Cisco FirePOWER ASA 5500 series Configuration Manual page 628
Configuring User Attributes
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-address 10.92.166.7
hostname(config-username)
Specify the network mask to use with the IP address specified in the previous step. If you used the
no vpn-framed-ip-address command, do not specify a network mask. To remove the subnet mask, enter
the no form of this command. There is no default behavior or value.
hostname(config-username)# vpn-framed-ip-netmask {netmask}
hostname(config-username)# no vpn-framed-ip-netmask
hostname(config-username)
The following example shows how to set a subnet mask of 255.255.255.254 for a user named anyuser:
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-framed-ip-netmask 255.255.255.254
hostname(config-username)
Specifying the Tunnel Protocol
Specify the VPN tunnel types (IPSec or WebVPN) that this user can use. The default is taken from the
default group policy, the default for which is IPSec. To remove the attribute from the running
configuration, enter the no form of this command.
hostname(config-username)# vpn-tunnel-protocol {webvpn | IPSec}
hostname(config-username)# no vpn-tunnel-protocol [webvpn | IPSec]
hostname(config-username)
The parameter values for this command are as follows:
IPSec—Negotiates an IPSec tunnel between two peers (a remote access client or another secure
gateway). Creates security associations that govern authentication, encryption, encapsulation, and
key management.
webvpn—Provides VPN services to remote users via an HTTPS-enabled web browser, and does not
require a client.
Enter this command to configure one or more tunneling modes. You must configure at least one tunneling
mode for users to connect over a VPN tunnel.
The following example shows how to configure WebVPN and IPSec tunneling modes for the user named
anyuser:
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-tunnel-protocol webvpn
hostname(config-username)# vpn-tunnel-protocol IPSec
hostname(config-username)
Restricting Remote User Access
Configure the group-lock attribute with the value keyword to restrict remote users to access only
through the specified, preexisting tunnel group. Group-lock restricts users by checking whether the
group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is
not, the security appliance prevents the user from connecting. If you do not configure group-lock, the
security appliance authenticates users without regard to the assigned group.
To remove the group-lock attribute from the running configuration, enter the no form of this command.
This option allows inheritance of a value from the group policy. To disable group-lock, and to prevent
inheriting a group-lock value from a default or specified group policy, enter the group-lock command
with the none keyword.
Cisco Security Appliance Command Line Configuration Guide
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
OL-10088-01
30-74
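The three user attributes covered on this page each have a failure mode that is easy to leave in a running-config: a vpn-framed-ip-address with no vpn-framed-ip-netmask, a tunnel protocol that is silently inherited from the default group policy (whose own default is IPSec), and a group-lock that is either absent (the appliance then authenticates the user regardless of tunnel group), set to none (which also blocks inheritance), or set to a tunnel group name that does not exist. The script below audits a saved configuration for all three. It is an added example written for this page, not Cisco's code or anything from the guide; the sample configuration is constructed, and the inheritance chain it resolves (user, then the group policy named by vpn-group-policy on the user, then DfltGrpPolicy, then the device default) is a simplification that ignores a tunnel group's own default group policy, which this page does not cover.

```python
"""Audit ASA-style username attributes for the pitfalls described on this page.

Added example, not Cisco's code. Assumptions: only top-level 'username ... attributes',
'group-policy ... attributes' and 'tunnel-group ... type ...' lines are understood, and
inheritance is resolved as user -> vpn-group-policy named on the user -> DfltGrpPolicy
-> device default, ignoring a tunnel group's own default-group-policy.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample running-config; not taken from a real device.
SAMPLE_CONFIG = """\
tunnel-group SalesGroup type ipsec-ra
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
group-policy SalesPolicy attributes
 vpn-tunnel-protocol webvpn
 group-lock value SalesGroup
username anyuser password xxxxxxxx encrypted
username anyuser attributes
 vpn-framed-ip-address 10.92.166.7
 vpn-framed-ip-netmask 255.255.255.254
 vpn-tunnel-protocol webvpn
 vpn-tunnel-protocol IPSec
 group-lock value SalesGroup
username bob attributes
 vpn-framed-ip-address 10.92.166.9
 group-lock none
username carol attributes
 vpn-group-policy SalesPolicy
username dave attributes
 group-lock value Contractors
"""

BLOCK_RE = re.compile(r"^(username|group-policy)\s+(\S+)\s+attributes\s*$")
TUNNEL_RE = re.compile(r"^tunnel-group\s+(\S+)\s+type\b")

Attrs = Dict[str, List[List[str]]]  # keyword -> one argument list per occurrence


def parse_config(config: str) -> Tuple[Dict[str, Attrs], Dict[str, Attrs], Set[str]]:
    """Collect username and group-policy attribute blocks plus defined tunnel-group names."""
    users: Dict[str, Attrs] = {}
    policies: Dict[str, Attrs] = {}
    tunnel_groups: Set[str] = set()
    current: Optional[Attrs] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line[0] in " \t":                      # indented line belongs to the open block
            if current is not None:
                words = line.split()
                current.setdefault(words[0], []).append(words[1:])
            continue
        m = BLOCK_RE.match(line)                  # top-level command opens or closes a block
        if m:
            table = users if m.group(1) == "username" else policies
            current = table.setdefault(m.group(2), {})
        else:
            current = None
            t = TUNNEL_RE.match(line)
            if t:
                tunnel_groups.add(t.group(1))
    return users, policies, tunnel_groups


def effective(keyword: str, user_attrs: Attrs, policies: Dict[str, Attrs]) -> Optional[List[str]]:
    """First definition found along the inheritance chain, flattened to a token list."""
    chain = [user_attrs]
    gp = user_attrs.get("vpn-group-policy")
    if gp:
        chain.append(policies.get(gp[0][0], {}))
    chain.append(policies.get("DfltGrpPolicy", {}))
    for attrs in chain:
        if keyword in attrs:
            return [tok for args in attrs[keyword] for tok in args]
    return None


def audit(config: str) -> Dict[str, dict]:
    """Per user: the effective tunnel protocols and a list of findings."""
    users, policies, tunnel_groups = parse_config(config)
    report: Dict[str, dict] = {}
    for name, attrs in users.items():
        issues: List[str] = []
        if "vpn-framed-ip-address" in attrs and "vpn-framed-ip-netmask" not in attrs:
            issues.append("vpn-framed-ip-address set without vpn-framed-ip-netmask")
        # Page: the default comes from the default group policy, whose own default is IPSec.
        protocols = effective("vpn-tunnel-protocol", attrs, policies) or ["IPSec"]
        lock = effective("group-lock", attrs, policies)
        if lock is None:
            issues.append("no group-lock: user is authenticated regardless of tunnel group")
        elif lock[0] == "none":
            issues.append("group-lock none: lock disabled and inheritance blocked")
        elif lock[0] == "value":
            target = lock[1] if len(lock) > 1 else ""
            if target not in tunnel_groups:
                issues.append(f"group-lock names tunnel group '{target}' that does not exist")
        report[name] = {"tunnel_protocols": protocols, "issues": issues}
    return report


if __name__ == "__main__":
    for user, result in audit(SAMPLE_CONFIG).items():
        print(user, result)
```

Run against the constructed config, anyuser and carol come back clean (carol inherits both webvpn and the SalesGroup lock from SalesPolicy), bob is flagged twice (missing netmask, group-lock none), and dave is flagged for a group-lock that names a tunnel group the configuration never defines.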