Block the use of old VPN client.

helpdesk
Level 1

Hello,

I would like to block connections that are still using old versions of the VPN client software.

I use an ASA5510.

I can ask clients to use the new version as provided on the ASA but they can still refuse this.

To force the use of the latest client I will have the ability to block the older versions.

Anybody?

Thanks.

Bart

1 Accepted Solution

yamramos.tueme
Level 1

Hi Bart!

You can restrict the VPN Client versions connecting to the ASA using the "client-access-rule" in your group-policy attributes. With this command you can restrict by type or version of the client.

You'll find the details on how to use it in the following link, so you can restrict the old versions you want to avoid:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499

Hope that works for you!

Cheers!

- Yamil
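
A sketch of the group-policy configuration this answer describes, added here as an example (it is not part of the original post). The group-policy name REMOTE-USERS and the version patterns 4.* and 5.* are assumptions; substitute the Client Type and Client Ver strings your own ASA reports.

```cisco
! Added example. REMOTE-USERS, 4.* and 5.* are assumed values.
!
! Step 1: see which client types and versions are connecting today.
! The type and version in a rule must match what this output shows.
show vpn-sessiondb remote

! Step 2: add the rules to the group policy the users land in.
configure terminal
 group-policy REMOTE-USERS attributes
  ! Rules are checked in priority order, lowest number first.
  ! Deny every client reporting a 4.x version, whatever its type.
  client-access-rule 10 deny type * version 4.*
  ! Permit clients reporting a 5.x version.
  ! A client that matches no rule is denied, and a policy with only
  ! deny rules blocks everyone, so at least one permit rule is needed.
  client-access-rule 20 permit type * version 5.*
 end

! Step 3: confirm what was written to the policy.
show running-config group-policy REMOTE-USERS
```

Test with one old and one current client before applying this to a production group policy, because any version not covered by a permit rule is refused.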

3 Replies

Todd Pula
Level 7

Depending on the version of code you are running, you could build a Dynamic Access Policy (DAP).  To block IPSec client access while permitting AnyConnect/Clientless WebVPN, you can configure a policy to match on the endpoint attribute "Application" and "clienttype = IPSec".  This policy will be set to terminate so you will need a secondary policy (either specific or default) to continue connections via AnyConnect, clientless WebVPN, etc.  In ASDM, you build DAP policies via Configuration->Network (Client) Access->Dynamic Access Policies.  In my lab testing, I built a new terminate (deny) policy called BLOCK-IPSEC and matched on the above endpoint attribute.  I then set the DfltAccessPolicy to continue (permit).

Hi Yamil,

Tnx, this should work.

Regards,

Bart
