Cisco Systems ASA5515K9, ASA 5500

67-69

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Supporting a Zone Labs Integrity Server

To delete all rules, enter the no client-access-rule command without arguments. This deletes all

configured rules, including a null rule if you created one by issuing the client-access-rule command with

the none keyword.

By default, there are no access rules. When there are no client access rules, users inherit any rules that

exist in the default group policy.

To prevent users from inheriting client access rules, enter the client-access-rule command with the none

keyword. The result of this command is that all client types and versions can connect.

hostname(config-group-policy)# client-access rule priority {permit | deny} type type

version {version | none}

hostname(config-group-policy)# no client-access rule [priority {permit | deny} type type

version version]

Table67-5 explains the meaning of the keywords and parameters in these commands.

The following example shows how to create client access rules for the group policy named FirstGroup.

These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT

clients:

hostname(config)# group-policy FirstGroup attributes

hostname(config-group-policy)# client-access-rule 1 deny type WinNT version *

hostname(config-group-policy)# client-access-rule 2 permit “Cisco VPN Client” version 4.*

Note The “type” field is a free-form string that allows any value, but that value must match the fixed

value that the client sends to the ASA at connect time.

Table67-5 client-access rule Command Keywords and Variables

Parameter Description

deny Denies connections for devices of a particular type and/or version.

none Allows no client access rules. Sets client-access-rule to a null value, thereby

allowing no restriction. Prevents inheriting a value from a default or

specified group policy.

permit Permits connections for devices of a particular type and/or version.

priority Determines the priority of the rule. The rule with the lowest integer has the

highest priority. Therefore, the rule with the lowest integer that matches a

client type and/or version is the rule that applies. If a lower priority rule

contradicts, the ASA ignores it.

type type Identifies device types via free-form strings, for example VPN 3002. A

string must match exactly its appearance in the show vpn-sessiondb

remote display, except that you can enter the * character as a wildcard.

version version Identifies the device version via free-form strings, for example 7.0. A string

must match exactly its appearance in the show vpn-sessiondb remote

display, except that you can enter the * character as a wildcard.