Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Configuring Tunnel Groups, Group Policies, and Users

Table Of Contents

Configuring Tunnel Groups, Group Policies, and Users

Overview of Tunnel Groups, Group Policies, and Users

Tunnel Groups

General Tunnel Group Parameters

IPSec Connection Parameters

Configuring Tunnel Groups

Default Remote Access Tunnel Group Configuration

Configuring Remote-Access Tunnel Groups

Specify a Name and Type for the Remote-Access Tunnel Group

Configure Remote-Access Tunnel Group General Attributes

Configure Remote-Access Tunnel Group IPSec Attributes

Default LAN-to-LAN Tunnel Group Configuration

Configuring LAN-to-LAN Tunnel Groups

Specify a Name and Type for the LAN-to-LAN Tunnel Group

Configure LAN-to-LAN Tunnel Group General Attributes

Configure LAN-to-LAN IPSec Attributes

Group Policies

Default Group Policy

Configuring Group Policies

Configuring Users

Viewing the Username Configuration

Configuring Specific Users

Setting a User Password and Privilege Level

Configuring User Attributes


Configuring Tunnel Groups, Group Policies, and Users


This chapter describes how to configure VPN tunnel groups, group policies, and users. This chapter includes the following sections.

Overview of Tunnel Groups, Group Policies, and Users

Configuring Tunnel Groups

Group Policies

Configuring Users

In summary, you first configure tunnel groups to set the values for the connection. Then you configure group policies. These set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure these entities.

Overview of Tunnel Groups, Group Policies, and Users

Groups and users are core concepts in managing the security of virtual private networks (VPNs) and in configuring the security appliance. They specify attributes that determine user access to and use of the VPN. A group is a collection of users treated as a single entity. Users get their attributes from group policies. Tunnel groups identify the group policy for a specific connection. If you do not assign a particular group policy to a user, the default group policy for the connection applies.

Tunnel groups and group policies simplify system management. To streamline the configuration task, the security appliance provides a default LAN-to-LAN tunnel group (DefaultL2LGroup), a default remote access tunnel group (DefaultRAGroup), and a default group policy (DfltGrpPolicy). The default tunnel groups and group policy provide settings that are likely to be common for many users. As you add users, you can specify that they "inherit" parameters from a group policy. Thus you can quickly configure VPN access for large numbers of users.

If you decide to grant identical rights to all VPN users, then you do not need to configure specific tunnel groups or group policies, but VPNs seldom work that way. For example, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. Tunnel groups and group policies provide the flexibility to do so securely.


Note The security appliance also includes the concept of object groups, which are a superset of network lists. Object groups let you define VPN access to ports as well as networks. Object groups relate to ACLs rather than to group policies and tunnel groups. For more information about using object groups, see Chapter 13, "Identifying Traffic with Access Lists."


Tunnel Groups

A tunnel group consists of a set of records that contain tunnel connection policies. Tunnel groups contain a small number of attributes that pertain to creating the tunnel itself. Tunnel groups include a pointer to a group policy that defines user-oriented attributes.

The security appliance provides two default tunnel groups, one for LAN-to-LAN connections, and one for remote access connections. You can modify these default tunnel groups, but you cannot delete them. You can also create one or more tunnel groups specific to your environment. Tunnel groups are local to the security appliance and are not configurable on external servers.

Tunnel groups specify the following attributes:

General parameters

IPSec connection parameters

General Tunnel Group Parameters

The general parameters include the following:

Tunnel group name—Both remote access and LAN-to-LAN clients select a tunnel group by its name, as follows:

For IPSec clients that use preshared keys to authenticate, the tunnel group name is the same as the group name that the IPSec client passes to the security appliance.

IPSec clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate.

Tunnel group records contain tunnel connection policy information. These records identify the servers to which the tunnel user is authenticated, as well as the accounting servers to which connection information is sent. They also identify a default group policy for the connection, and they contain protocol-specific connection parameters.

Connection type—Connection types include remote access IPSec and LAN-to-LAN IPSec. A tunnel group can have only one connection type.

Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the security appliance uses for the following purposes:

Authenticating users

Obtaining information about services users are authorized to access

Storing accounting records

A server group can consist of one or more servers.

Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.

Client address assignment method—This method includes values for one or more DHCP servers or address pools that the security appliance assigns to clients.

IPSec Connection Parameters

IPSec parameters include the following:

A client authentication method: preshared keys or certificates.

ISAKMP keepalive settings. This feature lets the security appliance monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the security appliance removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.

There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers:

Cisco VPN client (Release 3.0 and above)

Cisco VPN 3000 Client (Release 2.x)

Cisco VPN 3002 Hardware Client

Cisco VPN 3000 Series Concentrators

Cisco IOS software

Cisco Secure PIX Firewall

Non-Cisco VPN clients do not support IKE keepalives.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.

If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend that you keep your idle timeout short. To change your idle timeout, see the "Configuring Group Policies" section.


Note To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalives mechanism prevents connections from idling and therefore from disconnecting.

If you do disable IKE keepalives, the client disconnects only when either its IKE or IPSec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.



Note If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers have the same IKE keepalives configuration. Both peers must have IKE keepalives enabled or both peers must have it disabled.


Values for defining authorization usernames.

Configuring Tunnel Groups

The security appliance provides two default tunnel groups, one for remote access (DefaultRAGroup) and one for LAN-to-LAN (DefaultL2LGroup). You can modify these groups, but you cannot delete them. To see the current and default configuration of all your tunnel groups, including the default tunnel groups, enter the show running-config all tunnel-group command.

You can configure a new tunnel group as either an IPSec Remote Access (ipsec-ra) tunnel or an IPSec LAN-to-LAN (ipsec-l2l) tunnel. The default is ipsec-ra. The subsequent parameters depend upon your choice of tunnel type.

Default Remote Access Tunnel Group Configuration

The contents of the default remote-access tunnel group are as follows:

tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 no address-pool
 authentication-server-group LOCAL
 no authorization-server-group
 no accounting-server-group
 default-group-policy DfltGrpPolicy
 no dhcp-server
 no strip-realm
 no strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key
 no authorization-required
 authorization-dn-attributes CN OU
 peer-id-validate req
 no radius-with-expiry
 no chain
 no trust-point
 isakmp keepalive threshold 300 retry 2

Configuring Remote-Access Tunnel Groups

To configure a remote-access tunnel group, follow the steps in this section. An IPSec Remote Access VPN tunnel group applies only to remote-access IPSec client connections.

Specify a Name and Type for the Remote-Access Tunnel Group

To assign a name and type to the tunnel group, enter the tunnel-group command:

hostname(config)# tunnel-group tunnel_group_name type tunnel_type

For a remote-access tunnel, the type is ipsec-ra; for example:

hostname(config)# tunnel-group TunnelGroup1 type ipsec-ra 

Configure Remote-Access Tunnel Group General Attributes

To configure the tunnel group general attributes, specify the parameters in the following steps.


Step 1 Enter the config-general mode by specifying the tunnel-group command with the general-attributes designator:

hostname(config)# tunnel-group tunnel_group_name general-attributes

This command enters config-general mode, in which you configure the tunnel-group general attributes.

Step 2 Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the word LOCAL:

hostname(config-general)# authentication-server-group groupname [LOCAL]

You can also configure interface-specific authentication by including the name of an interface after the group name. The following command configures interface-specific authentication for the interface named "test" using the server "servergroup1" for authentication:

hostname(config-general)# authentication-server-group test servergroup1

Step 3 Specify the name of the authorization-server group, if any, to use:

hostname(config-general)# authorization-server-group groupname

Step 4 Specify the name of the accounting-server group, if any, to use:

hostname(config-general)# accounting-server-group groupname

Step 5 Specify the name of the default group policy:

hostname(config-general)# default-group-policy policyname

The following example sets "DfltGrpPolicy" as the name of the group policy:

hostname(config-general)# default-group-policy DfltGrpPolicy

Step 6 Specify the name or IP address of the DHCP server (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). The defaults are no DHCP server and no address pool.

hostname(config-general)# dhcp-server server1 [...server10]
hostname(config-general)# address-pool [(interface name)] address_pool1 [...address_pool6]


Note The interface name must be enclosed in parentheses.


You configure address pools with the ip local pool command in global configuration mode.

Step 7 Specify whether to strip the group or the realm from the username before passing it on to the AAA server. The default is not to strip either the group name or the realm.

hostname(config-general)# strip-group
hostname(config-general)# strip-realm

Enter the strip-realm command to remove the realm qualifier of the username during authentication. If you do so, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must enable strip realm if your server is unable to parse delimiters. If you are using the Group Lookup feature and strip realm, do not use the @ character for the group delimiter.

Step 8 Specify whether users must exist in the authorization database to connect.

hostname(config-general)# authorization-server-group groupname


Configure Remote-Access Tunnel Group IPSec Attributes

To configure the IPSec attributes, specify the following parameters:


Step 1 Specify the IPSec-attributes designator:

hostname(config)# tunnel-group tunnel-group-name ipsec-attributes

For example, the following command designates that the config-ipsec mode commands that follow pertain to the tunnel group named "TG1":

hostname(config)# tunnel-group TG1 ipsec-attributes

This command enters config-ipsec mode, in which you configure the tunnel-group IPSec attributes.

Step 2 Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:

hostname(config-ipsec)# authorization-dn-attributes {primary-attribute [secondary-attribute] | use-entire-name}

For example, the following command specifies the use of the "CN" attribute as the username for authorization:

hostname(config-ipsec)# authorization-dn-attributes CN

The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), and UID (User ID).

Step 3 Specify whether to require a successful authorization before allowing a user to connect. The default is not to require authorization.

hostname(config-ipsec)# authorization-required

Step 4 Specify the client-update parameters; that is, the client type and the acceptable revision levels for that client:

hostname(config-ipsec)# client-update type type url url-string rev-nums rev-numbers

The available client types are Win9X (includes Windows 95, Windows 98 and Windows ME platforms), WinNT (includes Windows NT 4.0, Windows 2000 and Windows XP platforms), Windows (includes all Windows-based platforms), and vpn3002 (VPN3002 hardware client).

If the client is already running a software version on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list, it should update. You can specify up to four of these client update entries.

The following example configures client update parameters for the remote-access tunnel group. It designates the revision number 4.6.1 and the URL for retrieving the update, which is "https://support/updates":

hostname(config-ipsec)# client-update type windows url https://support/updates/ rev-nums 4.6.1

Step 5 Specify the preshared key to support IKE connections based on preshared keys.

hostname(config-ipsec)# pre-shared-key xyzx

The preceding command specifies the preshared key xyzx to support IKE connections for an IPSec remote access tunnel group.

Step 6 Specify whether to validate the identity of the peer using the peer's certificate:

hostname(config-ipsec)# peer-id-validate option

The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req.

Step 7 Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission:

hostname(config-ipsec)# chain

You can apply this attribute to all tunnel-group types.

Step 8 Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-ipsec)# trust-point trust-point-name

The following command specifies "mytrustpoint" as the name of the certificate to be sent to the IKE peer:

hostname(config-ipsec)# trust-point mytrustpoint

You can apply this attribute to all tunnel-group types.

Step 9 Specify whether to have the security appliance use MS-CHAPv2 to negotiate a password update with the user during authentication:

hostname(config-ipsec)# radius-with-expiry

The security appliance ignores this command if RADIUS authentication has not been configured.

Step 10 Specify the ISAKMP keepalive threshold and the number of retries allowed:

hostname(config-ipsec)# isakmp keepalive threshold <number> retry <number>

The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command.

For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:

hostname(config-ipsec)# isakmp keepalive threshold 15 retry 10

The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.


Default LAN-to-LAN Tunnel Group Configuration

The contents of the default LAN-to-LAN tunnel group are as follows:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2

LAN-to-LAN tunnel groups have fewer parameters than remote-access tunnel groups, and most of these are the same for both groups. For your convenience in configuring the connection, they are listed separately here.

Configuring LAN-to-LAN Tunnel Groups

An IPSec LAN-to-LAN VPN tunnel group applies only to LAN-to-LAN IPSec client connections. To configure a LAN-to-LAN tunnel group, follow the steps in this section.

Specify a Name and Type for the LAN-to-LAN Tunnel Group

To specify a name and a type for a tunnel group, enter the tunnel-group command, as follows:

hostname(config)# tunnel-group tunnel_group_name type tunnel_type

For a LAN-to-LAN tunnel, the type is ipsec-l2l; for example:

hostname(config)# tunnel-group TunnelGroup1 type ipsec-l2l

Configure LAN-to-LAN Tunnel Group General Attributes

To configure the tunnel group general attributes, specify the parameters in the following steps:


Step 1 Enter configuration-general mode by specifying the general-attributes designator:

hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-general)# 

The prompt changes to indicate that you are now in config-general mode, in which you configure the tunnel-group general attributes.

Step 2 Specify the name of the accounting-server group, if any, to use:

hostname(config-general)# accounting-server-group groupname

For example, the following command specifies the use of the accounting-server group "acctgserv1":

hostname(config-general)# accounting-server-group acctgserv1

Step 3 Specify the name of the default group policy:

hostname(config-general)# default-group-policy policyname

For example, the following command specifies that the name of the default group policy is "MyPolicy":

hostname(config-general)# default-group-policy MyPolicy


Configure LAN-to-LAN IPSec Attributes

To configure the IPSec attributes, do the following steps:


Step 1 To enter config-ipsec mode, in which you configure the tunnel-group IPSec attributes, enter the tunnel-group command with the IPSec-attributes designator.

hostname(config)# tunnel-group tunnel-group-name ipsec-attributes

For example, the following command enters config-ipsec mode so you can configure the parameters for the tunnel group named "TG1":

hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-ipsec)# 

The prompt changes to indicate that you are now in config-ipsec mode.

Step 2 Specify the preshared key to support IKE connections based on preshared keys.

hostname(config-ipsec)# pre-shared-key key

For example, the following command specifies the preshared key xyzx to support IKE connections for an IPSec LAN-to-LAN tunnel group:

hostname(config-ipsec)# pre-shared-key xyzx

Step 3 Specify whether to validate the identity of the peer using the peer's certificate:

hostname(config-ipsec)# peer-id-validate option

The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req. For example, the following command sets the peer-id-validate option to nocheck:

hostname(config-ipsec)# peer-id-validate nocheck

Step 4 Specify whether to enable sending of a certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission:

hostname(config-ipsec)# chain

You can apply this attribute to all tunnel-group types.

Step 5 Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-ipsec)# trust-point trust-point-name

For example, the following command sets the trustpoint name to "mytrustpoint":

hostname(config-ipsec)# trust-point mytrustpoint

You can apply this attribute to all tunnel-group types.

Step 6 Specify the ISAKMP keepalive threshold and the number of retries allowed. The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command.

hostname(config-ipsec)# isakmp keepalive threshold <number> retry <number>

For example, the following command sets the ISAKMP keepalive threshold to 15 seconds and sets the retry interval to 10 seconds:

hostname(config-ipsec)# isakmp keepalive threshold 15 retry 10

The default value for the threshold parameter for LAN-to-LAN is 10, and the default value for the retry parameter is 2.


Group Policies

A group policy is a set of user-oriented attribute/value pairs for IPSec connections that are stored either internally (locally) on the device or externally on a RADIUS server. The tunnel group refers to a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.

Enter the group-policy commands in global configuration mode to assign a group policy to users or to modify a group policy for specific users.

The security appliance includes a default group policy. You can modify this default group policy, but you cannot delete it. You can also create one or more group policies specific to your environment.

Group policies include the following attributes:

Identity

Defining servers

Client firewall settings

Tunneling protocols

IPSec settings

Hardware client settings

Filters

Client configuration settings

WebVPN functions

Connection settings

Default Group Policy

The security appliance supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named "DfltGrpPolicy", always exists on the security appliance, but this default group policy does not take effect unless you configure the security appliance to use it. To view the default group policy, enter the following command:

hostname(config)# show running-config all group-policy DfltGrpPolicy

To configure the default group policy, enter the following command:

hostname(config)# group-policy DfltGrpPolicy internal


Note The default group policy is internal. Despite the fact that the command syntax is hostname(config)# group-policy DfltGrpPolicy {internal | external}, you cannot change the type to external.


If you want to change any of the attributes of the group policy, use the group-policy attributes command to enter attributes mode, then specify the commands to change whatever attributes that you want to modify:

hostname(config)# group-policy DfltGrpPolicy attributes


Note The attributes mode applies only for internal group policies.


The default group policy that the security appliance provides, "DfltGrpPolicy", is as follows:

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 wins-server none
 dns-server none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 banner none
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  no html-content-filter
  no homepage
  no filter
  no url-list
  no port-forward
  port-forward-name value Application Access

You can modify the default group policy, and you can also create one or more group policies specific to your environment.

Configuring Group Policies

A group policy can apply to either remote-access or LAN-to-LAN IPSec tunnels. In each case, if you do not explicitly define a parameter, the group takes the value from the default group policy. To configure a group policy, follow these steps:


Step 1 Specify a name and type (internal or external) for the group policy:

hostname(config)# group-policy group_policy_name type

For example, the following command specifies that the group policy is named "GroupPolicy1" and that its type is internal:

hostname(config)# group-policy GroupPolicy1 internal

The default type is internal.

You can initialize the attributes of an internal group policy to the values of a preexisting group policy by appending the keyword from and specifying the name of the existing policy:

hostname(config)# group-policy group_policy_name internal from group_policy_name

For an external group policy, you must identify the AAA server group that the security appliance can query for attributes and specify the password to use when retrieving attributes from the external AAA server group, as follows:

hostname(config)# group-policy name external server-group server_group password server_password


Note For an external group policy, RADIUS is the only supported AAA server type.


Step 2 Enter the group-policy attributes mode, using the group-policy attributes command in global configuration mode.

hostname(config)# group-policy name attributes
hostname(config-group-policy)# 

The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure the attribute-value pairs that you do not want to inherit from the default group. The commands to do this are described in the following steps.

Step 3 Specify the primary and secondary WINS servers:

hostname(config-group-policy)# wins-server value {ip_address [ip_address] | none}

The first IP address specified is that of the primary WINS server. The second (optional) IP address is that of the secondary WINS server. Specifying the none keyword instead of an IP address sets WINS servers to a null value, which allows no WINS servers and prevents inheriting a value from a default or specified group policy.

Every time that you enter the wins-server command, you overwrite the existing setting. For example, if you configure WINS server x.x.x.x and then configure WINS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole WINS server. The same is true for multiple servers. To add a WINS server rather than overwrite previously configured servers, include the IP addresses of all WINS servers when you enter this command.

The following example shows how to configure WINS servers with the IP addresses 10.10.10.15 and 10.10.10.30 for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# wins-server value 10.10.10.15 10.10.10.30

Step 4 Specify the primary and secondary DNS servers:

hostname(config-group-policy)# dns-server value {ip_address [ip_address] | none}

The first IP address specified is that of the primary DNS server. The second (optional) IP address is that of the secondary DNS server. Specifying the none keyword instead of an IP address sets DNS servers to a null value, which allows no DNS servers and prevents inheriting a value from a default or specified group policy.

Every time that you enter the dns-server command you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same is true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.

The following example shows how to configure DNS servers with the IP addresses 10.10.10.15, and 10.10.10.30 for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# dns-server value 10.10.10.15 10.10.10.30

Step 5 Set the VPN access hours. To do this, you associate a group policy with a configured time-range policy, using the vpn-access-hours command in group-policy configuration mode.

hostname(config-group-policy)# vpn-access-hours value {time-range | none}

A group policy can inherit a time-range value from a default or specified group policy. To prevent this inheritance, enter the none keyword instead of the name of a time-range in this command. This keyword sets VPN access hours to a null value, which allows no time-range policy.

The time-range variable is the name of a set of access hours defined in global configuration mode using the time-range command. The following example shows how to associate the group policy named "FirstGroup" with a time-range policy called "824":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-access-hours value 824

Step 6 Specify the number of simultaneous logins allowed for any user, using the vpn-simultaneous-logins command in group-policy configuration mode.

hostname(config-group-policy)# vpn-simultaneous-logins integer

The value is an integer in the range 0 through 2147483647; the default is 3. A group policy can inherit this value from another group policy. Enter 0 to disable login and prevent user access. The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-simultaneous-logins 4


Note While there is no maximum limit to the number of simultaneous logins, allowing several could compromise security and affect performance.


Step 7 Configure the user timeout period by entering the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}

The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. The none keyword also permits an unlimited idle timeout period. It sets the idle timeout to a null value, thereby disallowing an idle timeout.

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15

Step 8 Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command in group-policy configuration mode or in username configuration mode.

hostname(config-group-policy)# vpn-session-timeout {minutes | none}

The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value. At the end of this period of time, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. Specifying the none keyword permits an unlimited session timeout period and sets session timeout with a null value, which disallows a session timeout.

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180

Step 9 Specify the name of the ACL to use for VPN connections, using the vpn-filter command in group policy or username mode.

hostname(config-group-policy)# vpn-filter {value ACL name | none}

To remove the ACL, including a null value created by entering the vpn-filter none command, enter the no form of this command. The no option allows inheritance of a value from another group policy.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying an ACL name. The none keyword indicates that there is no access list and sets a null value, thereby disallowing an access list.

You configure ACLs to permit or deny various types of traffic for this group policy. You then enter the vpn-filter command to apply those ACLs.

The following example shows how to set a filter that invokes an access list named "acl_vpn" for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter value acl_vpn

Step 10 Specify the VPN tunnel type (IPSec or WebVPN) for this group policy.

hostname(config-group-policy)# vpn-tunnel-protocol {webvpn | IPSec}

The default is IPSec. To remove the attribute from the running configuration, enter the no form of this command.

hostname(config-group-policy)# no vpn-tunnel-protocol [webvpn | IPSec]

The parameter values for this command follow:

IPSec—Negotiates an IPSec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.

webvpn—Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

Enter this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.

The following example shows how to configure the IPSec tunneling mode for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol IPSec

Step 11 Specify whether to let users store their login passwords on the client system, using the password-storage command with the enable keyword in group-policy configuration mode. To disable password storage, use the password-storage command with the disable keyword.

hostname(config-group-policy)# password-storage {enable | disable}

For security reasons, password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites.

To remove the password-storage attribute from the running configuration, enter the no form of this command:

hostname(config-group-policy)# no password-storage

Specifying the no form enables inheritance of a value for password-storage from another group policy.

This command does not apply to interactive hardware client authentication or individual user authentication for hardware clients.

The following example shows how to enable password storage for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable

Step 12 Specify whether to enable IP compression, which is disabled by default.

hostname(config-group-policy)# ip-comp {enable | disable}

To enable LZS IP compression, enter the ip-comp command with the enable keyword in group-policy configuration mode. To disable IP compression, enter the ip-comp command with the disable keyword.

To remove the ip-comp attribute from the running configuration, enter the no form of this command. This enables inheritance of a value from another group policy.

hostname(config-group-policy)# no ip-comp

Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.


Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Step 13 Specify whether to require that users reauthenticate on IKE rekey by using the re-xauth command with the enable keyword in group-policy configuration mode. To disable user reauthentication on IKE rekey, enter the disable keyword.

hostname(config-group-policy)# re-xauth {enable | disable}

To remove the re-xauth attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for reauthentication on IKE rekey from another group policy.

hostname(config-group-policy)# no re-xauth

Reauthentication on IKE rekey is disabled by default. If you enable reauthentication on IKE rekey, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.

If the configured rekey interval is very short, users might find the repeated authorization requests inconvenient. To avoid repeated authorization requests, disable reauthentication. To check the configured rekey interval, in monitoring mode, enter the show crypto ipsec sa command to view the security association lifetime in seconds and lifetime in kilobytes of data.


Note Reauthentication fails if there is no user at the other end of the connection.


Step 14 Specify whether to restrict remote users to access through the tunnel group only, using the group-lock command in group-policy configuration mode.

hostname(config-group-policy)# group-lock {value tunnel-grp-name | none}
hostname(config-group-policy)# no group-lock

The tunnel-grp-name variable specifies the name of an existing tunnel group that the security appliance requires for the user to connect. Group-lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

To remove the group-lock attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from another group policy.

To disable group-lock, enter the group-lock command with the none keyword. The none keyword sets group-lock to a null value, thereby allowing no group-lock restriction. It also prevents inheriting a group-lock value from a default or specified group policy.

Step 15 Specify whether to enable perfect forward secrecy by using the pfs command with the enable keyword in group-policy configuration mode.

hostname(config-group-policy)# pfs {enable | disable}

In IPSec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key. PFS is disabled by default.

To disable PFS, enter the disable keyword.

To remove the PFS attribute from the running configuration, enter the no form of this command. A group policy can inherit a value for PFS from another group policy. To prevent inheriting a value, enter the no form of this command.

hostname(config-group-policy)# no pfs 

Step 16 Specify the banner, or welcome message, if any, that you want to display. The default is no banner. The message that you specify is displayed on remote clients when they connect. To specify a banner, enter the banner command in group-policy configuration mode. The banner text can be up to 510 characters long. Enter the "\n" sequence to insert a carriage return.


Note A carriage-return/line-feed included in the banner counts as two characters.


To delete a banner, enter the no form of this command. Be aware that using the no version of the command deletes all banners for the group policy.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a value for the banner string, as follows:

hostname(config-group-policy)# banner {value banner_string | none}

The following example shows how to create a banner for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# banner value Welcome to Cisco Systems 7.0.

Step 17 Specify whether to enable IPSec over UDP. To use IPSec over UDP, you must also configure the ipsec-udp-port command, as follows:

hostname(config-group-policy)# ipsec-udp {enable | disable}
hostname(config-group-policy)# no ipsec-udp

IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a security appliance that is running NAT. It is disabled by default. To enable IPSec over UDP, configure the ipsec-udp command with the enable keyword in group-policy configuration mode. To disable IPSec over UDP, enter the disable keyword. To remove the IPSec over UDP attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for IPSec over UDP from another group policy.

The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPSec over UDP.

IPSec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The security appliance exchanges configuration parameters with the client while negotiating SAs. Using IPSec over UDP may slightly degrade system performance.

The following example shows how to set IPSec over UDP for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp enable

If you enabled IPSec over UDP, you must also configure the ipsec-udp-port command in group-policy configuration mode. This command sets a UDP port number for IPSec over UDP. In IPSec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. The port numbers can range from 4001 through 49151. The default port value is 10000.

To disable the UDP port, enter the no form of this command. This enables inheritance of a value for the IPSec over UDP port from another group policy.

hostname(config-group-policy)# ipsec-udp-port port 

The following example shows how to set an IPSec UDP port to port 4025 for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp-port 4025

Step 18 Set the rules for tunneling traffic by specifying the split-tunneling policy.

hostname(config-group-policy)# split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
hostname(config-group-policy)# no split-tunnel-policy

The default is to tunnel all traffic. To set a split tunneling policy, enter the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for split tunneling from another group policy.

Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy to a specific network.

The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client.

The tunnelall keyword specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach internet networks through the corporate network and do not have access to local networks. This is the default option.

The tunnelspecified keyword tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.


Note Split tunneling is primarily a traffic management feature, not a security feature. For optimum security, we recommend that you do not enable split tunneling.


The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-policy tunnelspecified 

Step 19 Create a network list for split tunneling using the split-tunnel-network-list command in group-policy configuration mode.

hostname(config-group-policy)# split-tunnel-network-list {value access-list_name | none}
hostname(config-group-policy)# no split-tunnel-network-list value [access-list_name]

Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network. Only standard-type ACLs are allowed.

The value access-list_name parameter identifies an access list that enumerates the networks to tunnel or not tunnel.

The none keyword indicates that there is no network list for split tunneling; the security appliance tunnels all traffic. Specifying the none keyword sets a split tunneling network list with a null value, thereby disallowing split tunneling. It also prevents inheriting a default split tunneling network list from a default or specified group policy.

To delete a network list, enter the no form of this command. To delete all split tunneling network lists, enter the no split-tunnel-network-list command without arguments. This command deletes all configured network lists, including a null list if you created one by entering the none keyword.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, enter the split-tunnel-network-list none command.

The following example shows how to set a network list called "FirstList" for the group policy named "FirstGroup":

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-network-list value FirstList
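Every attribute in Steps 5 through 19 has the same three states: an explicit value, the none keyword (a null value that also blocks inheritance), and no setting at all (the no form, which inherits from the default group policy). The following Python script is an added example, not code from the Cisco guide or from the security appliance. It parses a constructed running-config fragment (the group and ACL names in it are hypothetical), resolves each attribute through that inheritance chain (assuming the default group policy is named DfltGrpPolicy), and then flags the effective settings this section cautions about: password storage enabled, PFS not enabled, split tunneling enabled, an unlimited idle timeout, no session timeout, no vpn-filter ACL, no reauthentication on IKE rekey, and more simultaneous logins than the documented default of 3 (that threshold is an assumption). It works over exported configuration text, not a live appliance.

```python
"""Resolve ASA group-policy attribute inheritance and audit the result.

Added example, not code from the Cisco guide or the security appliance. It
models the three states the guide gives every group-policy attribute: an
explicit value, the "none" keyword (a null that blocks inheritance), and an
absent attribute (inherits from the default group policy, assumed here to be
named DfltGrpPolicy).
"""
import re
from typing import Dict, List, Optional, Tuple

NULL = "<none>"                   # the "none" keyword: null value, blocks inheritance
DEFAULT_POLICY = "DfltGrpPolicy"  # assumed name of the default group policy
MAX_EXPECTED_LOGINS = 3           # assumption: flag anything above the documented default

# Constructed running-config fragment for this example (hypothetical names).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout 480
 vpn-filter value acl_default
 split-tunnel-policy tunnelall
 pfs enable
 password-storage disable
group-policy FirstGroup attributes
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-filter none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value FirstList
 password-storage enable
 pfs disable
"""

Policy = Dict[str, str]


def parse_group_policies(text: str) -> Dict[str, Policy]:
    """Parse 'group-policy NAME attributes' blocks into {name: {attr: value}}."""
    policies: Dict[str, Policy] = {}
    current: Optional[Policy] = None
    for line in text.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        if current is None or not line.startswith(" ") or not line.strip():
            continue                                  # outside an attributes block
        attr, *args = line.split()
        if args == ["none"]:
            current[attr] = NULL                      # explicit null
        elif args and args[0] == "value":
            current[attr] = " ".join(args[1:])        # 'value X' form
        else:
            current[attr] = " ".join(args)            # enable/disable, integers, keywords
    return policies


def effective(policies: Dict[str, Policy], name: str, attr: str) -> Optional[str]:
    """Resolve an attribute: the named policy first, then the default policy.

    Returns the configured value, NULL if 'none' was set somewhere in the
    chain, or None if the attribute is absent everywhere (the platform
    default then applies).
    """
    for policy_name in (name, DEFAULT_POLICY):
        attrs = policies.get(policy_name, {})
        if attr in attrs:
            return attrs[attr]
    return None


def audit(policies: Dict[str, Policy], name: str) -> List[Tuple[str, str]]:
    """Return (attribute, finding) pairs for settings this section calls out."""
    def get(attr: str) -> Optional[str]:
        return effective(policies, name, attr)

    findings: List[Tuple[str, str]] = []
    logins = get("vpn-simultaneous-logins")
    if logins not in (None, NULL) and int(logins) > MAX_EXPECTED_LOGINS:
        findings.append(("vpn-simultaneous-logins", f"{logins} concurrent logins allowed per user"))
    if get("vpn-idle-timeout") == NULL:
        findings.append(("vpn-idle-timeout", "none: idle connections are never terminated"))
    if get("vpn-session-timeout") in (None, NULL):
        findings.append(("vpn-session-timeout", "no maximum connection lifetime"))
    if get("vpn-filter") in (None, NULL):
        findings.append(("vpn-filter", "no ACL applied to the VPN connection"))
    if get("password-storage") == "enable":
        findings.append(("password-storage", "clients may store login passwords"))
    if get("pfs") != "enable":
        findings.append(("pfs", "perfect forward secrecy not enabled (default is disabled)"))
    split_policy = get("split-tunnel-policy")
    if split_policy not in (None, "tunnelall"):
        findings.append(("split-tunnel-policy", f"split tunneling enabled ({split_policy})"))
    if get("re-xauth") != "enable":
        findings.append(("re-xauth", "no reauthentication on IKE rekey (default is disabled)"))
    return findings


if __name__ == "__main__":
    pols = parse_group_policies(SAMPLE_CONFIG)
    for attr, message in audit(pols, "FirstGroup"):
        print(f"FirstGroup {attr}: {message}")
```

The resolver keeps none (NULL) distinct from an absent attribute because the guide treats them differently: none disallows the attribute outright, while an absent attribute falls through to the default group policy and, failing that, to the platform default. In the constructed sample, FirstGroup inherits its 480-minute session timeout from DfltGrpPolicy but overrides the filter with vpn-filter none, so the audit reports the missing ACL on FirstGroup only.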

Step 20 Specify the default domain name. To set a default domain name for users of the group policy, enter the default-domain command in group-policy configuration mode. To delete a domain name, enter the no form of this command.

hostname(config-group-policy)# default-domain {value domain-name | none}
hostname(config-group-policy)# no default-domain [domain-name]

The security appliance passes the default domain name to the IPSec client to append to DNS queries that omit the domain field. This domain name applies only to tunneled packets. When there are no default domain names, users inherit the default domain name in the default group policy.

The value domain-name parameter identifies the default domain name for the group. To specify that there is no default domain name, enter the none keyword. This command sets a default domain name with a null value, which disallows a default domain name and prevents inheriting a default domain name from a default or specified group policy.

To delete all default domain names, enter the no default-domain command without arguments. This command deletes all configured default domain names, including a null list if you created one by entering the default-domain command with the none keyword. The no form allows inheriting a domain name.