Cisco Systems OL-16647-01 Network Router User Manual
Cisco ASDM User Guide
Chapter 36 Configuring Dynamic Access Policies
Understanding VPN Access Policies
DfltAccessPolicy—Always the last entry in the DAP summary table, with a fixed priority of 0.
You can configure Access Policy attributes for the default access policy, but it does not contain, and
you cannot configure, AAA or endpoint attributes. You cannot delete the DfltAccessPolicy, and it
must remain the last entry in the summary table.
For more information about Dynamic Access Policies, click the following links:
DAP Support for Remote Access Connection Types
DAP and AAA
DAP and Endpoint Security
DAP Connection Sequence
Test Dynamic Access Policies
DAP Examples
Configuring Dynamic Access Policies
To configure dynamic access policies, in the Configuration > Remote Access VPN > Network (Client)
Access or Clientless SSL VPN Access > Dynamic Access Policies pane in ASDM, perform the following
steps:
Step 1 To include antivirus, antispyware, or personal firewall endpoint attributes, click the CSD configuration
link near the top of the pane. Then enable Cisco Secure Desktop and Host Scan extensions. This link
is not displayed if you have previously enabled both of these features.
If you enable Cisco Secure Desktop but do not enable Host Scan extensions, ASDM includes a link to
enable Host Scan configuration when you apply your changes.
Step 2 To create a new dynamic access policy, click Add. To modify an existing policy, click Edit.
Step 3 To test already configured policies, click Test Dynamic Access Policies.
Fields
Priority—Displays the priority of the DAP record. The security appliance uses this value to logically
sequence the access lists when aggregating the network and web-type ACLs from multiple DAP
records. The security appliance orders the records from highest to lowest priority number, with the
lowest at the bottom of the table. Higher numbers have higher priority; that is, a DAP record with
a value of 4 has a higher priority than a record with a value of 2. You cannot manually sort them.
Name—Displays the name of the DAP record.
Network ACL List—Displays the name of the firewall access list that applies to the session.
Web-Type ACL List—Displays the name of the SSL VPN access list that applies to the session.
Description—Describes the purpose of the DAP record.
Test Dynamic Access Policies button—Click to test already configured DAP records.
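The Priority field above is what decides which record's ACL entries are consulted first when a session matches several DAP records. The following Python model is an added illustration, not ASA or ASDM code: it aggregates the network ACLs of the matched records in priority order (highest number first, DfltAccessPolicy with priority 0 always last) and resolves a destination with ordinary first-match ACL semantics. The record names, the ACL contents (including the catch-all deny placed in the DfltAccessPolicy entry) and the sample destinations are constructed for the example.

```python
"""Model of DAP priority ordering for aggregated network ACLs (added example).

Not ASA code. Records, ACL entries and destinations are constructed here to
show why priority matters: the same two records yield different decisions
when their priorities are swapped, because the aggregated ACL is first-match.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    dst: str               # destination network in CIDR notation
    port: Optional[int] = None  # None matches any destination port

    def matches(self, dst_ip: str, port: int) -> bool:
        return ip_address(dst_ip) in ip_network(self.dst) and (
            self.port is None or self.port == port
        )


@dataclass
class DapRecord:
    name: str
    priority: int
    network_acl: List[Ace] = field(default_factory=list)


# Constructed stand-in for DfltAccessPolicy: priority 0, always appended last.
# The catch-all deny is an assumption for this model, not the shipped default.
DFLT_ACCESS_POLICY = DapRecord("DfltAccessPolicy", 0, [Ace("deny", "0.0.0.0/0")])


def aggregate_acl(matched: List[DapRecord]) -> List[Tuple[str, Ace]]:
    """Concatenate the ACLs of matched records, highest priority first.

    DfltAccessPolicy is excluded from the sort and appended at the end, as the
    summary table always shows it as the last entry with priority 0.
    """
    records = [r for r in matched if r.name != DFLT_ACCESS_POLICY.name]
    records.sort(key=lambda r: r.priority, reverse=True)
    records.append(DFLT_ACCESS_POLICY)
    return [(r.name, ace) for r in records for ace in r.network_acl]


def evaluate(matched: List[DapRecord], dst_ip: str, port: int) -> Tuple[str, str]:
    """First-match lookup over the aggregated ACL; returns (action, record name)."""
    for name, ace in aggregate_acl(matched):
        if ace.matches(dst_ip, port):
            return ace.action, name
    # Standard implicit deny at the end of an applied ACL.
    return "deny", "implicit"


# Constructed session that matches two records: a restrictive one with a high
# priority and a permissive one with a lower priority.
BLOCK_FINANCE = [Ace("deny", "10.1.50.0/24")]
ALLOW_CORP = [Ace("permit", "10.1.0.0/16")]

SAMPLE = [
    DapRecord("allow-corp", 10, ALLOW_CORP),
    DapRecord("block-finance", 30, BLOCK_FINANCE),
]

# Same records with the priorities swapped: the permissive record now wins.
MISORDERED = [
    DapRecord("allow-corp", 30, ALLOW_CORP),
    DapRecord("block-finance", 10, BLOCK_FINANCE),
]


if __name__ == "__main__":
    for label, records in (("correct", SAMPLE), ("misordered", MISORDERED)):
        order = [name for name, _ in aggregate_acl(records)]
        print(f"{label}: aggregation order {order}")
        for ip, port in (("10.1.50.10", 443), ("10.1.20.5", 443), ("192.168.1.1", 22)):
            print(f"  {ip}:{port} -> {evaluate(records, ip, port)}")
```

Running the block shows the finance subnet denied by `block-finance` when that record carries the higher priority, and permitted by `allow-corp` when the numbers are swapped; an address outside both ACLs always falls through to the DfltAccessPolicy entry. Because you cannot sort the summary table by hand, the priority value is the only control over this ordering when records overlap.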
Modes
The following table shows the modes in which this feature is available: