Chapter 30
Configuring Tunnel Groups, Group Policies, and Users
The following example shows how to set a VPN session timeout of 180 minutes for the group policy
named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180
hostname(config-group-policy)#
Step 5 Specify the name of the ACL to use for VPN connections, using the vpn-filter command in group policy mode. (You can also configure this attribute in username mode, in which case the value configured under username supersedes the group-policy value.)
hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#
You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the
vpn-filter command to apply those ACLs.
To remove the ACL, including a null value created by entering the vpn-filter none command, enter the
no form of this command. The no option allows inheritance of a value from another group policy.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the
none keyword instead of specifying an ACL name. The none keyword indicates that there is no access
list and sets a null value, thereby disallowing an access list.
The following example shows how to set a filter that invokes an access list named acl_vpn for the group
policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter acl_vpn
hostname(config-group-policy)#
Step 6 Specify the VPN tunnel type (IPSec or WebVPN) for this group policy.
hostname(config-group-policy)# vpn-tunnel-protocol {webvpn | IPSec | l2tp-ipsec}
hostname(config-group-policy)#
The default is IPSec. To remove the attribute from the running configuration, enter the no form of this
command.
hostname(config-group-policy)# no vpn-tunnel-protocol [webvpn | IPSec | l2tp-ipsec]
hostname(config-group-policy)#
The parameter values for this command follow:
• IPSec—Negotiates an IPSec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.
• webvpn—Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.
• l2tp-ipsec—Negotiates an IPSec tunnel for an L2TP connection.
Enter this command to configure one or more tunneling modes. You must configure at least one tunneling
mode for users to connect over a VPN tunnel.
The following example shows how to configure the IPSec tunneling mode for the group policy named
FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol IPSec
hostname(config-group-policy)#
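The following configuration ties Steps 5 and 6 together and is an added illustration, not an example from the guide: it defines the ACL that vpn-filter references, applies it to the group policy FirstGroup, sets the tunnel protocol, and shows the username-level override described in Step 5. The addresses, the user name alice and the ACL name acl_vpn_admin are assumptions.

```cisco
! Added example (not from the guide). Addresses, the user "alice" and the ACL
! "acl_vpn_admin" are assumptions; FirstGroup and acl_vpn are the guide's names.
!
! The vpn-filter ACL is written with the VPN client's assigned address as the
! source. Here clients from the assumed pool 10.10.10.0/24 may reach only the
! internal server 192.168.1.10 over HTTPS; everything else is denied.
access-list acl_vpn extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-list acl_vpn extended deny ip any any

! Step 5 and Step 6: apply the filter and require IPSec for the group.
group-policy FirstGroup attributes
 vpn-filter value acl_vpn
 vpn-tunnel-protocol IPSec

! Per-user override: a vpn-filter set under username supersedes the
! group-policy value, so alice gets the wider acl_vpn_admin instead.
access-list acl_vpn_admin extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
username alice attributes
 vpn-filter value acl_vpn_admin

! To remove the override and let alice inherit FirstGroup's filter again,
! enter the no form under the username.
username alice attributes
 no vpn-filter
```

Verify the result with show running-config group-policy FirstGroup and show running-config username alice before relying on the filter.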
OL-10088-01
Cisco Security Appliance Command Line Configuration Guide
Group Policies
30-37