This document provides a sample configuration for how to restrict
certain versions of the Cisco VPN Client from connecting to the VPN
Concentrator or Security Appliances such as PIX and ASA.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
Cisco VPN 3000 Series Concentrator with Version 4.x
Cisco VPN Client Version 4.x and later
Cisco ASA 5500 Series with Version 7.x and later
Cisco PIX 500 Series with Version 7.x and later
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
The VPN Concentrator can permit or deny VPN Clients by their type and software version.
In order to use this feature, log in to the VPN Concentrator and choose
Configuration > User Management > Groups. Then choose the group and go to the IPsec tab.
Construct the rules in this way:
deny *:3.6*—Denies all VPN Clients that run Software Version 3.6.x.
d VPN CLIENT : 4.6*—Prevents users with VPN Client Version 4.6 from establishing
a VPN connection to the VPN Concentrator.
p windows : 4.8*—Allows only Version 4.8 clients on the Windows platform to connect.
p * : 4.8*—Permits any platform that runs any 4.8.x version.
If the administrator does not wish to specify the platform, use this rule:
p *: 4.8*
Note: The * character is a wildcard. You can use it multiple times in each rule.
Use a separate line for each rule.
Order rules by priority. The first rule that matches is the rule that
applies. If a later rule contradicts it, the system ignores it. If you do not
define any rules, all connections are permitted.
When a client matches none of the rules, the connection is denied.
This means that, if you define a deny rule, you must also define at least one
permit rule, or all connections are denied.
For both software and hardware clients, the client type and software version must
match their appearance in the Monitoring | Sessions window exactly (case sensitive,
spaces included). It is recommended that you copy and paste from that window to this one.
Use n/a for either the type or version to identify information that
the client does not send. For example, permit n/a:n/a allows you to permit any
client that does not send the client type and version.
You can use a total of 255 characters for rules. The newline between
rules uses two characters. In order to conserve characters, use p for permit
and d for deny. Eliminate spaces except as required for the client type and
version. You do not need a space before or after the colon (:).
In order to configure rules that limit the remote access client types
and versions that can connect through IPsec and the security appliance, issue
the client-access-rule command in group-policy
configuration mode. In order to delete a rule, issue the no
form of this command.
This example shows how to create client access rules for the group policy named
FirstGroup. These rules permit VPN Clients that run Software Version 4.1 and deny all
VPN 3002 hardware clients:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 d t VPN3002 v *
hostname(config-group-policy)# client-access-rule 2 p * v 4.1
When you construct rules, refer to these guidelines:
If you do not define any rules, the security appliance permits all connections.
When a client matches none of the rules, the security appliance
denies the connection. If you define a deny rule, you must also define at least
one permit rule, or the security appliance denies all connections.
For both software and hardware clients, type and version must match
their appearance exactly in the show vpn-sessiondb remote display.
The * character is a wildcard, which you can use multiple times in each rule. For
example, client-access-rule 3 deny type * version 3.* creates a priority 3 client
access rule that denies all client types that run Version 3.x.
You can construct a maximum of 25 rules per group policy.
There is a limit of 255 characters for an entire set of rules.
You can use n/a for clients that do not send client type or version.
Note: In order to restrict the Mac OS VPN Client, use "Mac OS X" as the platform
type so that the rule matches Mac OS X clients.
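The rule semantics shared by the Concentrator guidelines and the security appliance guidelines above (first match wins, * as the only wildcard, case-sensitive matching with spaces kept, n/a for fields the client does not send, no rules means permit all, no match means deny, and the 255-character budget with two characters per newline) can be checked offline before the rules are pasted into a device. The Python model below is an added example, not Cisco code; it parses Concentrator-style rules and also accepts the FirstGroup rules as tuples, and the client type and version strings it is tested with are constructed.

```python
import re

# A rule is (action, type_pattern, version_pattern); action is 'p' (permit) or 'd' (deny).
def _wild(pattern, value):
    """Case-sensitive match where '*' is the only wildcard (any run of characters)."""
    regex = '.*'.join(re.escape(part) for part in pattern.split('*'))
    return re.fullmatch(regex, value) is not None

def parse_rules(text):
    """Parse Concentrator-style rules, one per line: 'p|permit|d|deny type:version'.
    Spaces around the colon are optional; spaces inside a type ('VPN CLIENT',
    'Mac OS X') are kept because the device matches them literally."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, _, spec = line.strip().partition(' ')
        if action not in ('p', 'permit', 'd', 'deny') or ':' not in spec:
            raise ValueError('malformed rule: %r' % line)
        ctype, _, version = spec.partition(':')
        rules.append((action[0], ctype.strip(), version.strip()))
    return rules

def evaluate(rules, client_type, client_version):
    """First matching rule decides; no rules -> permit all; no match -> deny.
    A field the client does not send is represented as the literal 'n/a',
    which is how the guidelines say such clients are identified."""
    if not rules:
        return 'permit'
    ctype, version = client_type or 'n/a', client_version or 'n/a'
    for action, type_pat, version_pat in rules:
        if _wild(type_pat, ctype) and _wild(version_pat, version):
            return 'permit' if action == 'p' else 'deny'
    return 'deny'

def check_rule_set(text):
    """Report the two pitfalls the guidelines warn about: more than 255 characters
    (each newline between rules counts as two) and a deny rule with no permit rule."""
    problems = []
    lines = [l for l in text.splitlines() if l.strip()]
    size = sum(len(l) for l in lines) + 2 * max(len(lines) - 1, 0)
    if size > 255:
        problems.append('rule set is %d characters, limit is 255' % size)
    actions = {a for a, _, _ in parse_rules(text)}
    if 'd' in actions and 'p' not in actions:
        problems.append('deny rule without a permit rule: all connections are denied')
    return problems

# Constructed sample: the two Concentrator rules from this document.
SAMPLE = "d VPN CLIENT : 4.6*\np * : 4.8*"
if __name__ == '__main__':
    print(evaluate(parse_rules(SAMPLE), 'VPN CLIENT', '4.6.00.0045'))  # deny
    print(evaluate(parse_rules(SAMPLE), 'WinNT', '4.8.01.0300'))       # permit
    print(check_rule_set('d *:3.6*'))
```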