Showing results for 
Search instead for 
Did you mean: 

How to restrict certain versions of the Cisco VPN Client from connecting to the VPN Concentrator



The VPN Concentrator can permit or deny VPN Clients according to their type and software version.

In order to use this feature, login to the VPN Concentrator and choose Configuration > User Management > Groups. Then select the group and go to the IPsec tab.

Construct the rules in this way:

For example:

If the administrator does not wish to specify the platform, use this rule instead:

Note: The * character is a wildcard. You can use it multiple times in each rule.

Use a separate line for each rule.

Order rules by priority. The first rule that matches is the rule that applies. If a later rule contradicts, the system ignores it. If you do not define any rules, all connections are permitted.

When a client matches none of the rules, the connection is denied. This means that if you define a deny rule, you must also define at least one permit rule, or all connections are denied.

For both software and hardware clients, the client type and software version must match (case sensitive) in their appearance in the Monitoring | Sessions window, including spaces. It is recommended that you copy and paste from that window to this one.

Use n/a for either the type or the version to identify information the client does not send. For example, permit n/a:n/a allows you to permit any client that does not send the client type and version.

You can use a total of 255 characters for rules. The newline between rules uses two characters. In order to conserve characters, use p for permit and d for deny. Eliminate spaces except as required for the client type and version. You do not need a space before or after the colon (:).

In order to restrict certain versions of the Cisco VPN Client from connecting to the PIX/Adaptive Security Appliance (ASA), refer Restrict Certain Cisco VPN Client Versions from Connecting to the VPN Concentrator/ASA/PIX


Content for Community-Ad