Cisco Support Community
Community Member

Block the use of old VPN client.

Hello,

I would like to block connections that are still using old versions of the VPN client software.

I use an ASA5510.

I can ask clients to use the new version as provided on the ASA but they can still refuse this.

To force the use of the latest client I will have the ability to block the older versions.

Anybody?

Thanks.

Bart


Accepted Solutions
Community Member

Re: Block the use of old VPN client.

Hi Bart!

You can restrict the VPN Client versions connecting to the ASA using the "client-access-rule" in your group-policy attributes. With this command you can restrict by type or version of the client.

You'll find the details on how to use it in the following link, so you can restrict the old versions you want to avoid:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c4.html#wp2118499

Hope that works for you!

Cheers!

- Yamil
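
A sketch of what the accepted answer describes, added here as an illustration and not taken from the original post or from Cisco's documentation. The group-policy name `REMOTE-USERS` and the version pattern `4.*` are constructed placeholders; the type and version strings have to match what the ASA reports for connected clients in `show vpn-sessiondb remote`.

```cisco
! Constructed example: policy name and version pattern are placeholders.
group-policy REMOTE-USERS attributes
 ! The rule with the lowest priority number that matches the client applies.
 ! Deny any client type that reports an outdated release (placeholder pattern).
 client-access-rule 1 deny type * version 4.*
 ! Permit everything else. Once any rule exists, a client that matches
 ! no rule is denied, so a deny rule needs at least one permit rule.
 client-access-rule 2 permit type * version *
```

If no rules are defined in the group policy, the ASA permits all client types and versions, which is the behaviour the original question is trying to change.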

3 REPLIES

Re: Block the use of old VPN client.

Depending on the version of code you are running, you could build a Dynamic Access Policy (DAP).  To block IPSec client access while permitting AnyConnect/Clientless WebVPN, you can configure a policy to match on the endpoint attribute "Application" and "clienttype = IPSec".  This policy will be set to terminate so you will need a secondary policy (either specific or default) to continue connections via AnyConnect, clientless WebVPN, etc.  In ASDM, you build DAP policies via Configuration->Network (Client) Access->Dynamic Access Policies.  In my lab testing, I built a new terminate (deny) policy called BLOCK-IPSEC and matched on the above endpoint attribute.  I then set the DfltAccessPolicy to continue (permit).

Community Member

Re: Block the use of old VPN client.

Hi Yamil,

Thanks, this should work.

Regards,

Bart
