67-44
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
The following example sets the vpn-session-timeout alert-interval so that users are notified 20
minutes before their VPN session is disconnected. The valid range is 1-30 minutes. Like the other
attributes in this procedure, the alert interval is entered in group-policy configuration mode:
hostname(config-group-policy)# vpn-session-timeout alert-interval 20
The none parameter of the command indicates that users will not receive an alert.
The no form of the command, no vpn-session-timeout alert-interval, indicates that the VPN session
timeout alert-interval attribute is inherited from the default group policy.
Step 7 Choose one of the following options to specify an egress VLAN (also called "VLAN mapping") for
remote access or specify an ACL to filter the traffic:
Enter the following command in group-policy configuration mode to specify the egress VLAN for
remote access VPN sessions assigned to this group policy or to a group policy that inherits this group
policy:
hostname(config-group-policy)# [no] vlan {vlan_id | none}
no vlan removes the vlan_id from the group policy. The group policy inherits the vlan value from
the default group policy.
vlan none removes the vlan_id from the group policy and disables VLAN mapping for this group
policy. The group policy does not inherit the vlan value from the default group policy.
vlan_id in the command vlan vlan_id is the number of the VLAN, in decimal format, to assign to
remote access VPN sessions that use this group policy. The VLAN must be configured on this ASA
per the instructions in the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on
page 6-30.
none disables the assignment of a VLAN to the remote access VPN sessions that match this group
policy.
Note The egress VLAN feature works for HTTP connections, but not for FTP and CIFS.
Specify the name of the ACL to apply to VPN sessions, using the vpn-filter command in group-policy
mode. (You can also configure this attribute in username mode, in which case the value configured
under the username supersedes the group-policy value.)
hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#
You first configure ACLs that permit or deny the types of traffic this group policy should allow. You
then enter the vpn-filter command to apply one of those ACLs to the sessions that use the group policy.
To remove the ACL, including a null value created by entering the vpn-filter none command, enter
the no form of this command. The no form allows the value to be inherited from another group policy.
To prevent inheriting a value, enter the none keyword instead of an ACL name. The none keyword sets
a null value: no access list is applied, so traffic in this group's tunnels is not filtered by the
vpn-filter attribute at all, and a filter configured on the default group policy is not inherited.
Use none deliberately, since it is the unfiltered setting, not a "deny all".
The following example shows how to set a filter that invokes an access list named acl_vpn for the
group policy named FirstGroup (note the value keyword from the syntax above):
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter value acl_vpn
hostname(config-group-policy)#
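The following is a complete configuration that ties the steps of this section together. It is an added example, not a configuration taken from this guide or from Cisco. It assumes a group policy named FirstGroup, a VPN client address pool in 10.10.10.0/24, an internal network 192.168.1.0/24 and an egress VLAN 100 that has already been configured on the ASA; all of those names and addresses are constructed for the illustration. The ACL is written with the client's assigned address as the source, and its implicit deny at the end is what drops everything the entries do not list. Both vpn-filter forms are shown so that the unfiltered setting (none) can be compared with the filtered one (value acl_vpn); in a real configuration only the last one entered remains in effect.

```cisco
! Added example (not from the guide). Names, addresses and VLAN are constructed.
! The ACL lists what remote users may reach; the implicit deny drops the rest.
access-list acl_vpn remark Remote users: only HTTPS and DNS to the internal network
access-list acl_vpn extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list acl_vpn extended permit udp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 53

group-policy FirstGroup internal
group-policy FirstGroup attributes
  ! Session lifetime (minutes) and the warning sent 20 minutes before it expires.
  vpn-session-timeout 480
  vpn-session-timeout alert-interval 20
  ! Egress VLAN for sessions in this group; VLAN 100 must already exist on the ASA.
  ! (no vlan would instead inherit the VLAN from the default group policy.)
  vlan 100
  ! Weak setting: a null filter. No ACL is applied to tunnel traffic, and a filter
  ! on the default group policy is not inherited.
  vpn-filter none
  ! Hardened setting: apply acl_vpn to every session that uses this group policy.
  ! Entering this replaces the vpn-filter none line above.
  vpn-filter value acl_vpn

! Check which attributes the group policy actually carries before relying on them.
show running-config group-policy FirstGroup
```

After applying the configuration, confirm that the show output lists vpn-filter value acl_vpn rather than vpn-filter none, and that the VLAN number matches a VLAN subinterface that is actually configured; a vlan value for a VLAN that does not exist, or a filter left at none, are the two mistakes this procedure most easily produces.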