Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Configuring AnyConnect Host Scan
• Enable inbound IPsec sessions to bypass interface access-lists. Group policy and per-user
authorization access lists still apply to the traffic—By default, the ASA allows VPN traffic to
terminate on an ASA interface; you do not need to allow IKE or ESP (or other types of VPN packets)
in an access rule. When this check box is checked, you also do not need an access rule for local IP
addresses of decrypted VPN packets. Because the VPN tunnel was terminated successfully using
VPN security mechanisms, this feature simplifies configuration and maximizes the ASA
performance without any security risks. (Group policy and per-user authorization access lists still
apply to the traffic.)
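An added example, not part of the Cisco guide: a check over a saved running configuration that reports whether the bypass is in effect and which group policies carry no filter ACL, since with the bypass on the interface access rules do not see decrypted VPN traffic. It assumes the ASA CLI forms sysopt connection permit-vpn (the command behind this check box) and vpn-filter; the sample configuration and every name in it are constructed.

```python
import re

# Constructed running-config excerpt (not from the guide); all names are made up.
SAMPLE_CONFIG = """\
access-list STAFF_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 443
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ssl-client
group-policy RA_STAFF internal
group-policy RA_STAFF attributes
 vpn-filter value STAFF_FILTER
group-policy RA_VENDOR internal
group-policy RA_VENDOR attributes
 vpn-tunnel-protocol ikev1
group-policy RA_LEGACY internal
group-policy RA_LEGACY attributes
 vpn-filter none
"""

def bypass_enabled(config: str) -> bool:
    """The bypass is on by default and only its negation is written to the
    running configuration, so absence of the 'no' form means enabled."""
    return not re.search(r"^no sysopt connection permit-vpn\s*$", config, re.M)

def vpn_filters(config: str) -> dict:
    """Map each group policy to its own vpn-filter: ACL name, 'none', or None if unset."""
    filters, current = {}, None
    for line in config.splitlines():
        head = re.match(r"group-policy (\S+) (internal|attributes)", line)
        if head:
            current = head.group(1)
            filters.setdefault(current, None)
        elif not line.startswith(" "):
            current = None          # left the group-policy sub-mode
        elif current:
            m = re.match(r"\s+vpn-filter (?:value (\S+)|(none))", line)
            if m:
                filters[current] = m.group(1) or "none"
    return filters

def unfiltered_policies(config: str) -> list:
    """Group policies with no vpn-filter in effect while the bypass is enabled.
    Per-user ACLs delivered by an AAA server are not in the config and are not checked."""
    if not bypass_enabled(config):
        return []                   # interface access rules see the decrypted traffic
    filters = vpn_filters(config)
    default = filters.get("DfltGrpPolicy")      # unset attributes are inherited from it
    return sorted(name for name, acl in filters.items()
                  if (acl or default or "none") == "none")
```

Run unfiltered_policies() on the output of show running-config; each policy it returns is one whose users reach the inside networks without a group-policy ACL.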
Configuring AnyConnect Host Scan
The AnyConnect Posture Module provides the AnyConnect Secure Mobility Client the ability to identify
the operating system, anti-virus, anti-spyware, and firewall software installed on the host. The Host Scan
application gathers this information.
Using the secure desktop manager tool in the Adaptive Security Device Manager (ASDM), you can
create a prelogin policy which evaluates the operating system, anti-virus, anti-spyware, and firewall
software Host Scan identifies. Based on the result of the prelogin policy’s evaluation, you can control
which hosts are allowed to create a remote access connection to the security appliance.
The Host Scan support chart contains the product name and version information for the anti-virus,
anti-spyware, and firewall applications you use in your prelogin policies. We deliver Host Scan and the
Host Scan support chart, as well as other components, in the Host Scan package.
Starting with AnyConnect Secure Mobility Client release 3.0, Host Scan is available separately from
CSD. This means you can deploy Host Scan functionality without having to install CSD, and you can
update your Host Scan support charts by upgrading to the latest Host Scan package.
Posture assessment and the AnyConnect telemetry module require Host Scan to be installed on the host.
This chapter contains the following sections:
• Host Scan Dependencies and System Requirements
• Host Scan Packaging
• Installing and Enabling Host Scan on the ASA
• Other Important Documentation Addressing Host Scan
Host Scan Dependencies and System Requirements
The AnyConnect Secure Mobility Client with the posture module requires these minimum ASA
• ASA 8.4
• ASDM 6.4
These AnyConnect features require that you install the posture module:
• SCEP authentication
• AnyConnect Telemetry Module