Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Group Policies
The Group Policies pane lets you manage VPN group policies. A VPN group policy is a collection of
user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS or
LDAP server. Configuring the VPN group policy lets users inherit attributes that you have not configured
at the individual group or username level. By default, VPN users have no group policy association. The
group policy information is used by VPN tunnel groups and user accounts.
The “child” panes and dialog boxes let you configure the group parameters, including those for the
default group. The default group parameters are those that are most likely to be common across all
groups and users, and they streamline the configuration task. Groups can “inherit” parameters from this
default group, and users can “inherit” parameters from their group or the default group. You can override
these parameters as you configure groups and users.
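The inheritance order described above (user, then group policy, then default group), modeled as an added example that is not part of the Cisco guide. It resolves each user's effective attributes and reports which security-relevant ones come only from the default group; the attribute keys, group names, users and values are constructed for illustration and are not ASA or ASDM syntax.

```python
# Added example: models the inheritance order user -> group policy -> default group.
# All names and values below are constructed; the keys are illustrative, not ASA syntax.

INHERIT = None  # attribute not configured at this level, so it is inherited

DEFAULT_GROUP = {
    "banner": "Authorized use only",
    "tunneling_protocols": ("ipsec", "ssl-client"),
    "dns_servers": ("10.0.0.53",),
    "split_tunneling": "tunnel-all",
    "filter": INHERIT,  # not set in the default group either
}
GROUP_POLICIES = {
    "Engineering": {"split_tunneling": "tunnel-listed", "filter": "ENG-ACL"},
    "Contractors": {"tunneling_protocols": ("ssl-client",)},
}
USERS = {
    "alice": {"group": "Engineering", "attrs": {"banner": "Welcome, Alice"}},
    "bob": {"group": "Contractors", "attrs": {}},
    "carol": {"group": None, "attrs": {}},  # no group policy association
}

def effective_policy(username):
    """Return {attribute: (value, source)}; source names the level that set the value."""
    user = USERS[username]
    levels = [("user:" + username, user["attrs"])]
    if user["group"] is not None:
        levels.append(("group:" + user["group"], GROUP_POLICIES[user["group"]]))
    levels.append(("default-group", DEFAULT_GROUP))
    resolved = {}
    for attr in DEFAULT_GROUP:
        resolved[attr] = (None, "unset")
        for source, attrs in levels:  # most specific level first
            if attrs.get(attr) is not INHERIT:
                resolved[attr] = (attrs[attr], source)
                break
    return resolved

def inherited_from_default(username,
                           attrs=("tunneling_protocols", "filter", "split_tunneling")):
    """Security-relevant attributes a user gets only from the default group, or not at all."""
    eff = effective_policy(username)
    return sorted(a for a in attrs if eff[a][1] in ("default-group", "unset"))

if __name__ == "__main__":
    for name in USERS:
        print(name, inherited_from_default(name))
```

Running the audit before and after a change to the default group shows which users and groups the change will reach.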
You can configure either an internal or an external group policy. An internal group policy is stored
locally, and an external group policy is stored externally on a RADIUS or LDAP server. Clicking Edit
opens a similar dialog box on which you can create a new group policy or modify an existing one.
In these dialog boxes, you configure the following kinds of parameters:
• General attributes: Name, banner, address pools, protocols, filtering, and connection settings.
• Servers: DNS and WINS servers, DHCP scope, and default domain name.
• Advanced attributes: Split tunneling, IE browser proxy, SSL VPN client and AnyConnect client, and IPsec client.
Before configuring these parameters, you should configure:
• Access hours.
• Rules and filters.
• IPsec Security Associations.
• Network lists for filtering and split tunneling.
• User authentication servers, and specifically the internal authentication server.
Fields
• Group Policy—Lists the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN group policies.
  • Name—Lists the name of the currently configured group policies.
  • Banner—Allows you to attach a VPN flag or banner.
  • Type—Lists the type of each currently configured group policy.
  • Tunneling Protocol—Lists the tunneling protocol that each currently configured group policy uses.
  • AAA Server Group—Lists the AAA server group, if any, to which each currently configured group policy pertains.
  • Add—Offers a drop-down menu on which you can select whether to add an internal or an external group policy. If you simply click Add, then by default, you create an internal group policy. Clicking Add opens the Add Internal Group Policy dialog box or the Add External Group Policy dialog box, which let you add a new group policy to the list. This dialog box includes three menu sections. Click each menu item to display its parameters. As you move from item to item, ASDM retains your settings. When you have finished setting parameters on