Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
ACL Manager
Permit—Permits all matching traffic.
Deny—Denies all matching traffic.
Host/Network IP Address—Identifies the networks by IP address.
IP address—The IP address of the host or network.
Mask—The subnet mask of the host or network.
Description—(Optional) Enter a description of the access rule.
Modes
The following table shows the modes in which this feature is available:
Add/Edit Internal Group Policy > Client Firewall
The Add or Edit Group Policy Client Firewall dialog box lets you configure firewall settings for VPN
clients for the group policy being added or modified.
Note: Only VPN clients running Microsoft Windows can use these firewall features. They are currently not
available to hardware clients or other (non-Windows) software clients.
A firewall isolates and protects a computer from the Internet by inspecting each individual inbound and
outbound data packet to determine whether to allow or drop it. Firewalls provide extra security if
remote users in a group have split tunneling configured. In this case, the firewall protects the user’s PC,
and thereby the corporate network, from intrusions by way of the Internet or the user’s local LAN.
Remote users connecting to the ASA with the VPN client can choose the appropriate firewall option.
In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces
firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If
the firewall stops running, the VPN client drops the connection to the ASA. (This firewall enforcement
mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it
periodic “are you there?” messages; if no reply comes, the VPN client knows the firewall is down and
terminates its connection to the ASA.) The network administrator might configure these PC firewalls
originally, but with this approach, each user can customize his or her own configuration.
In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls
on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using
split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the
Internet while tunnels are established. This firewall scenario is called push policy or Central Protection
Policy (CPP). On the ASA, you create a set of traffic management rules to enforce on the VPN client,
associate those rules with a filter, and designate that filter as the firewall policy. The ASA pushes this
policy down to the VPN client. The VPN client in turn passes the policy to the local firewall, which
enforces it.
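The CPP steps described above (rules, filter, firewall policy), sketched as the equivalent ASA CLI configuration rather than ASDM dialogs. This is an added example, not taken from the guide; the group policy name, the ACL names, and the 10.10.0.0/16 corporate range are assumptions.

```text
! Constructed example. REMOTE_STAFF, SPLIT_NETS, CPP_IN, CPP_OUT and
! 10.10.0.0/16 are placeholder names and addresses, not values from the guide.

! Split tunneling: only traffic to the corporate range goes through the tunnel;
! everything else leaves the PC directly, which is why the PC needs a firewall.
access-list SPLIT_NETS standard permit 10.10.0.0 255.255.0.0

! Step 1: traffic management rules the client firewall will enforce.
! Inbound (toward the PC): accept corporate sources, drop everything else.
access-list CPP_IN extended permit ip 10.10.0.0 255.255.0.0 any
access-list CPP_IN extended deny ip any any
! Outbound (from the PC): unrestricted in this sketch; tighten as policy requires.
access-list CPP_OUT extended permit ip any any

! Steps 2 and 3: attach the rules to the group policy as the pushed firewall policy.
group-policy REMOTE_STAFF internal
group-policy REMOTE_STAFF attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NETS
 ! "req" makes the firewall mandatory for this group; "opt" makes it optional.
 ! cisco-integrated selects the firewall built into the Cisco VPN client,
 ! with acl-in/acl-out supplying the inbound and outbound policy.
 client-firewall req cisco-integrated acl-in CPP_IN acl-out CPP_OUT
```

Because only Windows VPN clients support these firewall features, a group that also contains other client types would need `opt` instead of `req`, or a separate group policy.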
Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System
——