User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
Add or Edit User Group Dialog Box
User Group Dialog Box—IOS Client Settings
Configure IOS client settings to define Cisco IOS specific options for your user group, including firewall
settings for VPN clients.
Note: These settings apply in Easy VPN and remote access IPSec VPN configurations.
Navigation Path
Select Client Settings (IOS) from the table of contents in the Add or Edit User Group Dialog Box,
page 33-58.
Field Reference
Table 33-47 User Group Dialog Box—Client Settings (IOS)

Element: Enable Firewall Are-You-There (Not available on 7600 series or ASR routers.)
Description: This feature may be used if a VPN client is running the Black Ice or Zone Alarm personal firewall. When selected, it ensures that the personal firewall is running at connection time and throughout the connection. The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if the server prompts them to do so. If the personal firewall stops running, the connection is terminated. If this feature is enabled and there is no personal firewall running on the server, the connection is never established.

Element: Mode
Description: A Central Policy Push (CPP) firewall policy on a server allows or denies a tunnel on the basis of whether the remote device has a required firewall for a local AAA server. The Mode option specifies whether the CPP policy is optional or mandatory, as follows:
Optional—If the CPP policy is defined as optional, and is included in the Easy VPN server configuration, the tunnel setup is continued even if the client does not confirm the defined policy.
Required—If the CPP policy is defined as mandatory and is included in the Easy VPN server configuration, the tunnel setup is allowed only if the client confirms this policy. Otherwise, the tunnel is terminated.

Element: Firewall Type
Description: The type of firewall that you are making required or optional. The list shows all of the supported firewall software, which includes software from Cisco and Zone Labs.