1-74
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Group Policies
Configuring VPN Client Firewall Policies
A
firewall
isolates and protects a computer from the Internet by inspecting each inbound and outbound
packet of data to determine whether to allow it through the firewall or to drop it. Firewalls provide extra
security if remote users in a group have split tunneling configured. In this case, the firewall protects the
user’s computer, and thereby the corporate network, from intrusions by way of the Internet or the user’s
local LAN. Remote users connecting to the ASA with the VPN client can choose the appropriate firewall
option.
Set personal firewall policies that the ASA pushes to the VPN client during IKE tunnel negotiation by
using the
client-firewall
command in group-policy configuration mode. To delete a firewall policy, enter
the
no
form of this command.
To delete all firewall policies, enter the
no client-firewall
command without arguments. This command
deletes all configured firewall policies, including a null policy if you created one by entering the
client-firewall
command with the
none
keyword.
When there are no firewall policies, users inherit any that exist in the default or other group policy. To
prevent users from inheriting such firewall policies, enter the
client-firewall
command with the
none
keyword.
The Add or Edit Group Policy dialog box on the Client Firewall tab, lets you configure firewall settings
for VPN clients for the group policy being added or modified.
Note
Only VPN clients running Microsoft Windows can use these firewall features. They are currently not
available to hardware clients or other (non-Windows) software clients.
In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces
firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If
the firewall stops running, the VPN client drops the connection to the ASA. (This firewall enforcement
mechanism is called
Are You There (AYT)
, because the VPN client monitors the firewall by sending it
periodic “are you there?” messages; if no reply comes, the VPN client knows the firewall is down and
terminates its connection to the ASA.) The network administrator might configure these PC firewalls
originally, but with this approach, each user can customize his or her own configuration.
In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls
on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using
split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the
Internet while tunnels are established. This firewall scenario is called
push policy
or
Central Protection
Policy (CPP)
. On the ASA, you create a set of traffic management rules to enforce on the VPN client,
associate those rules with a filter, and designate that filter as the firewall policy. The ASA pushes this
policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which
enforces it.
Configuring AnyConnect Client Firewall Policies
Fiewall rules for the AnyConnect client can specify IPv4 and IPv6 addresses.
Summary of Contents for 5505 - ASA Firewall Edition Bundle
Page 28: ...Glossary GL 24 Cisco ASA Series CLI Configuration Guide ...
Page 61: ...P A R T 1 Getting Started with the ASA ...
Page 62: ......
Page 219: ...P A R T 2 Configuring High Availability and Scalability ...
Page 220: ......
Page 403: ...P A R T 2 Configuring Interfaces ...
Page 404: ......
Page 499: ...P A R T 2 Configuring Basic Settings ...
Page 500: ......
Page 533: ...P A R T 2 Configuring Objects and Access Lists ...
Page 534: ......
Page 601: ...P A R T 2 Configuring IP Routing ...
Page 602: ......
Page 745: ...P A R T 2 Configuring Network Address Translation ...
Page 746: ......
Page 845: ...P A R T 2 Configuring AAA Servers and the Local Database ...
Page 846: ......
Page 981: ...P A R T 2 Configuring Access Control ...
Page 982: ......
Page 1061: ...P A R T 2 Configuring Service Policies Using the Modular Policy Framework ...
Page 1062: ......
Page 1093: ...P A R T 2 Configuring Application Inspection ...
Page 1094: ......
Page 1191: ...P A R T 2 Configuring Unified Communications ...
Page 1192: ......
Page 1333: ...P A R T 2 Configuring Connection Settings and QoS ...
Page 1334: ......
Page 1379: ...P A R T 2 Configuring Advanced Network Protection ...
Page 1380: ......
Page 1475: ...P A R T 2 Configuring Modules ...
Page 1476: ......
Page 1549: ...P A R T 2 Configuring VPN ...
Page 1550: ......
Page 1965: ...P A R T 2 Configuring Logging SNMP and Smart Call Home ...
Page 1966: ......
Page 2059: ...P A R T 2 System Administration ...
Page 2060: ......
Page 2098: ...1 8 Cisco ASA Series CLI Configuration Guide Chapter 1 Troubleshooting Viewing the Coredump ...
Page 2099: ...P A R T 2 Reference ...
Page 2100: ......