Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

DAP rule for IPSec clients

I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannont connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.


Re: DAP rule for IPSec clients

You can add a policy for your IPSec users which will match on the "application" endpoint attribute type. You will then set the "client type" to "IPSec" and the default action to continue.

New Member

Re: DAP rule for IPSec clients

Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assesment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.



Cisco Employee

Re: DAP rule for IPSec clients


You can't do hostscan with IPSEC, which is required for checking whether av/as/fw is installed. You have to use anyconnect.


New Member

Re: DAP rule for IPSec clients

Hmm, no posturing for av/as/fw at all with IPSec, or just through the DAP? W/ pre-login policies you can check for file/registry/os, etc.

CreatePlease to create content