Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1417
Views
0
Helpful
3
Replies

ASA 5525 WebVPN "stop rule"

ropauljr87
Level 1
Level 1

‎02-20-2019 02:36 PM - edited ‎02-21-2020 08:50 AM

How does Cisco ASA conduct the order of processing? A competitor box runs all the rules in a logical order (“IF/Then” “stop/next”).  Does the Cisco ASA WebVPN DAP process policies and have no stop rule ability? I’m curious if the ASA processes policies? Does it hit the first DAP and move onto the next DAP, or is there a way to issue a "stop", and then process the next DAP(s)?

0 Helpful
3 Replies 3

Rahul Govindan
VIP Alumni
VIP Alumni

‎02-20-2019 02:52 PM

ASA processes all DAP policies for every single connection. The end result is a combination of all the DAP policies selected. So if the Action is to assign a filter for 2 DAP policy that the user hits, the ASA combines the filter lines into 1 and assigns it to the user. IF the Action is deny connection in any one of the DAP policies hit, then the user is denied connection. The ASA does not stop processing DAP if it matches a condition. If it does not match any of the DAP policies, it takes the action in the Default DAP policy. 

0 Helpful

ropauljr87
Level 1
Level 1
In response to Rahul Govindan

‎02-22-2019 06:03 AM

Rahul,
Thank you for your answer. So, with the below scenario, it seems since the ASA process all DAP policies, then Rule 3 would break Rule 2...correct?

Rule 1:
user = ('BP*' or 'NON*' OR 'bp*' OR 'non*')   gets one training bookmark regardless of background flag. Basically, you just need a valid RSA token.

 

Rule 2:

userAttr.backgroundcheck = 'no'  AND  userAttr.ou = 'buspartner'    stop rule

userAttr.backgroundcheck = 'no'  AND  userAttr.ou = 'contractor'     stop rule

userAttr.backgroundcheck = 'no'  AND  userAttr.ou = 'JV'                 stop rule

 

Rule 3:

username is  "*"    Everyone gets directory service pages

 

Without a stop rule ability, would the Rule 3 break Rule 2 and give everyone the directory service pages? Or, would you be able to keep the integrity of Rule 2 and not allow these users access by giving the DAP policy higher priority?

0 Helpful

Rahul Govindan
VIP Alumni
VIP Alumni
In response to ropauljr87

‎02-22-2019 02:54 PM

If I recall correctly, then the user would get both bookmarks from Rule 2 AND Rule 3. If Rule 3 is the default rule (Default DAP policy), then it won't be hit unless none of the above rules match. 

 

This guide should explain the DAP aggregation bit in detail:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#t5

 

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card