Cisco Systems ASA5515K9, ASA 5500 Connection Profile Connection Parameters for SSL VPN Sessions

67-5

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Connection Profiles

Note If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers

have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or

both peers must have it disabled.

•If you configure authentication using digital certificates, you can specify whether to send the entire

certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the

issuing certificates (including the root certificate and any subordinate CA certificates).

•You can notify users who are using outdated versions of Windows client software that they need to

update their client, and you can provide a mechanism for them to get the updated client version. For

VPN 3002 hardware client users, you can trigger an automatic update. You can configure and change

the client-update, either for all connection profiles or for particular connection profiles.

•If you configure authentication using digital certificates, you can specify the name of the trustpoint

that identifies the certificate to send to the IKE peer.

Connection Profile Connection Parameters for SSL VPN Sessions

Table67-1 provides a list of connection profile attributes that are specific to SSL VPN (AnyConnect

client and clientless) connections. In addition to these attributes, you configure general connection

profile attributes common to all VPN connections. For step-by-step information about configuring

connection profiles, see Configuring Connection Profiles for Clientless SSL VPN Sessions, page67-20.

Note In earlier releases, “connection profiles” were known as “tunnel groups.” You configure a connection

profile with tunnel-group commands. This chapter often uses these terms interchangeably.

Table67-1 Connection Profile Attributes for SSL VPN

Command Function

authentication Sets the authentication method, AAA or certificate.

customization Identifies the name of a previously defined customization to apply.

Customizations determine the appearance of the windows that the user

sees upon login. You configure the customization parameters as part of

configuring clientless SSL VPN.

nbns-server Identifies the name of the NetBIOS Name Service server (nbns-server) to

use for CIFS name resolution.

group-alias Specifies one or more alternate names by which the server can refer to a

connection profile. At login, the user selects the group name from a

dropdown menu.

group-url Identifies one or more group URLs. If you configure this attribute, users

coming in on a specified URL need not select a group at login.

dns-group Identifies the DNS server group that specifies the DNS server name,

domain name, name server, number of retries, and timeout values for a

DNS server to use for a connection profile.

hic-fail-group-policy Specifies a VPN feature policy if you use the Cisco Secure Desktop

Manager to set the Group-Based Policy attribute to “Use Failure

Group-Policy” or “Use Success Group-Policy, if criteria match.”