Status query timer - This timer ensures that the security appliance periodically checks the posture state of the VPN client, in case it has changed since the last check. The default status query timer is 300 seconds. If this value is set too low, the security appliance will use a lot of system resources sending status queries to the remote-access VPN clients. In Example 7-24, the status query timer is changed to 600 seconds, which is recommended if the number of concurrent sessions is high.

Revalidation timer - This timer initiates a complete posture-validation process on the remote-access VPN client. The default timer is set to 36,000 seconds (10 hours). You can lower this timer, for example to 18,000 seconds (5 hours), if your organization requires you to revalidate the VPN clients more often. This is helpful when new antivirus patches are continuously published on the servers and you want the VPN clients to pick them up as soon as they go through a new posture-validation process.

Example 7-24 Status Query and Revalidation Timers
CiscoASA(config)# group-policy SecureMeGrp attributes
CiscoASA(config-group-policy)# nac-sq-period 600
CiscoASA(config-group-policy)# nac-reval-period 18000

When all the parameters are set up, the last step is to enable NAC on the user group-policy. This is shown in Example 7-25 for a user group-policy called SecureMeGrp.

Example 7-25 Enable NAC on a User Group-Policy
CiscoASA(config)# group-policy SecureMeGrp attributes
CiscoASA(config-group-policy)# nac enable

Note - You can revalidate all the active NAC sessions by using the eou revalidate all command. To revalidate a specific host, use the eou revalidate ip command followed by the IP address of the host to be revalidated.

To configure these parameters in ASDM, navigate to Configuration > VPN > General > Group Policy and click the NAC tab, as shown in Figure 7-5.

Figure 7-5 NAC Configuration of User Group-Policy Parameters in ASDM

Step 4: Configuring the NAC Exception List

A number of operating systems support the Cisco VPN client, including Solaris, Mac OS X, Windows, and Linux. However, Cisco CTA is currently supported only on Windows, Linux, and Mac OS X. During the tunnel-negotiation process, the VPN client reports its version information, such as Windows 2000, Windows XP, or Mac OS X, to name a few. You can specify an exception list based on the reported version of the VPN client. This list exempts the configured operating systems from the posture-validation process.

Because an exempted client is never posture-checked, it should not get unrestricted access. After the IPSec tunnel is negotiated, the VPN clients that are in the exception list can be subjected to an ACL that restricts their activities on the network. For example, if you want Solaris-based VPN clients (which cannot run CTA and are therefore exempted) to reach only an internal mainframe system, the exception-list ACL should permit only traffic to and from the mainframe server and deny all other traffic. In Example 7-26, an ACL called Solaris-ACL is set up. It allows traffic in both directions between the mainframe server, whose IP address is 10.10.50.100, and the Solaris VPN clients: one entry permits traffic sourced from the mainframe server and destined to the Solaris VPN clients, and the other permits the return direction from the Solaris VPN clients to the mainframe server. All other traffic is denied.

When both the inbound and outbound entries are configured, the next step is to apply this ACL either globally (under the default group-policy) or to a specific group-policy. This is achieved by using the vpn-nac-exempt command followed by the operating system name, as reported by the VPN client, and the name of the ACL used to filter that client's traffic.
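The following configuration is an added example that ties the timer, enable, and exception-list steps together; it is not Example 7-26 from the chapter (which is not reproduced on this page) and not Cisco's own text. It assumes the Solaris VPN clients draw addresses from a hypothetical pool 192.168.50.0/24, that the VPN client reports its operating system as the string "Solaris", and the group-policy NAC command syntax used by this chapter (ASA 7.0/7.1 era); verify both the reported OS string and the command set against your own software release before relying on them.

```text
! Added example, not from the book. Assumptions:
!   - Solaris VPN clients are assigned from 192.168.50.0/24 (hypothetical pool)
!   - the client reports its OS as exactly "Solaris" (check with your client version)
!   - group-policy NAC commands as used in this chapter (ASA 7.0/7.1 syntax)
!
! 1. Exception-list ACL: permit only mainframe <-> Solaris client traffic, both directions.
!    ASA ACLs end with an implicit deny, so everything else from an exempted client is dropped.
access-list Solaris-ACL extended permit ip host 10.10.50.100 192.168.50.0 255.255.255.0
access-list Solaris-ACL extended permit ip 192.168.50.0 255.255.255.0 host 10.10.50.100
!
! 2. NAC parameters on the user group-policy.
group-policy SecureMeGrp attributes
 nac-sq-period 600
 nac-reval-period 18000
 vpn-nac-exempt os "Solaris" filter Solaris-ACL
 nac enable
!
! 3. Verify what was applied, then force a fresh posture validation of all active sessions.
show running-config group-policy SecureMeGrp
eou revalidate all
```

The OS string in vpn-nac-exempt is matched against what the client sends during tunnel negotiation, so a mismatch silently leaves the client subject to normal posture validation rather than to Solaris-ACL. Applying the same vpn-nac-exempt line under DfltGrpPolicy instead of SecureMeGrp makes the exemption global.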