Connection Profile, Prelogin Policies, DAPs, Host Scan and VPNs order of operations
09-23-2015 09:01 PM
Labels: VPN

09-24-2015 09:26 PM
Hi Douglas,
If nothing matches, are the default connection profiles then used?
Yes, if there is no URL/alias or matching method (AAA assignment, certificate mapping, etc.), the connection falls into the default tunnel-group.
It seems as though ALL VPN users use the same prelogin policy map, is this correct?
The pre-login policy is configured under a DAP rule. Every time a user attempts to authenticate, the ASA checks all the DAP rules and puts the user into the ones they match, based on the DAP requirements.
Does the 'accept' NEED to be referenced in any other component of the ASA, or is referencing the 'accept' optional?
If the user does not pass the pre-login policy, they won't be able to go further; if they pass the pre-login policy, then the other rules are checked.
So if we are checking for AV/AS software to be present and it's not, will it automatically be denied, or do we need to set up a DAP to take action?
Normally in the DAP configuration there is a default DAP rule that has terminate as its action; if the user does not match any DAP rule, they fall into this policy and the connection is closed.
I also wonder why in the ASDM there is a spot to upload/activate (Setup) 'Secure Desktop Manager', but then there is a 'Host Scan Image' section that I used to activate 'Host Scan'?
Secure Desktop was used with the predecessor of Host Scan (CSD), and most of its components are already deprecated. At this point only Host Scan is supported; if you upgrade your ASDM, most likely that option will not appear any longer.
Hope it helps
-Randy-
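A small model of the selection order Randy describes (tunnel-group by URL/alias or certificate map, else the default group; then every DAP record is checked, with a terminate-by-default fallback policy when none match), written as an added example that is not part of this thread and not ASA code. DAP names, predicate helpers and the sample sessions are constructed for illustration; real ASA attribute names and DAP syntax differ.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

Session = Dict[str, object]   # constructed: attributes the ASA would learn at connect time

def in_network(cidr: str) -> Callable[[Session], bool]:
    """Pre-login style check: is the client's source IP inside this network?"""
    net = ipaddress.ip_network(cidr)
    return lambda s: "ip" in s and ipaddress.ip_address(str(s["ip"])) in net

def has(attr: str, value: object) -> Callable[[Session], bool]:
    """Endpoint/AAA attribute check (e.g. antivirus present, group membership)."""
    return lambda s: s.get(attr) == value

@dataclass
class Dap:
    name: str
    requirements: List[Callable[[Session], bool]]  # all must hold for a match
    action: str = "continue"                        # "continue" or "terminate"

def select_tunnel_group(session: Session, url_aliases: Dict[str, str],
                        cert_maps: Dict[str, str],
                        default: str = "DefaultWEBVPNGroup") -> str:
    """URL/alias first, then certificate mapping, else the default tunnel-group."""
    if session.get("alias") in url_aliases:
        return url_aliases[str(session["alias"])]
    if session.get("cert_issuer") in cert_maps:
        return cert_maps[str(session["cert_issuer"])]
    return default

def evaluate_daps(session: Session, daps: List[Dap],
                  default_action: str = "terminate"):
    """Every DAP is checked; the session is placed in all it matches.
    No match falls to the default policy; any matched 'terminate' closes it."""
    matched = [d for d in daps if all(req(session) for req in d.requirements)]
    if not matched:
        return ["DfltAccessPolicy"], default_action
    action = "terminate" if any(d.action == "terminate" for d in matched) else "continue"
    return [d.name for d in matched], action

# Constructed sample policy: a network-based pre-login check, a terminate rule for
# endpoints without antivirus, and an ordinary employee rule.
DAPS = [
    Dap("corp-lan", [in_network("192.168.10.0/24")]),
    Dap("no-av", [has("antivirus", False)], action="terminate"),
    Dap("employees", [has("group", "employees"), has("antivirus", True)]),
]
ALIASES = {"sales": "SalesGroup"}
CERT_MAPS = {"CN=ExampleCorpCA": "CertGroup"}   # constructed issuer name
```

Run `evaluate_daps({"ip": "10.0.0.9", "antivirus": True, "group": "contractor"}, DAPS)` to see a session that matches nothing land in `DfltAccessPolicy` with the terminate action.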
09-24-2015 10:56 PM
Hi Randy,
Thanks for the input! I just want to clarify one of the questions/answers.
Q2: It seems as though ALL VPN users use the same prelogin policy map, is this correct?
A2: The pre-login policy is configured under a DAP rule. Every time a user attempts to authenticate, the ASA checks all the DAP rules and puts the user into the ones they match, based on the DAP requirements.
Followup2: Let me rephrase... If we check for an IP address in the 192.168.10.0/24 network in the decision tree of the prelogin policy, then whoever connects will be checked for that network as well?
