Cisco ASA 5505 Configuration Manual page 1322

ASA 5500 series

Group Policies
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
Adding or Editing a Site-to-Site Internal Group Policy
The Add or Edit Group Policy dialog box lets you specify tunneling protocols, filters, connection
settings, and servers for the group policy being added or modified. For each of the fields in this dialog
box, checking the Inherit check box lets the corresponding setting take its value from the default group
policy. Inherit is the default value for all of the attributes on this dialog box.
Fields
The following attributes appear in the Add Internal Group Policy > General dialog box. They apply to
SSL VPN and IPsec sessions, or clientless SSL VPN sessions. Thus, several are present for one type of
session, but not the other.
Cisco ASA 5500 Series Configuration Guide using ASDM
64-12
- Homepage URL (optional)—To specify a homepage URL for users associated with the group policy,
  enter it in this field. The string must begin with either http:// or https://. To inherit a home page from
  the default group policy, click Inherit. Clientless users are immediately brought to this page after
  successful authentication. AnyConnect launches the default web browser to this URL upon
  successful establishment of the VPN connection. On Linux platforms, AnyConnect does not
  currently support this field and ignores it.
- Access Deny Message—To create a message to users for whom access is denied, enter it in this field.
  To accept the message in the default group policy, click Inherit.
- Name—Specifies the name of this group policy. For the Edit function, this field is read-only.
- Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only
  the selected protocols. The choices are as follows:
    - Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to
      establish a secure remote-access tunnel to an adaptive security appliance; requires neither a
      software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of
      enterprise resources, including corporate websites, web-enabled applications, NT/AD file share
      (web-enabled), e-mail, and other TCP-based applications from almost any computer that can
      reach HTTPS Internet sites.
    - SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL
      VPN client.
    - IPsec—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the most
      complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and
      client-to-LAN connections can use IPsec.
    - L2TP/IPsec—Allows remote users with VPN clients provided with several common PC
      and mobile PC operating systems to establish secure connections over the public IP network
      to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701)
      to tunnel the data. The security appliance must be configured for IPsec transport mode.
Chapter 64
General VPN Setup
OL-20339-01
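
An added example, not part of the Cisco guide: a Python audit that reads group-policy configuration text, resolves Inherit for Tunneling Protocols against the default group policy, and reports protocols a policy permits beyond an expected set. The vpn-tunnel-protocol keywords (ASA 8.x CLI naming), the policy names other than DfltGrpPolicy, the sample configuration and the allowlist are assumptions constructed for illustration.

```python
import re
# Constructed sample shaped like "show running-config group-policy" output.
# Keywords assume ASA 8.x CLI naming (not shown on this page): webvpn = Clientless
# SSL VPN, svc = SSL VPN Client, ipsec = IPsec, l2tp-ipsec = L2TP/IPsec.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
group-policy S2S-BRANCH internal
group-policy S2S-BRANCH attributes
 vpn-tunnel-protocol IPSec
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-idle-timeout 30
"""
# Hypothetical allowlist: the protocols each policy is expected to permit.
ALLOWED = {"DfltGrpPolicy": {"ipsec"}, "S2S-BRANCH": {"ipsec"},
           "CONTRACTORS": {"svc"}}

def parse_tunnel_protocols(config):
    """Map each group policy to its explicit protocol set, or None if inherited."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) (internal|attributes)\b", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, None)
        elif current and line.startswith(" vpn-tunnel-protocol "):
            policies[current] = {kw.lower() for kw in line.split()[1:]}
        elif not line.startswith(" "):
            current = None  # left the group-policy block
    return policies

def effective_protocols(policies, default_name="DfltGrpPolicy"):
    """Resolve Inherit: a policy without its own list takes the default policy's."""
    default = policies.get(default_name) or set()
    return {n: (p if p is not None else default) for n, p in policies.items()}

def audit(config, allowed):
    """Return {policy: [protocols outside its allowlist]}, inherited ones included."""
    findings = {}
    for name, protos in effective_protocols(parse_tunnel_protocols(config)).items():
        extra = protos - allowed.get(name, set())
        if extra:
            findings[name] = sorted(extra)
    return findings

if __name__ == "__main__":
    for policy, extra in audit(SAMPLE_CONFIG, ALLOWED).items():
        print(f"{policy}: unexpected tunneling protocols {extra}")
```

In the sample, CONTRACTORS sets no protocols of its own, so it is reported with everything the default group policy allows, which is the case an explicit per-policy selection avoids.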

This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580
