy)# client-access rule priority {permit | deny} type type
version {version | none}
hostname(config-group-policy)# no client-access rule [priority
{permit | deny} type type
version version]
Table 70-5 explains the meaning of the keywords and parameters in these commands.
Table 1-5 client-access rule Command Keywords and Variables
Parameter Description
deny Denies connections for devices of a particular type and/or version.
none Allows no client access rules. Sets client-access-rule to a null value, thereby
allowing no restriction. Prevents inheriting a value from a default or
specified group policy.
permit Permits connections for devices of a particular type and/or version.
priority Determines the priority of the rule. The rule with the lowest integer has the
highest priority. Therefore, the rule with the lowest integer that matches a
client type and/or version is the rule that applies. If a lower priority rule
contradicts, the ASA ignores it.
To Next Page
Loading...
Need help?
General
