Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup: ACL Manager (page 69-26)
Client Firewall with Local Printer and Tethered Device Support
When users connect to the ASA, all traffic is tunneled through the connection and users cannot access
resources on their local network. This includes printers, cameras, and Windows Mobile devices (tethered
devices) that sync with the local computer. Enabling Local LAN Access in the client profile resolves this
problem; however, it can introduce a security or policy concern for some enterprises because it grants
unrestricted access to the local network. You can use the ASA to deploy endpoint OS firewall capabilities
to restrict access to particular types of local resources, such as printers and tethered devices.
To do so, enable client firewall rules for the specific ports used for printing. The client distinguishes between
inbound and outbound rules. For printing capabilities, the client opens the ports required for outbound
connections but blocks all incoming traffic. The client firewall is independent of the always-on feature.
Note: Be aware that users logged in as administrators have the ability to modify the firewall rules deployed to
the client by the ASA. Users with limited privileges cannot modify the rules. For either user, the client
reapplies the rules when the connection terminates.
If you configure the client firewall, and the user authenticates to an Active Directory (AD) server, the
client still applies the firewall policies from the ASA. However, the rules defined in the AD group policy
take precedence over the rules of the client firewall.

Usage Notes about Firewall Behavior

The following notes clarify how the AnyConnect client uses the firewall:
- The source IP is not used for firewall rules. The client ignores the source IP information in the
  firewall rules sent from the ASA. The client determines the source IP depending on whether the rules
  are public or private. Public rules are applied to all interfaces on the client. Private rules are applied
  to the Virtual Adapter.
- The ASA supports many protocols for ACL rules. However, the AnyConnect firewall feature
  supports only TCP, UDP, ICMP, and IP. If the client receives a rule with a different protocol, it treats
  it as an invalid firewall rule, and then disables split tunneling and uses full tunneling for security
  reasons.
- Be aware of the following differences in behavior for each operating system:
  - For Windows computers, deny rules take precedence over allow rules in Windows Firewall. If the
    ASA pushes down an allow rule to the AnyConnect client, but the user has created a custom deny
    rule, the AnyConnect rule is not enforced.
  - On Windows Vista, when a firewall rule is created, Vista takes the port number range as a
    comma-separated string. The port range can be a maximum of 300 ports, for example 1-300
    or 5000-5300. If you specify a range greater than 300 ports, the firewall rule is applied only to the
    first 300 ports.
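As an added illustration (constructed here, not Cisco's code), the following Python model applies the client behaviors listed above to a candidate rule set before it is pushed: an unsupported protocol forces full tunneling, source addresses are ignored in favor of the public/private scope, and on Windows Vista only the first 300 ports of a range take effect. The AclRule class, the function names and the sample addresses and ports are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model, not Cisco code: how the AnyConnect client treats pushed rules.
CLIENT_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}  # all the client firewall supports
VISTA_MAX_PORTS = 300                            # ports honoured per rule on Vista


@dataclass
class AclRule:
    action: str                  # "permit" or "deny"
    protocol: str                # as configured on the ASA, e.g. "tcp", "gre"
    scope: str = "public"        # "public": all interfaces; "private": Virtual Adapter
    src: Optional[str] = None    # ignored by the client; kept to surface the warning
    ports: Optional[Tuple[int, int]] = None  # inclusive destination port range


def vista_effective_range(ports: Tuple[int, int]) -> Tuple[Tuple[int, int], bool]:
    """Return the sub-range Vista actually applies and whether the rule was cut."""
    first, last = ports
    if last - first + 1 <= VISTA_MAX_PORTS:
        return ports, False
    return (first, first + VISTA_MAX_PORTS - 1), True


def preflight(rules: List[AclRule]) -> Tuple[bool, List[str]]:
    """Return (full_tunnel_fallback, warnings) for a rule set the ASA would push."""
    full_tunnel = False
    warnings: List[str] = []
    for i, r in enumerate(rules):
        if r.protocol.lower() not in CLIENT_PROTOCOLS:
            full_tunnel = True  # invalid rule: client disables split tunneling
            warnings.append(f"rule {i}: protocol {r.protocol!r} unsupported; "
                            "client falls back to full tunneling")
        if r.src:
            warnings.append(f"rule {i}: source {r.src} is ignored; the client derives "
                            f"it from the {r.scope!r} scope")
        if r.ports:
            eff, cut = vista_effective_range(r.ports)
            if cut:
                warnings.append(f"rule {i}: Vista applies only ports {eff[0]}-{eff[1]}")
    return full_tunnel, warnings


if __name__ == "__main__":
    # Constructed sample: IPP printing port, an over-long range, and a GRE rule.
    sample = [
        AclRule("permit", "tcp", ports=(631, 631)),
        AclRule("permit", "tcp", "private", src="10.0.0.0/8", ports=(5000, 5400)),
        AclRule("permit", "gre"),
    ]
    fallback, notes = preflight(sample)
    print("full tunneling:", fallback, *notes, sep="\n")
```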
Supported modes table: Firewall Mode (Routed, Transparent); Security Context (Single; Multiple: Context, System).