67-69
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Supporting a Zone Labs Integrity Server
To delete all rules, enter the no client-access-rule command without arguments. This deletes all
configured rules, including a null rule if you created one by issuing the client-access-rule command with
the none keyword.
By default, there are no access rules. When there are no client access rules, users inherit any rules that
exist in the default group policy.
To prevent users from inheriting client access rules, enter the client-access-rule command with the none
keyword. The result of this command is that all client types and versions can connect.
hostname(config-group-policy)# client-access rule priority {permit | deny} type type
version {version | none}
hostname(config-group-policy)# no client-access rule [priority {permit | deny} type type
version version]
Table67-5 explains the meaning of the keywords and parameters in these commands.
The following example shows how to create client access rules for the group policy named FirstGroup.
These rules permit Cisco VPN clients running software version 4.x, while denying all Windows NT
clients:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 deny type WinNT version *
hostname(config-group-policy)# client-access-rule 2 permit “Cisco VPN Client” version 4.*
Note The “type” field is a free-form string that allows any value, but that value must match the fixed
value that the client sends to the ASA at connect time.
Table67-5 client-access rule Command Keywords and Variables
Parameter Description
deny Denies connections for devices of a particular type and/or version.
none Allows no client access rules. Sets client-access-rule to a null value, thereby
allowing no restriction. Prevents inheriting a value from a default or
specified group policy.
permit Permits connections for devices of a particular type and/or version.
priority Determines the priority of the rule. The rule with the lowest integer has the
highest priority. Therefore, the rule with the lowest integer that matches a
client type and/or version is the rule that applies. If a lower priority rule
contradicts, the ASA ignores it.
type type Identifies device types via free-form strings, for example VPN 3002. A
string must match exactly its appearance in the show vpn-sessiondb
remote display, except that you can enter the * character as a wildcard.
version version Identifies the device version via free-form strings, for example 7.0. A string
must match exactly its appearance in the show vpn-sessiondb remote
display, except that you can enter the * character as a wildcard.