The VPN Concentrator can permit or deny VPN Clients according to their type and software version.
In order to use this feature, log in to the VPN Concentrator and choose Configuration > User Management > Groups. Then select the group and go to the IPsec tab.
Construct the rules in this way:
If the administrator does not wish to specify the platform, use this rule instead:
Note: The * character is a wildcard. You can use it multiple times in each rule.
Use a separate line for each rule.
Order rules by priority. The first rule that matches is the rule that applies. If a later rule contradicts it, the system ignores the later rule. If you do not define any rules, all connections are permitted.
When a client matches none of the rules, the connection is denied. This means that if you define a deny rule, you must also define at least one permit rule, or all connections are denied.
For both software and hardware clients, the client type and software version in a rule must match exactly how they appear in the Monitoring | Sessions window, including case and spaces. It is recommended that you copy and paste from that window to this one.
Use n/a for either the type or the version to identify information the client does not send. For example, permit n/a:n/a allows you to permit any client that does not send the client type and version.
You can use a total of 255 characters for rules. The newline between rules uses two characters. In order to conserve characters, use p for permit and d for deny. Eliminate spaces except as required for the client type and version. You do not need a space before or after the colon (:).
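The evaluation semantics described above (first match wins, implicit deny once any rule exists, case-sensitive matching with * wildcards, n/a for missing fields, and the 255-character budget with two characters per newline) can be checked offline before a rule set is pasted into the group. The following is an added example, not Cisco code. It assumes that a space separates the action keyword from the client type and that the type contains no colon; the client types and versions are constructed sample values.

```python
import re

ACTIONS = {"p": True, "permit": True, "d": False, "deny": False}
MAX_CHARS = 255  # total budget for all rules, as stated above


def _glob(pattern):
    # '*' is the only wildcard; all other characters are literal and case sensitive.
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def parse_rules(text):
    """Parse one rule per line into (permit, type_regex, version_regex) tuples."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Each newline between rules costs two characters of the budget.
    used = sum(len(ln) for ln in lines) + 2 * max(len(lines) - 1, 0)
    if used > MAX_CHARS:
        raise ValueError(f"rules use {used} characters, limit is {MAX_CHARS}")
    rules = []
    for ln in lines:
        # Assumption: the action keyword is separated from the type by a space.
        action, _, spec = ln.strip().partition(" ")
        ctype, colon, version = spec.partition(":")
        if action not in ACTIONS or not colon:
            raise ValueError(f"malformed rule: {ln!r}")
        rules.append((ACTIONS[action], _glob(ctype.strip()), _glob(version.strip())))
    return rules


def is_permitted(rules, client_type=None, version=None):
    """Return True if the client may connect under first-match-wins evaluation."""
    if not rules:
        return True  # no rules defined: all connections are permitted
    # A field the client does not send is matched as the literal "n/a".
    ctype, ver = client_type or "n/a", version or "n/a"
    for permit, type_re, ver_re in rules:
        if type_re.fullmatch(ctype) and ver_re.fullmatch(ver):
            return permit  # first matching rule applies; later rules are ignored
    return False  # rules exist but none matched: connection is denied


# Constructed sample rule set and client values, for illustration only.
SAMPLE_RULES = parse_rules("d WinNT:4.0*\np WinNT:*\np n/a:n/a")

if __name__ == "__main__":
    for client in [("WinNT", "4.0.3"), ("WinNT", "4.8.1"), ("winnt", "4.8.1"), (None, None)]:
        print(client, "->", "permit" if is_permitted(SAMPLE_RULES, *client) else "deny")
```

The third sample client shows why copying the strings from the Sessions window matters: a type that differs only in case matches no rule and falls through to the implicit deny.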