01-06-2010 08:18 AM
Hello,
I would like to block connections that are still using old versions of the VPN client software.
I use an ASA5510.
I can ask clients to use the new version as provided on the ASA but they can still refuse this.
To force the use of the latest client I will have the ability to block the older versions.
Anybody?
Thanks.
Bart
01-07-2010 01:49 PM
Hi Bart!
You can restrict the VPN Client versions connecting to the ASA using the "client-access-rule" in your group-policy attributes. With this command you can restrict by type or version of the client.
You'll find the details on how to use it in the following link, so you can restrict the old versions you want to avoid:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499
Hope that works for you!
Cheers!
- Yamil
01-06-2010 02:34 PM
Depending on the version of code you are running, you could build a Dynamic Access Policy (DAP). To block IPSec client access while permitting AnyConnect/Clientless WebVPN, you can configure a policy to match on the endpoint attribute "Application" and "clienttype = IPSec". This policy will be set to terminate so you will need a secondary policy (either specific or default) to continue connections via AnyConnect, clientless WebVPN, etc. In ASDM, you build DAP policies via Configuration->Network (Client) Access->Dynamic Access Policies. In my lab testing, I built a new terminate (deny) policy called BLOCK-IPSEC and matched on the above endpoint attribute. I then set the DfltAccessPolicy to continue (permit).
01-11-2010 01:44 AM
Hi Yamil,
Tnx, this should work.
Regards,
Bart