Chapter 30 Configuring Tunnel Groups, Group Policies, and Users - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
The security appliance also includes the concept of object groups, which are a superset of network lists.
Note: Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see Chapter 16, "Identifying Traffic with Access Lists."
Tunnel Groups
A tunnel group consists of a set of records that determines tunnel connection policies. These records
identify the servers to which the tunnel user is authenticated, as well as the accounting servers, if any, to
which connection information is sent. They also identify a default group policy for the connection, and
they contain protocol-specific connection parameters. Tunnel groups include a small number of
attributes that pertain to creating the tunnel itself, plus a pointer to a group policy that defines
user-oriented attributes.
The security appliance provides the following default tunnel groups: DefaultL2Lgroup for LAN-to-LAN
connections, DefaultRAgroup for remote access connections, and DefaultWEBVPNGroup for WebVPN
connections. You can modify these default tunnel groups, but you cannot delete them. You can also
create one or more tunnel groups specific to your environment. Tunnel groups are local to the security
appliance and are not configurable on external servers.
Tunnel groups specify the following attributes:
• General Tunnel-Group Connection Parameters, page 30-2
• IPSec Tunnel-Group Connection Parameters, page 30-3
• WebVPN Tunnel-Group Connection Parameters, page 30-4
General Tunnel-Group Connection Parameters
General parameters are common to both IPSec and WebVPN connections. The general parameters include the following:
• Tunnel group name—You specify a tunnel-group name when you add or edit a tunnel group. The following considerations apply:
  - For clients that use preshared keys to authenticate, the tunnel group name is the same as the group name that an IPSec client passes to the security appliance, so the name the client is configured with must match the tunnel-group name exactly.
  - Clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate (by default from the OU field of the certificate subject; certificate-to-tunnel-group mapping rules can change this).
• Connection type—Connection types include IPSec remote access, IPSec LAN-to-LAN, and WebVPN. A tunnel group can have only one connection type.
• Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the security appliance uses for the following purposes:
  - Authenticating users
  - Obtaining information about services users are authorized to access
  - Storing accounting records
  A server group can consist of one or more servers.
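As an added worked example (not taken from the guide), the following configuration shows how the general parameters above fit together on the CLI for a remote-access IPSec tunnel group: a AAA server group for authentication and accounting, a default group policy that the tunnel group points to, and the preshared key under which clients present the group name. The names sales-vpn, SALES-RADIUS, SALES-GP and SALES-SPLIT, the 10.x addresses and the key placeholders are assumptions chosen for illustration.

```cisco
! Added example, not from the guide. Names, addresses and keys are assumed.
! AAA server group used for both authentication and accounting records.
aaa-server SALES-RADIUS protocol radius
aaa-server SALES-RADIUS (inside) host 10.1.1.10
 key <radius-shared-secret>
!
! Standard ACL referenced by the group policy as its split-tunnel list
! (ACLs and object groups are covered in Chapter 16).
access-list SALES-SPLIT standard permit 10.1.0.0 255.255.0.0
!
! Default group policy: the user-oriented attributes the tunnel group points to.
group-policy SALES-GP internal
group-policy SALES-GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SALES-SPLIT
!
! Tunnel group: the connection type is fixed when the group is created
! (one connection type per tunnel group).
tunnel-group sales-vpn type ipsec-ra
tunnel-group sales-vpn general-attributes
 authentication-server-group SALES-RADIUS
 accounting-server-group SALES-RADIUS
 default-group-policy SALES-GP
!
! For preshared-key clients, the group name configured on the client must be
! exactly "sales-vpn"; that name is how the appliance selects this tunnel group.
tunnel-group sales-vpn ipsec-attributes
 pre-shared-key <group-preshared-key>
```

To check the result, `show running-config tunnel-group sales-vpn` lists the general and IPSec attributes that were applied, and `show vpn-sessiondb remote` shows which tunnel group and group policy an active session landed in, which is the quickest way to confirm that the client's group name matched the intended tunnel group rather than falling back to DefaultRAgroup.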
Chapter 30
Configuring Tunnel Groups, Group Policies, and Users
OL-10088-01