Connection Profiles - Cisco PIX 500 Series Configuration Manual

Connection Profiles

and an MIS group to access other parts. In addition, you might allow specific users within MIS to access
systems that other MIS users cannot access. Connection profiles and group policies provide the
flexibility to do so securely.
The security appliance also includes the concept of object groups, which are a superset of network lists.

Note
Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and connection profiles. For more information about using object groups, see Chapter 16, "Identifying Traffic with Access Lists."

The security appliance can apply attribute values from a variety of sources. It applies them according to the following hierarchy:
1. Dynamic Access Policy (DAP) record
2. Username
3. Group policy
4. Group policy for the connection profile
5. Default group policy
Therefore, DAP values for an attribute have a higher priority than those configured for a user, group policy, or connection profile.

When you enable or disable an attribute for a DAP record, the security appliance applies that value and enforces it. For example, when you disable HTTP proxy in dap webvpn mode, the security appliance looks no further for a value. When you instead use the no form of the http-proxy command, the attribute is not present in the DAP record, so the security appliance moves down to the AAA attribute in the username and, if necessary, to the group policy to find a value to apply. We recommend that you use ASDM to configure DAP.

Connection Profiles

A connection profile consists of a set of records that determines tunnel connection policies. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters. Connection profiles include a small number of attributes that pertain to creating the tunnel itself, and a pointer to a group policy that defines user-oriented attributes.

The security appliance provides the following default connection profiles: DefaultL2Lgroup for LAN-to-LAN connections, DefaultRAgroup for remote access connections, and DefaultWEBVPNGroup for clientless SSL VPN (browser-based) connections. You can modify these default connection profiles, but you cannot delete them. You can also create one or more connection profiles specific to your environment. Connection profiles are local to the security appliance and are not configurable on external servers.

Connection profiles specify the following attributes:
General Connection Profile Connection Parameters, page 30-3
IPSec Tunnel-Group Connection Parameters, page 30-4
Connection Profile Connection Parameters for Clientless SSL VPN Sessions, page 30-5

Chapter 30 Configuring Connection Profiles, Group Policies, and Users
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
30-2
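The attribute hierarchy and the http-proxy example above, worked through as an added illustration that is not code from the Cisco guide or from the appliance itself: a small Python model of how a value is chosen when the same attribute can live in a DAP record, a username record, a group policy, the connection profile's group policy and the default group policy. Only the default names DfltGrpPolicy and DefaultRAgroup are real appliance names; the other record names, the attribute values and the session layout are constructed for the example. The point it makes runnable is the difference between "http-proxy disable" in a DAP record, which is enforced and stops the search, and "no http-proxy", which leaves the DAP record silent so the appliance keeps looking at lower-priority sources.

```python
"""Model of the attribute-value hierarchy described in the text.

Added illustration; not code from the Cisco guide or the appliance. It
models the precedence DAP record > username > group policy > connection
profile's group policy > default group policy, and the difference between
an attribute that is set at a level (even set to "disable", which is then
enforced) and one that is absent at that level (the "no <attribute>" form),
which makes the lookup continue to the next source. Record names and values
are constructed; only DfltGrpPolicy and DefaultRAgroup are real defaults.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# An attribute removed with the "no" form is simply not present in the
# record; the appliance then moves down to the next source.
ABSENT = None

# Sources in precedence order, highest priority first (hierarchy items 1-5).
PRECEDENCE = (
    "dap",                   # 1. Dynamic Access Policy (DAP) record
    "username",              # 2. Username
    "group-policy",          # 3. Group policy assigned to the user
    "tunnel-group-policy",   # 4. Group policy for the connection profile
    "default-group-policy",  # 5. Default group policy
)


@dataclass
class Record:
    """A DAP record, username record or group policy: a bag of attributes."""
    name: str
    attrs: Dict[str, str] = field(default_factory=dict)


@dataclass
class ConnectionProfile:
    """A connection profile carries a pointer to its default group policy."""
    name: str
    default_group_policy: Record


# Constructed records for the example.
DEFAULT_GROUP_POLICY = Record("DfltGrpPolicy", {"http-proxy": "enable", "vpn-idle-timeout": "30"})
SALES_GROUP_POLICY = Record("SalesPolicy", {"http-proxy": "enable", "vpn-idle-timeout": "15"})
MIS_ADMIN = Record("mis-admin", {"vpn-idle-timeout": "60"})   # user record sets no http-proxy value
REMOTE_ACCESS = ConnectionProfile("DefaultRAgroup", SALES_GROUP_POLICY)

# Two DAP records that differ only in how http-proxy was configured.
DAP_HTTP_PROXY_DISABLED = Record("RestrictWebvpn", {"http-proxy": "disable"})  # "http-proxy disable"
DAP_HTTP_PROXY_UNSET = Record("RestrictWebvpn", {})                            # "no http-proxy"


def resolve(attr: str, sources: Dict[str, Optional[Record]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (value, level) from the highest-priority source in which the
    attribute is present, or (None, None) if no source sets it at all."""
    for level in PRECEDENCE:
        record = sources.get(level)
        if record is None:
            continue                      # no record of this kind applies to the session
        value = record.attrs.get(attr, ABSENT)
        if value is not ABSENT:
            return value, level           # applied and enforced; look no further
    return ABSENT, None


def build_sources(dap, user, user_group_policy, profile):
    """Assemble the five sources for one session (constructed layout)."""
    return {
        "dap": dap,
        "username": user,
        "group-policy": user_group_policy,
        "tunnel-group-policy": profile.default_group_policy,
        "default-group-policy": DEFAULT_GROUP_POLICY,
    }


def http_proxy_when_dap_disables():
    """'http-proxy disable' in dap webvpn mode is applied and enforced."""
    return resolve("http-proxy", build_sources(DAP_HTTP_PROXY_DISABLED, MIS_ADMIN, None, REMOTE_ACCESS))


def http_proxy_when_dap_unset():
    """'no http-proxy' leaves the DAP record silent; the user record has no
    value and no user group policy is assigned, so the value comes from the
    connection profile's group policy."""
    return resolve("http-proxy", build_sources(DAP_HTTP_PROXY_UNSET, MIS_ADMIN, None, REMOTE_ACCESS))


def idle_timeout_for_mis_admin():
    """A per-user value wins over the group policies below it."""
    return resolve("vpn-idle-timeout", build_sources(DAP_HTTP_PROXY_UNSET, MIS_ADMIN, None, REMOTE_ACCESS))


def idle_timeout_for_unknown_user():
    """Nothing above the default group policy sets the value, so it falls
    all the way to DfltGrpPolicy."""
    bare_profile = ConnectionProfile("DefaultRAgroup", Record("EmptyPolicy"))
    return resolve("vpn-idle-timeout", build_sources(None, None, None, bare_profile))


if __name__ == "__main__":
    for fn in (http_proxy_when_dap_disables, http_proxy_when_dap_unset,
               idle_timeout_for_mis_admin, idle_timeout_for_unknown_user):
        print(f"{fn.__name__}: {fn()}")
```

The model treats "disable" as a real value, not as absence, which is exactly why an explicitly disabled DAP attribute cannot be re-enabled by a more permissive group policy further down the list; when auditing a VPN configuration, check which form was used at each level before concluding what a session will actually get.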
