67-2
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Connection Profiles
and an MIS group to access other parts. In addition, you might allow specific users within MIS to access
systems that other MIS users cannot access. Connection profiles and group policies provide the
flexibility to do so securely.
Note The ASA also includes the concept of object groups, which are a superset of network lists. Object groups
let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group
policies and connection profiles. For more information about using object groups, see Chapter13,
“Configuring Objects.”
The security appliance can apply attribute values from a variety of sources. It applies them according to
the following hierarchy:
1. Dynamic Access Policy (DAP) record
2. Username
3. Group policy
4. Group policy for the connection profile
5. Default group policy
Therefore, DAP values for an attribute have a higher priority than those configured for a user, group
policy, or connection profile.
When you enable or disable an attribute for a DAP record, the ASA applies that value and enforces it.
For example, when you disable HTTP proxy in dap webvpn mode, the security appliance looks no further
for a value. When you instead use the no value for the http-proxy command, the attribute is not present
in the DAP record, so the security appliance moves down to the AAA attribute in the username, and if
necessary, the group policy to find a value to apply. The ASA clientless SSL VPN configuration supports
only one http-proxy and one https-proxy command each. We recommend that you use ASDM to
configure DAP.
Connection Profiles
A connection profile consists of a set of records that determines tunnel connection policies. These
records identify the servers to which the tunnel user is authenticated, as well as the accounting servers,
if any, to which connection information is sent. They also identify a default group policy for the
connection, and they contain protocol-specific connection parameters. Connection profiles include a
small number of attributes that pertain to creating the tunnel itself. Connection profiles include a pointer
to a group policy that defines user-oriented attributes.
The ASA provides the following default connection profiles: DefaultL2Lgroup for LAN-to-LAN
connections, DefaultRAgroup for remote access connections, and DefaultWEBVPNGroup for SSL VPN
(browser-based) connections. You can modify these default connection profiles, but you cannot delete
them. You can also create one or more connection profiles specific to your environment. Connection
profiles are local to the ASA and are not configurable on external servers.
Connection profiles specify the following attributes:
General Connection Profile Connection Parameters, page67-3
IPsec Tunnel-Group Connection Parameters, page67-4
Connection Profile Connection Parameters for SSL VPN Sessions, page67-5