Cisco ASA Series Cli Configuration Manual page 1692

Software version 9.0 for the services module

Group Policies
hostname(config-group-policy)#
The netmask variable provides the subnet mask for the tunnel IP address. The no form of this command
removes the DHCP intercept from the configuration:
[no] intercept-dhcp
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp enable
Setting Up a Split Exclusion Policy for Web Security
Information about Cloud Web Security
The AnyConnect Web Security module is an endpoint component that routes HTTP traffic to a Cisco
Cloud Web Security scanning proxy where Cisco Cloud Web Security evaluates it. Cisco Cloud Web
Security deconstructs the elements of a Web page so that it can analyze each element simultaneously. It
blocks potentially harmful content and allows benign content to come through.
With many Cisco Cloud Web Security scanning proxies spread around the world, users taking advantage
of AnyConnect Web Security are able to route their traffic to the Cisco Cloud Web Security scanning
proxy with the fastest response time to minimize latency.
When a user has established a VPN session, all network traffic is sent through the VPN tunnel. However,
when AnyConnect users are using web security, the HTTP traffic originating at the endpoint needs to be
excluded from the tunnel and sent directly to the Cloud Web Security scanning proxy.
To set up the split tunnel exclusions for traffic meant for the Cloud Web Security scanning proxy, use
the Set up split exclusion for Web Security button in a group policy.
Prerequisites
- You need to have access to the ASA using ASDM. This procedure cannot be performed using the command line interface.
- Web security needs to be configured for use with the AnyConnect client. See Configuring Web Security in the AnyConnect Secure Mobility Client Administrator Guide.
- You have created a Group Policy and assigned it a Connection Profile for AnyConnect clients configured with Web Security.
Detailed Steps
Step 1  Start an ASDM session for the head end you want to configure and select Remote Access VPN > Configuration > Group Policies.
Step 2  Select the Group Policy you want to configure and click Edit.
Step 3  Select Advanced > Split Tunneling.
Step 4  Click Set up split exclusion for Web Security.
Step 5  Enter a new, or select an existing, access list used for Web Security split exclusion. ASDM will set up the access list for use in the network list.
Step 6  Click Create Access List for a new list or Update Access List for an existing list.
Cisco ASA Series CLI Configuration Guide
1-58
Chapter 1
Configuring Connection Profiles, Group Policies, and Users
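Traffic that matches a split exclusion leaves the endpoint outside the VPN tunnel, so the access list behind the exclusion is worth reviewing after the procedure above. The following is an added example, not part of the Cisco guide: it parses a constructed running-config and flags exclude-type group policies whose network list is missing or broader than an assumed /24 review threshold. It assumes the exclusion is stored as split-tunnel-policy excludespecified plus split-tunnel-network-list value <ACL> with a standard access list; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config; only the FirstGroup name comes from the page.
SAMPLE_CONFIG = """\
access-list WEBSEC_EXCLUDE standard permit host 192.0.2.10
access-list BROAD_EXCLUDE standard permit 10.0.0.0 255.0.0.0
group-policy FirstGroup attributes
 intercept-dhcp enable
 split-tunnel-policy excludespecified
 split-tunnel-network-list value WEBSEC_EXCLUDE
group-policy Contractors attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value BROAD_EXCLUDE
group-policy Legacy attributes
 split-tunnel-policy excludespecified
"""
MIN_PREFIX = 24  # assumed review threshold, not a Cisco value

def parse_acls(config):
    """Map each standard ACL name to the networks it permits."""
    acls = {}
    for name, target in re.findall(r"^access-list (\S+) standard permit (.+)$", config, re.M):
        t = target.split()
        special = {"any": "0.0.0.0/0", "any4": "0.0.0.0/0", "host": t[-1] + "/32"}
        cidr = special.get(t[0], "/".join(t[:2]))  # otherwise "address/netmask"
        acls.setdefault(name, []).append(ipaddress.ip_network(cidr, strict=False))
    return acls

def parse_group_policies(config):
    """Map each group policy to its split-tunnel policy and network list."""
    policies = {}
    for name, body in re.findall(r"^group-policy (\S+) attributes\n((?: .*\n)*)", config + "\n", re.M):
        gp = policies.setdefault(name, {"policy": None, "acl": None})
        for w in map(str.split, body.splitlines()):
            if w[:1] == ["split-tunnel-policy"] and len(w) > 1:
                gp["policy"] = w[1]
            elif w[:2] == ["split-tunnel-network-list", "value"] and len(w) > 2:
                gp["acl"] = w[2]
    return policies

def audit(config):
    """Return (policy, finding) pairs for tunnel exclusions that deserve review."""
    acls, findings = parse_acls(config), []
    for name, gp in parse_group_policies(config).items():
        if gp["policy"] == "excludespecified":
            nets = acls.get(gp["acl"], [])
            if not nets:
                findings.append((name, "exclude policy has no usable network list"))
            findings += [(name, f"broad exclusion {n}") for n in nets if n.prefixlen < MIN_PREFIX]
    return findings
```

Calling audit(SAMPLE_CONFIG) reports the Contractors and Legacy policies and leaves FirstGroup, whose list holds a single host, unflagged.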
