Block the use of old VPN client.

Answered Question

Hello,


I would like to block connections that are still using old versions of the VPN client software.

I use an ASA5510.

I can ask clients to use the new version as provided on the ASA but they can still refuse this.

To force the use of the latest client I will have the ability to block the older versions.

Anybody?

Thanks.


Bart

Correct Answer by yamramos.tueme about 7 years 6 months ago

Hi Bart!


You can restrict the VPN Client versions connecting to the ASA using the "client-access-rule" in your group-policy attributes. With this command you can restrict by type or version of the client.

You'll find the details on how to use it in the following link, so you can restrict the old versions you want to avoid:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499


Hope that works for you!


Cheers!

- Yamil

Overall Rating: 5 (1 ratings)
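
A sketch of the "client-access-rule" approach from the answer above, added here as an illustration and not part of the original post. The group-policy name REMOTE-USERS and the version patterns are placeholders; take the real type and version strings from the session display on your own ASA.

```cisco
! Added example. REMOTE-USERS and the version patterns below are
! placeholders, not values from this thread.
!
! Step 1: see what connected clients actually report. The type and
! version strings in a rule must match this display exactly.
show vpn-sessiondb remote
!
! Step 2: add the rules to the group policy the VPN users land in.
! The lowest number has the highest priority, and the first rule that
! matches a client decides the outcome. "*" is a wildcard.
group-policy REMOTE-USERS attributes
 client-access-rule 1 deny type * version 3.*
 client-access-rule 2 deny type * version 4.*
 client-access-rule 3 permit type * version 5.*
!
! Behaviour to keep in mind:
!  - With no rules defined, every client type and version is permitted.
!  - Once any rule exists, a client that matches none of them is denied,
!    so a deny rule needs at least one permit rule beside it or the
!    policy rejects every connection.
!
! Step 3: confirm what was applied.
show running-config group-policy REMOTE-USERS
```

Because unmatched clients are denied, the two deny rules are redundant with the single permit here; they are kept only to make the intent visible in the running configuration.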
Todd Pula Wed, 01/06/2010 - 14:34

Depending on the version of code you are running, you could build a Dynamic Access Policy (DAP).  To block IPSec client access while permitting AnyConnect/Clientless WebVPN, you can configure a policy to match on the endpoint attribute "Application" and "clienttype = IPSec".  This policy will be set to terminate so you will need a secondary policy (either specific or default) to continue connections via AnyConnect, clientless WebVPN, etc.  In ASDM, you build DAP policies via Configuration->Network (Client) Access->Dynamic Access Policies.  In my lab testing, I built a new terminate (deny) policy called BLOCK-IPSEC and matched on the above endpoint attribute.  I then set the DfltAccessPolicy to continue (permit).

Correct Answer
yamramos.tueme Thu, 01/07/2010 - 13:49