DAP rule for IPSec clients

Unanswered Question
Oct 30th, 2009

I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

Overall Rating: 5 (1 ratings)
Todd Pula Mon, 11/02/2009 - 08:09

You can add a policy for your IPSec users which will match on the "application" endpoint attribute type. You will then set the "client type" to "IPSec" and the default action to continue.

brian.kennedy Mon, 11/02/2009 - 09:18

Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.


Thanks


Brian

Jason Gervia (Cisco Employee) Mon, 11/02/2009 - 09:23

Brian,


You can't do hostscan with IPSEC, which is required for checking whether av/as/fw is installed. You have to use anyconnect.


--Jason
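
An added example, not part of the original thread and not Cisco code: a simplified model of DAP record selection showing why the IPSec rule stops matching once an antivirus criterion is added. It assumes criteria in a record are ANDed and that a session with no host scan data carries no AV attributes; the attribute keys and rule names are hypothetical.

```python
# Simplified model of DAP record selection (illustration only, not Cisco's code).
# Attribute keys "client_type", "av_exists", "av_age_days" are hypothetical names.
TERMINATE, CONTINUE = "terminate", "continue"

def record_matches(record, attrs):
    """All criteria in a record are ANDed; a missing attribute never matches."""
    return all(key in attrs and test(attrs[key])
               for key, test in record["criteria"].items())

def evaluate(records, attrs, default_action=TERMINATE):
    """Return (action, names of matched records) for one session."""
    matched = [r for r in records if record_matches(r, attrs)]
    if not matched:
        return default_action, []          # nothing selected: default policy applies
    if any(r["action"] == TERMINATE for r in matched):
        return TERMINATE, [r["name"] for r in matched]
    return CONTINUE, [r["name"] for r in matched]

fresh_av = {"av_exists": lambda v: v is True, "av_age_days": lambda d: d < 7}

anyconnect_rule = {"name": "anyconnect-av", "action": CONTINUE,
    "criteria": {"client_type": lambda c: c == "AnyConnect", **fresh_av}}
ipsec_rule = {"name": "ipsec-allow", "action": CONTINUE,
    "criteria": {"client_type": lambda c: c == "IPSec"}}
ipsec_av_rule = {"name": "ipsec-av", "action": CONTINUE,
    "criteria": {"client_type": lambda c: c == "IPSec", **fresh_av}}

# Constructed sessions. The IPSec session carries no AV attributes because
# no host scan ran for it, as stated in the reply above.
SESSIONS = {
    "anyconnect_fresh": {"client_type": "AnyConnect", "av_exists": True, "av_age_days": 2},
    "anyconnect_stale": {"client_type": "AnyConnect", "av_exists": True, "av_age_days": 10},
    "ipsec": {"client_type": "IPSec"},
}

def run(records):
    """Evaluate every constructed session against a rule set."""
    return {name: evaluate(records, attrs)[0] for name, attrs in SESSIONS.items()}

if __name__ == "__main__":
    print("client-type only:", run([anyconnect_rule, ipsec_rule]))
    print("AV added to IPSec:", run([anyconnect_rule, ipsec_av_rule]))
```

With the client-type-only rule the IPSec session continues; with the AV criterion added no record matches it, so the default terminate policy applies.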

brian.kennedy Mon, 11/02/2009 - 09:32

Hmm, no posturing for av/as/fw at all with IPSec, or just through the DAP? W/ pre-login policies you can check for file/registry/os, etc.
