Chapter 30 Configuring Connection Profiles, Group Policies, And Users; Overview Of Connection Profiles, Group Policies, And Users - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Configuring Connection Profiles, Group Policies, and Users

This chapter describes how to configure VPN connection profiles (formerly called "tunnel groups"),
group policies, and users. This chapter includes the following sections.
In summary, you first configure connection profiles to set the values for the connection. Then you
configure group policies, which set values for users in the aggregate. Finally, you configure users, who
can inherit values from groups and for whom you can set certain values individually. This chapter
describes how and why to configure these entities.

Overview of Connection Profiles, Group Policies, and Users

Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in
configuring the security appliance. They specify attributes that determine user access to and use of the
VPN. A group is a collection of users treated as a single entity. Users get their attributes from group
policies. Connection profiles identify the group policy for a specific connection. If you do not assign a
particular group policy to a user, the default group policy for the connection applies.
Note: You configure connection profiles using tunnel-group commands. In this chapter, the terms "connection
profile" and "tunnel group" are often used interchangeably.
Connection profiles and group policies simplify system management. To streamline the configuration
task, the security appliance provides a default LAN-to-LAN connection profile, a default remote access
connection profile, a default connection profile for clientless SSL VPN, and a default group policy
(DfltGrpPolicy). The default connection profiles and group policy provide settings that are likely to be
common for many users. As you add users, you can specify that they "inherit" parameters from a group
policy. Thus you can quickly configure VPN access for large numbers of users.
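
The fallback described above, as an added example that is not part of the Cisco guide: a short Python audit that reads a constructed configuration and reports which group policy governs each user on each connection profile. The sample configuration, all names in it, and the simplified precedence (the user's own group policy, otherwise the connection profile's default group policy, otherwise DfltGrpPolicy) are assumptions drawn from this overview.

```python
import re

# Constructed sample configuration (not from the guide); all names are hypothetical.
SAMPLE_CONFIG = """\
group-policy FINANCE internal
group-policy SUPPORT internal
tunnel-group FINANCE-RA type remote-access
tunnel-group FINANCE-RA general-attributes
 default-group-policy FINANCE
tunnel-group GUEST-RA type remote-access
username alice password CONSTRUCTED encrypted
username alice attributes
 vpn-group-policy SUPPORT
username bob password CONSTRUCTED encrypted
"""
DEFAULT_POLICY = "DfltGrpPolicy"  # default group policy named in the text

def parse(config):
    """Return (profiles, users), each mapping a name to its assigned group policy or None."""
    profiles, users, ctx = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level command: leaves any attributes submode
            ctx = None
            m = re.match(r"(tunnel-group|username) (\S+) (\S+)", line)
            if m:
                table = profiles if m.group(1) == "tunnel-group" else users
                table.setdefault(m.group(2), None)
                if m.group(3) in ("general-attributes", "attributes"):
                    ctx = (table, m.group(2))  # indented lines that follow belong here
        elif ctx:
            m = re.match(r"\s+(default-group-policy|vpn-group-policy) (\S+)", line)
            # default-group-policy counts only under a tunnel group, vpn-group-policy under a user
            if m and (m.group(1) == "default-group-policy") == (ctx[0] is profiles):
                ctx[0][ctx[1]] = m.group(2)
    return profiles, users

def effective_policy(user, profile, profiles, users):
    """Assumed precedence: the user's own policy, else the profile's default, else DfltGrpPolicy."""
    return users.get(user) or profiles.get(profile) or DEFAULT_POLICY

def audit(config):
    """Map every (user, connection profile) pair to the group policy that would apply."""
    profiles, users = parse(config)
    return {(u, p): effective_policy(u, p, profiles, users) for u in users for p in profiles}

if __name__ == "__main__":
    for (user, profile), policy in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{user:6} via {profile:11} -> {policy}")
```

Pairs that resolve to DfltGrpPolicy are the ones to review first, because those users receive whatever the default group policy grants.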
If you decide to grant identical rights to all VPN users, then you do not need to configure specific
connection profiles or group policies, but VPNs seldom work that way. For example, you might allow a
finance group to access one part of a private network, a customer support group to access another part,

Sections in this chapter:
Overview of Connection Profiles, Group Policies, and Users
Configuring Connection Profiles
Group Policies
Configuring User Attributes

Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), Chapter 30

This manual is also suitable for: ASA 5500 series