Cisco Systems OL-16647-01 Network Router User Manual


35-30
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
ACL Manager
Note
If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode and VPN 3002 hardware clients) are unable to connect.
If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.
Firewall Type—Lists firewalls from several vendors, including Cisco. If you select Custom Firewall, the fields under Custom Firewall become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.
Custom Firewall—Specifies the vendor ID, Product ID and description for the custom firewall.
Vendor ID—Specifies the vendor of the custom firewall for this group policy.
Product ID—Specifies the product or model name of the custom firewall being configured for this group policy.
Description—(Optional) Describes the custom firewall.
Firewall Policy—Specifies the type and source for the custom firewall policy.
Policy defined by remote firewall (AYT)—Specifies that the firewall policy is defined by the remote firewall (Are You There). Policy defined by remote firewall (AYT) means that remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN client. The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN client ends the session.
Policy pushed (CPP)—Specifies that the policy is pushed from the peer. If you select this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active. The security appliance enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this security appliance, including the default filters. Keep in mind that the security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the security appliance. For example, “in” and “out” refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.
Inbound Traffic Policy—Lists the available push policies for inbound traffic.
Outbound Traffic Policy—Lists the available push policies for outbound traffic.
Manage—Displays the ACL Manager window, on which you can configure Access Control Lists (ACLs).
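The ASDM settings described above correspond to the group-policy client-firewall command in the ASA CLI. The fragment below is an added illustration and is not taken from this guide; the group-policy names, ACL names and addresses are constructed, and the command syntax is written from memory of the ASA CLI and should be checked against the command reference for your release.

```cisco
! Rules in a pushed (CPP) policy are written from the VPN client's point of view:
! "in" is traffic arriving at the client, "out" is traffic the client sends.
! Constructed example: only remote-desktop from the admin subnet may reach the
! client, and the client may reach anything on the corporate 10.0.0.0/8 network.
access-list CLIENT-IN extended permit tcp 10.10.0.0 255.255.255.0 any eq 3389
access-list CLIENT-IN extended deny ip any any
access-list CLIENT-OUT extended permit ip any 10.0.0.0 255.0.0.0
access-list CLIENT-OUT extended deny ip any any
!
! Firewall Optional (opt) with the policy pushed from the security appliance (CPP):
! users without a firewall still connect but receive a warning message.
group-policy SALES-VPN attributes
 client-firewall opt cisco-integrated acl-in CLIENT-IN acl-out CLIENT-OUT
!
! Firewall Required (req) with the policy defined by the remote firewall (AYT):
! the connection fails unless the designated firewall is running, and the client
! polls it every 30 seconds, ending the session if it stops.
group-policy ADMIN-VPN attributes
 client-firewall req zonelabs-zonealarm policy AYT
```

Because any packet blocked by either the pushed policy or the client's local firewall is dropped, a rule that is written from the security appliance's perspective (with "in" and "out" reversed) silently blocks the wrong direction rather than producing an error.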
Modes
The following table shows the modes in which this feature is available: