ASA 5525 WebVPN "stop rule"

ropauljr87
Level 1

How does the Cisco ASA conduct the order of processing? A competitor box runs all the rules in a logical order ("if/then", "stop/next"). Does the Cisco ASA WebVPN DAP process policies with no stop-rule ability? I'm curious how the ASA processes policies. Does it hit the first DAP and move on to the next DAP, or is there a way to issue a "stop" and then process the next DAP(s)?

3 Replies

Rahul Govindan
VIP Alumni

The ASA processes all DAP policies for every single connection. The end result is a combination of all the DAP policies selected. So if the action is to assign a filter for two DAP policies that the user hits, the ASA combines the filter lines into one and assigns it to the user. If the action is "deny connection" in any one of the DAP policies hit, then the user is denied the connection. The ASA does not stop processing DAPs when it matches a condition. If the connection does not match any of the DAP policies, it takes the action in the default DAP policy.

Rahul,
Thank you for your answer. So, with the scenario below, it seems that since the ASA processes all DAP policies, Rule 3 would break Rule 2...correct?

Rule 1:
user = ('BP*' or 'NON*' OR 'bp*' OR 'non*')   gets one training bookmark regardless of background flag. Basically, you just need a valid RSA token.

Rule 2:
userAttr.backgroundcheck = 'no'  AND  userAttr.ou = 'buspartner'    stop rule
userAttr.backgroundcheck = 'no'  AND  userAttr.ou = 'contractor'    stop rule
userAttr.backgroundcheck = 'no'  AND  userAttr.ou = 'JV'            stop rule

Rule 3:
username is "*"    Everyone gets directory service pages

Without a stop-rule ability, would Rule 3 break Rule 2 and give everyone the directory service pages? Or would you be able to keep the integrity of Rule 2 and not allow these users access by giving the DAP policy a higher priority?

If I recall correctly, the user would get both bookmarks, from Rule 2 AND Rule 3. If Rule 3 is the default rule (the default DAP policy), then it won't be hit unless none of the rules above match.

This guide should explain the DAP aggregation bit in detail:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#t5
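To make the aggregation behaviour described in the replies above concrete, here is an added simulation (not Cisco code and not from the linked guide) that evaluates the three rules from the question the way the thread says the ASA does: every DAP is checked for each session, every matching DAP contributes its attributes, a deny in any matching DAP denies the session, and the default DAP is used only when nothing else matched. The record format, attribute names, bookmark names and the sample user are constructed for this example; a real ASA evaluates Lua expressions against a much larger attribute set. It runs the same contractor session through three configurations: Rule 3 as an ordinary DAP, Rule 3 moved into the default DAP, and Rule 2 changed to "deny connection", which is the only stop-like action the thread describes.

```python
"""Simulation of ASA DAP aggregation as described in the thread.

Constructed example: the Dap/Result types, the attribute names in the
session dict, the bookmark names and the sample users are assumptions
made for illustration, not ASA data structures.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable


@dataclass
class Dap:
    name: str
    matches: Callable[[dict], bool]   # stands in for the DAP's Lua/AAA criteria
    terminate: bool = False           # the "deny connection" action
    bookmarks: list = field(default_factory=list)


@dataclass
class Result:
    denied: bool
    matched: list      # names of the DAPs that contributed
    bookmarks: list    # union of bookmarks from all contributing DAPs


def aggregate(daps, default, session):
    """Apply the thread's rules: scan all DAPs, deny wins, default only if no hit."""
    # 1. Every DAP is evaluated; a match never stops the scan.
    hits = [d for d in daps if d.matches(session)]
    # 2. The default DAP applies only when nothing else matched.
    if not hits:
        hits = [default]
    # 3. A deny in any matching DAP denies the whole session.
    if any(d.terminate for d in hits):
        return Result(True, [d.name for d in hits], [])
    # 4. Otherwise the attributes of all hits are combined (deduplicated, in order).
    seen, bookmarks = set(), []
    for d in hits:
        for b in d.bookmarks:
            if b not in seen:
                seen.add(b)
                bookmarks.append(b)
    return Result(False, [d.name for d in hits], bookmarks)


# The three rules from the question, as match functions over a session dict.
def rule1(s):
    return any(fnmatchcase(s["username"], p) for p in ("BP*", "NON*", "bp*", "non*"))


def rule2(s):
    return s["backgroundcheck"] == "no" and s["ou"] in ("buspartner", "contractor", "JV")


def rule3(s):
    return fnmatchcase(s["username"], "*")


RULE1 = Dap("Rule1-training", rule1, bookmarks=["training"])
RULE2 = Dap("Rule2-no-bgcheck", rule2)          # no "stop" action exists to give it
RULE3 = Dap("Rule3-directory", rule3, bookmarks=["directory-services"])
EMPTY_DEFAULT = Dap("DfltAccessPolicy", lambda s: True)

# Constructed sample session: a business-partner contractor without a background check.
CONTRACTOR = {"username": "bp-jdoe", "backgroundcheck": "no", "ou": "contractor"}


def scenario_a():
    """Rule 3 as an ordinary DAP: it matches alongside Rules 1 and 2."""
    return aggregate([RULE1, RULE2, RULE3], EMPTY_DEFAULT, CONTRACTOR)


def scenario_b():
    """Rule 3 moved into the default DAP: skipped because Rules 1 and 2 matched."""
    return aggregate([RULE1, RULE2], RULE3, CONTRACTOR)


def scenario_c():
    """Rule 2 set to deny: the only stop the ASA offers, and it stops everything."""
    deny2 = Dap("Rule2-deny", rule2, terminate=True)
    return aggregate([RULE1, deny2, RULE3], EMPTY_DEFAULT, CONTRACTOR)


def scenario_d():
    """A user no DAP matches: only the default DAP's attributes apply."""
    staff = {"username": "alice", "backgroundcheck": "yes", "ou": "staff"}
    return aggregate([RULE1, RULE2], RULE3, staff)


if __name__ == "__main__":
    for fn in (scenario_a, scenario_b, scenario_c, scenario_d):
        print(f"{fn.__name__}: {fn()}")
```

Scenario A is the case the question worries about: Rule 2 matches but contributes nothing, so the contractor still receives the directory-services bookmark from Rule 3. Scenario B keeps the directory pages away from that user only because the default DAP is skipped whenever any other DAP matched, which also means a user who matches nothing else (scenario D) gets them. Scenario C shows that "deny connection" is all-or-nothing: it removes the training bookmark from Rule 1 as well.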
