Cisco VPN Client Administrator Guide, Release 5.0
Configuring VPN Client Parameters on the ASA Using CLI

Table Of Contents

Configuring VPN Client Parameters Using CLI

Configuring Connection Profiles—Overview

Configuring General Connection Profile Parameters

IPsec Connection Profile Parameters

Configuring Connection Profiles—Specifics

Default IPsec Remote Access Connection Profile Configuration

Configuring IPsec Tunnel-Group General Attributes

Configuring IPsec Remote-Access Connection Profiles

Specifying a Name and Type for the IPsec Remote Access Connection Profile

Configuring IPsec Remote-Access Connection Profile General Attributes

Configuring IPsec Remote-Access Connection Profile IPsec Attributes

Configuring Client Software Update Using ASDM

Configuring Group Policies

Default Group Policy

Configuring Group Policies

Configuring an Internal Group Policy

Configuring Group Policy Attributes

Configuring VPN-Specific Attributes

Configuring Security Attributes

Configuring the Banner Message

Configuring IPsec-UDP Attributes

Configuring Split-Tunneling Attributes

Configuring Domain Attributes for Tunneling

Configuring Backup Server Attributes

Configuring Address Pools

Configuring Firewall Policies

Configuring Client Access Rules

Example: Configuring a Security Appliance for the VPN Client Using CLI


Configuring VPN Client Parameters Using CLI


This chapter describes how to use the command-line interface of the Adaptive Security Appliance to configure the VPN Client parameters. As with the other chapters, this one focuses on those parameters that you must configure specifically for the VPN Client. The IPsec group uses the IPsec connection parameters to create a tunnel. This chapter focuses only on the parameters related to the VPN. For complete information about configuration using the CLI, see the Cisco ASA 5500 Series Adaptive Security Appliance Configuration Guide.

The general considerations are the same for both the CLI and ASDM, in that you must configure the following parameters for the VPN Client:

Configure the IPsec connection profile.

Configure the advanced IPsec features.

Configure Client Update.

This chapter includes the following sections:

Configuring Connection Profiles—Overview

Configuring Connection Profiles—Specifics

Configuring Group Policies

Example: Configuring a Security Appliance for the VPN Client Using CLI

We recommend that you carefully read the chapter "Configuring Connection Profiles, Group Policies, and Users Using CLI" in the Cisco Security Appliance Command Line Configuration Guide for a complete description of all the parameters you can configure for IPsec connections. That chapter contains complete information on setting up remote users to connect through the IPsec tunnel, and also explains how to use features such as setting up a client banner, firewalls, split tunneling, and so on.

Configuring Connection Profiles—Overview

You configure the parameters in this section using tunnel-group commands. An IPsec connection profile represents a connection-specific record for IPsec VPN connections. In summary, you first configure connection profiles to set the values for the connection. Then you configure group policies, which set values for users in the aggregate. Then you configure users, which can inherit values from groups and configure certain values on an individual user basis. This chapter describes how and why to configure VPN Client-related parameters for connection profiles and group policies.

To configure the IPsec connection profile, do the following steps:


Step 1 Configure the IPsec connection profile. You specify a connection-profile name when you add or edit a connection profile. The following considerations apply:

For clients that use preshared keys to authenticate, the connection profile name is the same as the group name that an IPsec client passes to the security appliance.

Clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate.

Step 2 In the Access Interfaces area, enable the appropriate interfaces (which you've already configured) to allow IPsec access.

Step 3 If necessary, add a new connection profile or edit an existing profile in the Connection Profiles area.


Configuring General Connection Profile Parameters

General parameters are common to all VPN connections. While you must configure all of these parameters (or accept the default values), the following sections concentrate on the ones you must configure for VPN Client connections. The general parameters include the following:

Connection profile name—You specify a connection-profile name when you add or edit a connection profile. The following considerations apply:

For clients that use preshared keys to authenticate, the connection profile name is the same as the group name that an IPsec client passes to the security appliance.

Clients that use certificates to authenticate pass this name as part of the certificate, and the security appliance extracts the name from the certificate.

Connection type—Connection types include IPsec remote access, IPsec LAN-to-LAN, and clientless SSL VPN. A connection profile can have only one connection type. For the VPN Client, you must configure at least one IPsec remote access connection profile.

Authentication, Authorization, and Accounting servers—These parameters identify the server groups or lists that the security appliance uses for the following purposes:

Authenticating users

Obtaining information about services users are authorized to access

Storing accounting records

A server group can consist of one or more servers.

Default group policy for the connection—A group policy is a set of user-oriented attributes. The default group policy is the group policy whose attributes the security appliance uses as defaults when authenticating or authorizing a tunnel user.

Client address assignment method—This method includes values for one or more DHCP servers or address pools that the security appliance assigns to clients.

Override account disabled—This parameter lets you override the "account-disabled" indicator received from a AAA server.

Password management—This parameter lets you warn a user that the current password is due to expire in a specified number of days (the default is 14 days), then offer the user the opportunity to change the password.

Strip group and strip realm—These parameters direct the way the security appliance processes the usernames it receives. They apply only to usernames received in the form user@realm. A realm is an administrative domain appended to a username with the @ delimiter (user@abc).

When you specify the strip-group command, the security appliance selects the connection profile for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization/authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.

Strip-realm processing removes the realm from the username when sending the username to the authentication or authorization server. If the command is enabled, the security appliance sends only the user part of the username for authorization/authentication. Otherwise, the security appliance sends the entire username.

Authorization required—This parameter lets you require authorization before a user can connect, or turn off that requirement.

Authorization DN attributes—This parameter specifies which Distinguished Name attributes to use when performing authorization.

IPsec Connection Profile Parameters

IPsec connection profile/tunnel group parameters include the following:

A client authentication method: preshared keys, certificates, or both.

For IKE connections based on preshared keys, this is the alphanumeric key itself (up to 128 characters long), associated with the connection policy.

Peer-ID validation requirement—This parameter specifies whether to require validating the identity of the peer using the peer's certificate.

An extended hybrid authentication method: XAUTH and hybrid XAUTH.

You use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID.

ISAKMP (IKE) keepalive settings. This feature lets the security appliance monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the security appliance removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity.

There are various forms of IKE keepalives. For this feature to work, both the security appliance and its remote peer must support a common form. This feature works with the following peers:

Cisco AnyConnect VPN Client

Cisco VPN Client (Release 3.0 and above)

Cisco VPN 3000 Client (Release 2.x)

Cisco VPN 3002 Hardware Client

Cisco VPN 3000 Series Concentrators

Cisco IOS software

Cisco Secure PIX Firewall

Non-Cisco VPN clients do not support IKE keepalives.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives and others do not, enable IKE keepalives for the entire group. The feature does not affect the peers that do not support it.

If you disable IKE keepalives, connections with unresponsive peers remain active until they time out, so we recommend that you keep your idle timeout short. To change your idle timeout, see the "Configuring Group Policies" section.

If you configure authentication using digital certificates, you can specify whether to send the entire certificate chain (which sends the peer the identity certificate and all issuing certificates) or just the issuing certificates (including the root certificate and any subordinate CA certificates).

You can notify users who are using outdated versions of Windows client software that they need to update their client, and you can provide a mechanism for them to get the updated client version. For VPN 3002 hardware client users, you can trigger an automatic update. You can configure and change the client-update, either for all connection profiles or for particular connection profiles.

If you configure authentication using digital certificates, you can specify the name of the trustpoint that identifies the certificate to send to the IKE peer.

Configuring Connection Profiles—Specifics

The following sections describe the contents and configuration of connection profiles:

Default IPsec Remote Access Connection Profile Configuration

Specifying a Name and Type for the IPsec Remote Access Connection Profile

Configuring IPsec Remote-Access Connection Profiles

You can modify the default connection profiles, and you can configure a new connection profile as any of the three tunnel-group types. If you don't explicitly configure an attribute in a connection profile, that attribute gets its value from the default connection profile. The default connection-profile type is remote access. The subsequent parameters depend upon your choice of tunnel type. To see the current configured and default configuration of all your connection profiles, including the default connection profile, enter the show running-config all tunnel-group command.

Default IPsec Remote Access Connection Profile Configuration

The contents of the default remote-access connection profile are as follows:

tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
 no address-pool
 no ipv6-address-pool
 authentication-server-group LOCAL
 accounting-server-group RADIUS
 default-group-policy DfltGrpPolicy
 no dhcp-server
 no strip-realm
 no password-management
 no override-account-disable
 no strip-group
 authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup webvpn-attributes
 hic-fail-group-policy DfltGrpPolicy
 customization DfltCustomization
 authentication aaa
 no override-svc-download
 no radius-reject-message
 dns-group DefaultDNS
tunnel-group DefaultRAGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 1500 retry 2
 no radius-sdi-xauth
 isakmp ikev1-user-authentication xauth
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 no authentication ms-chap-v2
 no authentication eap-proxy

Configuring IPsec Tunnel-Group General Attributes

The general attributes are common across more than one connection-profile type. IPsec remote access and clientless SSL VPN tunnels share most of the same general attributes. IPsec LAN-to-LAN tunnels use a subset. Refer to the Cisco Security Appliance Command Reference for complete descriptions of all commands. The following sections describe, in order, how to configure IPsec remote-access connection profiles.

Configuring IPsec Remote-Access Connection Profiles

Use an IPsec remote-access connection profile when setting up a connection between a remote client and a central-site security appliance, using a hardware or software client. To configure an IPsec remote-access connection profile, first configure the tunnel-group general attributes, then the IPsec remote-access attributes. An IPsec Remote Access VPN connection profile applies only to remote-access IPsec client connections. To configure an IPsec remote-access connection profile, see the following sections:

Specifying a Name and Type for the IPsec Remote Access Connection Profile.

Configuring IPsec Remote-Access Connection Profile General Attributes.

Configuring IPsec Remote-Access Connection Profile IPsec Attributes.

Specifying a Name and Type for the IPsec Remote Access Connection Profile

Create the connection profile, specifying its name and type, by entering the tunnel-group command. For an IPsec remote-access tunnel, the type is remote-access:

hostname(config)# tunnel-group tunnel_group_name type remote-access
hostname(config)# 

For example, to create an IPsec remote-access connection profile named TunnelGroup1, enter the following command:

hostname(config)# tunnel-group TunnelGroup1 type remote-access
hostname(config)# 

Configuring IPsec Remote-Access Connection Profile General Attributes

In general, you can accept the default values for all of the general attributes, although you might have a particular set of parameters that you want to change. To configure or change the connection profile general attributes, specify the parameters in the following steps.


Step 1 To configure the general attributes, enter the tunnel-group general-attributes command, which enters tunnel-group general-attributes configuration mode. The prompt changes to indicate the change in mode.

hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)# 

Step 2 Specify the name of the authentication-server group, if any, to use. If you want to use the LOCAL database for authentication if the specified server group fails, append the keyword LOCAL:

hostname(config-tunnel-general)# authentication-server-group [(interface_name)] groupname [LOCAL]
hostname(config-tunnel-general)# 

The name of the authentication server group can be up to 16 characters long.

You can optionally configure interface-specific authentication by including the name of an interface before the group name. The interface name, which specifies where the IPsec tunnel terminates, must be enclosed in parentheses. The following command configures interface-specific authentication for the interface named test using the server group named servergroup1 for authentication:

hostname(config-tunnel-general)# authentication-server-group (test) servergroup1
hostname(config-tunnel-general)# 

Step 3 Specify the name of the authorization-server group, if any, to use. When you configure this value, users must exist in the authorization database to connect:

hostname(config-tunnel-general)# authorization-server-group groupname
hostname(config-tunnel-general)# 

The name of the authorization server group can be up to 16 characters long. For example, the following command specifies the use of the authorization-server group FinGroup:

hostname(config-tunnel-general)# authorization-server-group FinGroup
hostname(config-tunnel-general)# 

Step 4 Specify the name of the accounting-server group, if any, to use:

hostname(config-tunnel-general)# accounting-server-group groupname
hostname(config-tunnel-general)# 

The name of the accounting server group can be up to 16 characters long. For example, the following command specifies the use of the accounting-server group named comptroller:

hostname(config-tunnel-general)# accounting-server-group comptroller
hostname(config-tunnel-general)# 

Step 5 Specify the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy policyname
hostname(config-tunnel-general)# 

The name of the group policy can be up to 64 characters long. The following example sets DfltGrpPolicy as the name of the default group policy:

hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy
hostname(config-tunnel-general)# 

Step 6 Specify the names or IP addresses of the DHCP servers (up to 10 servers), and the names of the DHCP address pools (up to 6 pools). The defaults are no DHCP server and no address pool.

hostname(config-tunnel-general)# dhcp-server server1 [...server10]
hostname(config-tunnel-general)# address-pool [(interface_name)] address_pool1 [...address_pool6]
hostname(config-tunnel-general)# 


Note If you specify an interface name, you must enclose it within parentheses.


You configure address pools with the ip local pool command in global configuration mode.

Step 7 Specify the attribute or attributes to use in deriving a name for an authorization query from a certificate. This attribute specifies what part of the subject DN field to use as the username for authorization:

hostname(config-tunnel-general)# username-from-certificate {primary-attribute [secondary-attribute] | use-entire-name}
hostname(config-tunnel-general)# 

For example, the following command specifies the use of the CN attribute as the username for authorization:

hostname(config-tunnel-general)# username-from-certificate CN
hostname(config-tunnel-general)# 

The authorization-dn-attributes are C (Country), CN (Common Name), DNQ (DN qualifier), EA (E-mail Address), GENQ (Generational qualifier), GN (Given Name), I (Initials), L (Locality), N (Name), O (Organization), OU (Organizational Unit), SER (Serial Number), SN (Surname), SP (State/Province), T (Title), UID (User ID), and UPN (User Principal Name).


Configuring IPsec Remote-Access Connection Profile IPsec Attributes

To configure the IPsec attributes for a remote-access connection profile, do the following steps. The following description assumes that you have already created the IPsec remote-access connection profile.

If you have a LAN-to-LAN configuration using IKE main mode, make sure that the two peers have the same IKE keepalive configuration. Both peers must have IKE keepalives enabled or both peers must have it disabled.


Note To reduce connectivity costs, disable IKE keepalives if this group includes any clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE keepalive mechanism prevents connections from idling and therefore from disconnecting.

If you do disable IKE keepalives, the client disconnects only when either its IKE or IPsec keys expire. Failed traffic does not disconnect the tunnel with the Peer Timeout Profile values as it does when IKE keepalives are enabled.


To configure the IPsec attributes for an IPsec connection profile, do the following steps:


Step 1 To specify the attributes of an IPsec remote-access connection profile, enter tunnel-group ipsec-attributes mode by entering the following command. The prompt changes to indicate the mode change:

hostname(config)# tunnel-group tunnel-group-name ipsec-attributes
hostname(config-tunnel-ipsec)# 

This command enters tunnel-group ipsec-attributes configuration mode, in which you configure the remote-access tunnel-group IPsec attributes.

For example, the following command designates that the tunnel-group ipsec-attributes mode commands that follow pertain to the connection profile named TG1. Notice that the prompt changes to indicate that you are now in tunnel-group ipsec-attributes mode:

hostname(config)# tunnel-group TG1 type remote-access
hostname(config)# tunnel-group TG1 ipsec-attributes
hostname(config-tunnel-ipsec)# 

Step 2 Specify the preshared key to support IKE connections based on preshared keys. For example, the following command specifies the preshared key xyzx to support IKE connections for an IPsec remote access connection profile:

hostname(config-tunnel-ipsec)# pre-shared-key xyzx
hostname(config-tunnel-ipsec)# 

Step 3 Specify whether to validate the identity of the peer using the peer's certificate:

hostname(config-tunnel-ipsec)# peer-id-validate option
hostname(config-tunnel-ipsec)# 

The available options are req (required), cert (if supported by certificate), and nocheck (do not check). The default is req.

For example, the following command specifies that peer-id validation is required:

hostname(config-tunnel-ipsec)# peer-id-validate req
hostname(config-tunnel-ipsec)# 

Step 4 Specify whether to enable sending of a certificate chain. The following command includes the root certificate and any subordinate CA certificates in the transmission:

hostname(config-tunnel-ipsec)# chain
hostname(config-tunnel-ipsec)# 

This attribute applies to all IPsec tunnel-group types.

Step 5 Specify the name of a trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-tunnel-ipsec)# trust-point trust-point-name
hostname(config-tunnel-ipsec)# 

The following command specifies mytrustpoint as the name of the trustpoint that identifies the certificate to be sent to the IKE peer:

hostname(config-tunnel-ipsec)# trust-point mytrustpoint
hostname(config-tunnel-ipsec)# 

Step 6 Specify the ISAKMP (IKE) keepalive threshold and the number of retries allowed.

hostname(config-tunnel-ipsec)# isakmp keepalive threshold <number> retry <number>
hostname(config-tunnel-ipsec)# 

The threshold parameter specifies the number of seconds (10 through 3600) that the peer is allowed to idle before beginning keepalive monitoring. The retry parameter is the interval (2 through 10 seconds) between retries after a keepalive response has not been received. IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command.

For example, the following command sets the IKE keepalive threshold value to 15 seconds and sets the retry interval to 10 seconds:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold 15 retry 10
hostname(config-tunnel-ipsec)# 

The default value for the threshold parameter is 300 for remote-access and 10 for LAN-to-LAN, and the default value for the retry parameter is 2.

To specify that the central site ("head end") should never initiate ISAKMP monitoring, enter the following command:

hostname(config-tunnel-ipsec)# isakmp keepalive threshold infinite
hostname(config-tunnel-ipsec)# 

Step 7 Specify the ISAKMP hybrid authentication method, XAUTH or hybrid XAUTH.

You use the isakmp ikev1-user-authentication command to implement hybrid XAUTH authentication when you need to use digital certificates for security appliance authentication and a different, legacy method for remote VPN user authentication, such as RADIUS, TACACS+ or SecurID. Hybrid XAUTH breaks phase 1 of IKE down into the following two steps, together called hybrid authentication:

a. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

b. An XAUTH exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.


Note Before the authentication type can be set to hybrid, you must configure the authentication server, create a preshared key, and configure a trustpoint.


You can use the isakmp ikev1-user-authentication command with the optional interface parameter to specify a particular interface. When you omit the interface parameter, the command applies to all the interfaces and serves as a back-up when the per-interface command is not specified. When there are two isakmp ikev1-user-authentication commands specified for a connection profile, and one uses the interface parameter and one does not, the one specifying the interface takes precedence for that particular interface.

For example, the following commands enable hybrid XAUTH on the inside interface for a connection profile called example-group:

hostname(config)# tunnel-group example-group type remote-access
hostname(config)# tunnel-group example-group ipsec-attributes
hostname(config-tunnel-ipsec)# isakmp ikev1-user-authentication (inside) hybrid
hostname(config-tunnel-ipsec)# 
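The general-attributes and ipsec-attributes procedures above state several constraints: peer-id-validate defaults to req, the keepalive threshold is 10 through 3600 seconds (or infinite, which means the head end never initiates monitoring), the retry interval is 2 through 10 seconds, and hybrid XAUTH requires an authentication server, a preshared key and a trustpoint. The following Python script, added here as an example and not Cisco's code, parses a tunnel-group configuration in the format shown on this page and reports remote-access profiles that violate those constraints. The configuration it checks is constructed for illustration; TunnelGroup1, WeakGroup, servergroup1, FinGroup, xyzx and mytrustpoint are placeholders.

```python
"""Audit remote-access tunnel-groups against the constraints given in the CLI
steps on this page. Added example, not Cisco's code; the configuration below is
constructed, and every name and key in it is a placeholder."""
import re
from collections import defaultdict

# Constructed sample: TunnelGroup1 follows the steps; WeakGroup does not.
SAMPLE_CONFIG = """\
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 authentication-server-group servergroup1 LOCAL
 authorization-server-group FinGroup
 default-group-policy DfltGrpPolicy
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key xyzx
 peer-id-validate req
 trust-point mytrustpoint
 isakmp keepalive threshold 15 retry 10
 isakmp ikev1-user-authentication (inside) hybrid
tunnel-group WeakGroup type remote-access
tunnel-group WeakGroup general-attributes
 authentication-server-group LOCAL
tunnel-group WeakGroup ipsec-attributes
 pre-shared-key xyzx
 peer-id-validate nocheck
 isakmp keepalive threshold infinite
 isakmp ikev1-user-authentication hybrid
"""

HEADER_RE = re.compile(
    r"^tunnel-group (\S+) (type|general-attributes|ipsec-attributes|"
    r"webvpn-attributes|ppp-attributes)\s*(.*)$")


def parse_tunnel_groups(text):
    """Return {group name: {section name: [attribute lines]}}.

    Section headers are unindented 'tunnel-group NAME SECTION' lines; the
    attribute lines that belong to a section are indented by one space.
    """
    groups = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        header = HEADER_RE.match(raw)
        if header:
            name, section, rest = header.groups()
            if section == "type":
                groups[name]["type"].append(rest.strip())
                current = None
            else:
                current = (name, section)
        elif current and raw.startswith(" "):
            name, section = current
            groups[name][section].append(raw.strip())
    return groups


def audit_group(name, sections):
    """Findings for one remote-access profile; other profile types are skipped."""
    findings = []
    if sections.get("type") != ["remote-access"]:
        return findings
    ipsec = sections.get("ipsec-attributes", [])
    general = sections.get("general-attributes", [])
    has_psk = any(l.startswith("pre-shared-key ") for l in ipsec)
    has_trustpoint = any(l.startswith("trust-point ") for l in ipsec)
    has_auth_server = any(l.startswith("authentication-server-group ") for l in general)
    for line in ipsec:
        parts = line.split()
        if parts[0] == "peer-id-validate" and parts[1] != "req":
            findings.append(f"{name}: peer-id-validate {parts[1]} (default is req)")
        elif parts[:3] == ["isakmp", "keepalive", "threshold"]:
            if parts[3] == "infinite":
                findings.append(f"{name}: head end never initiates IKE keepalive monitoring")
            else:
                if not 10 <= int(parts[3]) <= 3600:
                    findings.append(f"{name}: keepalive threshold {parts[3]} outside 10-3600")
                if len(parts) >= 6 and not 2 <= int(parts[5]) <= 10:
                    findings.append(f"{name}: keepalive retry {parts[5]} outside 2-10")
        elif parts[:2] == ["isakmp", "ikev1-user-authentication"] and parts[-1] == "hybrid":
            # The page requires all three before the type may be set to hybrid.
            needed = (("authentication-server-group", has_auth_server),
                      ("pre-shared-key", has_psk), ("trust-point", has_trustpoint))
            missing = [what for what, present in needed if not present]
            if missing:
                findings.append(f"{name}: hybrid XAUTH configured without {', '.join(missing)}")
    return findings


def audit_config(text):
    """Map every tunnel-group name in the configuration to its findings."""
    return {name: audit_group(name, sections)
            for name, sections in parse_tunnel_groups(text).items()}


if __name__ == "__main__":
    for group, findings in audit_config(SAMPLE_CONFIG).items():
        print(group, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against the output of show running-config all tunnel-group (saved to a file and passed to audit_config) to review every profile at once; the parser only needs the header-plus-indented-lines layout shown in the default configuration listing above.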


Configuring Client Software Update Using ASDM

The optional client update feature ensures acceptable Client revision levels. This feature lets administrators at a central location automatically notify VPN client users that it is time to update the VPN client software and the VPN 3002 hardware client image.

Remote users might be using outdated VPN software or hardware client versions. You can use the client-update feature to enable updating client revisions; specify the types and revision numbers of clients to which the update applies; provide a URL or IP address from which to get the update; and, in the case of Windows clients, optionally notify users that they should update their VPN client version. For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. This feature applies only to the IPsec remote-access tunnel-group type.

If the client is already running a software version that is at least as high as those included on the list of revision numbers, it does not need to update its software. If the client is not running a software version on the list (or a higher version), it should update.

The VPN Client commands list the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software. Specify the following fields to configure client update.

To configure the VPN Client software update feature, perform the following steps:


Step 1 Enable client update:

client-update enable

This command enables client update, both globally and for specific tunnel groups. You must enable client update before you can send a client update notification to Windows, MAC OS X, and Linux VPN clients, or initiate an automatic update to hardware clients.

Step 2 Specify the type of client update that you want to configure. Use the client-update command:

client-update type client-type url image-url revisions

where:

client-type lists the clients to upgrade: software or hardware, and for Windows software clients, all Windows or a subset. Possible values are:

Win9X—Includes Windows 95, Windows 98 and Windows ME platforms.

WinNT—Includes Windows NT 4.0, Windows 2000, Windows XP, and Windows Vista platforms.

Windows—Includes all Windows based platforms.

linux—Linux client.

Mac OS X—Mac OS X client.

solaris—Solaris client.

vpn3002—VPN3002 Hardware client.

If you specify Windows, do not specify Windows versions individually. The secure gateway sends a separate notification message for each entry in a client-update list; therefore, your client-update entries must not overlap. For example, the value "Windows" includes all Windows platforms, and the value "WinNT" includes Windows Vista, Windows XP, Windows 2000, and Windows NT 4.0, so you would not specify both "Windows" and "WinNT". To find out the client types and version information, click the lock icon at the top left corner of the Cisco Systems VPN Client main window and choose "About VPN Client".

The hardware client gets updated with a release of the ASA 5505 software or of the VPN 3002 hardware client.


Note If the client update feature has already been configured to support all Windows clients, you must remove that specification before specifying individual Windows client types.


image-url—Specifies the URL or IP address from which to download the software image. This URL must point to a file appropriate for this client. For Windows, MAC OS X, and Linux-based clients, the URL must be in the form: http:// or https://. For hardware clients, the URL must be in the form tftp://.

For Windows, MAC OS X, and Linux-based VPN clients: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe 

The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.

For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin 

revisions—Specifies a comma-separated list of software image revisions appropriate for this client. If the user's client revision number matches or is higher than one of the specified revision numbers, there is no need to update the client, and, for Windows-based clients, the user does not receive an update notification. The following caveats apply:

The revision list must include the software version for this update.

Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the hardware client.

The TFTP server for distributing the hardware client image must be a robust TFTP server.

A VPN client user must download an appropriate software version from the listed URL.

The VPN 3002 hardware client software is automatically updated via TFTP, with no notification to the user.
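The revision rule above (a client whose revision matches or exceeds any listed revision needs no update) and the caveats on the entries (no overlapping client types, http:// or https:// for software clients, tftp:// for the hardware client) can be checked before the client-update commands are entered. The following Python is an added example, not Cisco's code; the revision strings, URLs and entries it works on are constructed for illustration, and the dotted-numeric revision format it assumes is not taken from the page.

```python
"""Model of the client-update decision and entry validation described on this
page. Added example, not Cisco's code; every value below is constructed."""
from urllib.parse import urlparse

# Client types listed on the page, grouped by how the secure gateway updates them.
SOFTWARE_TYPES = {"win9x", "winnt", "windows", "linux", "mac os x", "solaris"}
HARDWARE_TYPES = {"vpn3002"}
# "windows" already covers these two, so they must not appear alongside it.
WINDOWS_SUBSETS = {"win9x", "winnt"}


def parse_revision(rev):
    """'4.6.04.0043' -> (4, 6, 4, 43). Assumed dotted-numeric format; any
    trailing non-numeric component (e.g. a build tag) is ignored."""
    fields = []
    for part in rev.strip().split("."):
        if not part.isdigit():
            break
        fields.append(int(part))
    if not fields:
        raise ValueError(f"revision has no numeric component: {rev!r}")
    return tuple(fields)


def needs_update(client_rev, revisions):
    """Page rule: matching or exceeding any listed revision means no update.
    'revisions' is the comma-separated list given to the client-update command."""
    client = parse_revision(client_rev)
    return not any(client >= parse_revision(r) for r in revisions.split(","))


def validate_entries(entries):
    """entries: list of (client_type, image_url, revisions) tuples, one per
    'client-update type ... url ... revisions' command. Returns problems found."""
    problems = []
    types = {ctype.lower() for ctype, _, _ in entries}
    if "windows" in types and WINDOWS_SUBSETS & types:
        problems.append("'Windows' overlaps with a Win9X/WinNT entry; clients would be notified twice")
    for ctype, url, revisions in entries:
        kind = ctype.lower()
        scheme = urlparse(url).scheme
        if kind in SOFTWARE_TYPES and scheme not in ("http", "https"):
            problems.append(f"{ctype}: software clients need an http:// or https:// URL, got {url}")
        elif kind in HARDWARE_TYPES and scheme != "tftp":
            problems.append(f"{ctype}: the hardware client needs a tftp:// URL, got {url}")
        elif kind not in SOFTWARE_TYPES | HARDWARE_TYPES:
            problems.append(f"{ctype}: unknown client type")
        for rev in revisions.split(","):
            try:
                parse_revision(rev)
            except ValueError as exc:
                problems.append(f"{ctype}: {exc}")
    return problems


# Constructed entries: the first set is consistent, the second breaks two caveats.
GOOD_ENTRIES = [
    ("Windows", "http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe", "4.6.04.0043,5.0.00.0340"),
    ("vpn3002", "tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin", "4.1.7.A"),
]
BAD_ENTRIES = [
    ("Windows", "http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe", "4.6.04.0043"),
    ("WinNT", "http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe", "4.6.04.0043"),
    ("vpn3002", "http://10.1.1.1/vpn3002-4.1.Rel-k9.bin", "4.1.7.A"),
]

if __name__ == "__main__":
    for client in ("4.0.4.0021", "4.8.01.0640", "5.0.00.0340"):
        print(client, "update" if needs_update(client, GOOD_ENTRIES[0][2]) else "current")
    print(validate_entries(GOOD_ENTRIES) or "good entries: no problems")
    for problem in validate_entries(BAD_ENTRIES):
        print("-", problem)
```

The version comparison is tuple-wise, so 4.8.01.0640 counts as newer than 4.6.04.0043 even though it is older than the other listed revision; that matches the page's rule that exceeding any one entry is enough.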


Configuring Group Policies

A group policy is a set of user-oriented attribute/value pairs for IPsec connections that are stored either internally (locally) on the device or externally on a RADIUS server. The connection profile uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user.

Enter the group-policy commands in global configuration mode to assign a group policy to users or to modify a group policy for specific users.

The security appliance includes a default group policy. In addition to the default group policy, which you can modify but not delete, you can create one or more group policies specific to your environment.

You can configure internal and external group policies. Internal groups are configured on the security appliance's internal database. External groups are configured on an external authentication server, such as RADIUS. Group policies include the following attributes:

Identity

Server definitions

Client firewall settings

Tunneling protocols

IPsec settings

Hardware client settings

Filters

Client configuration settings

Connection settings

Only a subset of group-policy parameters pertain specifically to the VPN Client. This section focuses only on the commands you use to configure those parameters on the security appliance. For a complete description of configuring group policies for the security appliance, see Cisco Security Appliance Command Line Configuration Guide.

Default Group Policy

The security appliance supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named DfltGrpPolicy, always exists on the security appliance, but this default group policy does not take effect unless you configure the security appliance to use it. When you configure other group policies, any attribute that you do not explicitly specify takes its value from the default group policy. To view the default group policy, enter the following command:

hostname(config)# show running-config all group-policy DfltGrpPolicy
hostname(config)# 

To configure the default group policy, enter the following command:

hostname(config)# group-policy DfltGrpPolicy internal
hostname(config)# 


Note The default group policy is always internal. Despite the fact that the command syntax is hostname(config)# group-policy DfltGrpPolicy {internal | external}, you cannot change its type to external.


To change any of the attributes of the default group policy, use the group-policy attributes command to enter attributes mode, then specify the commands to change whatever attributes that you want to modify:

hostname(config)# group-policy DfltGrpPolicy attributes


Note The attributes mode applies only to internal group policies.


The default group policy, DfltGrpPolicy, that the security appliance provides is as follows:

group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec svc webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 vlan none
 nac-settings none
 address-pools none
 ipv6-address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  url-list value Engineering
  filter none
  homepage none
  html-content-filter none
  port-forward name Application Access
  port-forward disable 
  mapi disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive 20
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression deflate
  svc modules none
  svc profiles none
  svc ask none
  ike-retry-timeout 10
  ike-retry-count 3
  customization none
  keep-alive-ignore 4
  http-comp gzip
  download-max-size 2147483647
  upload-max-size 2147483647
  post-max-size 2147483647
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  unix-auth-uid 65534
  unix-auth-gid 65534
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met 
or due to some specific group policy, you do not have permission to use any of the VPN 
features. Contact your IT administrator for more information
hostname(config)# 

You can modify the default group policy, and you can also create one or more group policies specific to your environment.

Configuring Group Policies

A group policy can apply to any kind of tunnel. In each case, if you do not explicitly define a parameter, the group takes the value from the default group policy. To configure a group policy, follow the steps in the subsequent sections.

Configuring an Internal Group Policy

To configure an internal group policy, specify a name and type for the group policy:

hostname(config)# group-policy group_policy_name type
hostname(config)# 

For example, the following command creates the internal group policy named GroupPolicy1:

hostname(config)# group-policy GroupPolicy1 internal
hostname(config)# 

The default type is internal.

You can initialize the attributes of an internal group policy to the values of a preexisting group policy by appending the keyword from and specifying the name of the existing policy:

hostname(config)# group-policy group_policy_name internal from group_policy_name
hostname(config-group-policy)# 

Configuring Group Policy Attributes

For internal group policies, you can specify particular attribute values. To begin, enter group-policy attributes mode, by entering the group-policy attributes command in global configuration mode.

hostname(config)# group-policy name attributes
hostname(config-group-policy)# 

The prompt changes to indicate the mode change. The group-policy-attributes mode lets you configure attribute-value pairs for a specified group policy. In group-policy-attributes mode, explicitly configure the attribute-value pairs that you do not want to inherit from the default group. The commands to do this are described in the following sections.

Configuring VPN-Specific Attributes

Follow the steps in this section to set the VPN attribute values. The VPN attributes control the access hours, the number of simultaneous logins allowed, the timeouts, the egress VLAN or ACL to apply to VPN sessions, and the tunnel protocol:


Step 1 Set the VPN access hours. To do this, you associate a group policy with a configured time-range policy, using the vpn-access-hours command in group-policy configuration mode.

hostname(config-group-policy)# vpn-access-hours value {time-range | none}

A group policy can inherit a time-range value from a default or specified group policy. To prevent this inheritance, enter the none keyword instead of the name of a time-range in this command. This keyword sets VPN access hours to a null value, which allows no time-range policy.

The time-range variable is the name of a set of access hours defined in global configuration mode using the time-range command. The following example shows how to associate the group policy named FirstGroup with a time-range policy called 824:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-access-hours value 824

Step 2 Specify the number of simultaneous logins allowed for any user, using the vpn-simultaneous-logins command in group-policy configuration mode.

hostname(config-group-policy)# vpn-simultaneous-logins integer

The default value is 3. The value is an integer in the range 0 through 2147483647. A group policy can inherit this value from another group policy. Enter 0 to disable login and prevent user access. The following example shows how to allow a maximum of 4 simultaneous logins for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-simultaneous-logins 4
hostname(config-group-policy)# 


Note While the maximum limit for the number of simultaneous logins is very large, allowing several simultaneous logins could compromise security and affect performance.


Stale AnyConnect, IPsec Client, or Clientless sessions (sessions that are terminated abnormally) might remain in the session database, even though a "new" session has been established with the same username.

If the value of vpn-simultaneous-logins is 1, and the same user logs in again after an abnormal termination, then the stale session is removed from the database and the new session is established. If, however, the existing session is still an active connection and the same user logs in again, perhaps from another PC, the first session is logged off and removed from the database, and the new session is established.

If the number of simultaneous logins is a value greater than 1, then, when you have reached that maximum number and try to log in again, the session with the longest idle time is logged off. If all current sessions have been idle an equally long time, then the oldest session is logged off. This action frees up a session and allows the new login.
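The following Python simulation is an added example, not code from the Cisco guide, that models the login-admission rules just described: a limit of 0 refuses access, a limit of 1 replaces whatever session (stale or active) the user already has, and a larger limit evicts the session with the longest idle time, breaking ties by evicting the oldest session. The session table and the field names are constructed for the example; the appliance's real session database is not exposed in this form.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    username: str
    session_id: int    # assigned in login order, so a lower id is an older session
    idle_seconds: int  # time since the last traffic; a stale (abnormally terminated)
                       # session simply keeps accumulating idle time


def select_eviction(user_sessions: List[Session], max_logins: int) -> Optional[Session]:
    """Pick the session that must be logged off before one more login for this
    user can be admitted, or None if the user is still under the limit.
    Rule from the guide: longest idle time first; on a tie, the oldest session."""
    if max_logins < 1:
        raise ValueError("a limit of 0 disables login; reject before trying to evict")
    if len(user_sessions) < max_logins:
        return None
    # max() over (idle time, -id): highest idle wins, and among equal idle
    # times the lowest id (oldest session) wins.
    return max(user_sessions, key=lambda s: (s.idle_seconds, -s.session_id))


def admit_login(table: List[Session], username: str,
                max_logins: int) -> Tuple[List[Session], Optional[Session], bool]:
    """Simulate one new login against the session database.
    Returns (updated table, evicted session or None, whether the login was admitted)."""
    if max_logins == 0:
        return list(table), None, False  # vpn-simultaneous-logins 0: no access at all
    mine = [s for s in table if s.username == username]
    evicted = select_eviction(mine, max_logins)
    next_id = max((s.session_id for s in table), default=0) + 1
    updated = [s for s in table if s is not evicted]
    updated.append(Session(username, next_id, 0))
    return updated, evicted, True


if __name__ == "__main__":
    # Constructed session table: alice holds two equally idle sessions, bob one.
    db = [Session("alice", 1, 600), Session("alice", 2, 600), Session("bob", 3, 5)]
    db, gone, admitted = admit_login(db, "alice", max_logins=2)
    print("admitted:", admitted, "evicted:", gone)  # evicts id 1, the older of the tie
```

With the limit set to 1 the same function evicts the user's only existing session whether it is stale or active, which is the behaviour the guide describes for that setting.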

Step 3 Configure the user timeout period by entering the vpn-idle-timeout command in group-policy configuration mode or in username configuration mode:

hostname(config-group-policy)# vpn-idle-timeout {minutes | none}
hostname(config-group-policy)# 

The minimum time is 1 minute, and the maximum time is 35791394 minutes. The default is 30 minutes. If there is no communication activity on the connection in this period, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. The none keyword specifies that this connection uses the global WebVPN idle timeout period specified in the global WebVPN default-idle-timeout command. It sets the idle timeout to a null value, thereby disallowing an idle timeout.

The following example shows how to set a VPN idle timeout of 15 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-idle-timeout 15
hostname(config-group-policy)# 

Step 4 Configure a maximum amount of time for VPN connections, using the vpn-session-timeout command in group-policy configuration mode or in username configuration mode.

hostname(config-group-policy)# vpn-session-timeout {minutes | none}
hostname(config-group-policy)# 

The minimum time is 1 minute, and the maximum time is 35791394 minutes. There is no default value. At the end of this period of time, the security appliance terminates the connection.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a number of minutes with this command. Specifying the none keyword permits an unlimited session timeout period and sets session timeout with a null value, which disallows a session timeout.

The following example shows how to set a VPN session timeout of 180 minutes for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-session-timeout 180
hostname(config-group-policy)# 

Step 5 Specify the VPN connection policy for this group policy. For an IPsec connection, specify ipsec.

hostname(config-group-policy)# vpn-tunnel-protocol {webvpn | ipsec | l2tp-ipsec}
hostname(config-group-policy)# 

The default is ipsec. To remove the attribute from the running configuration, enter the no form of this command.

hostname(config-group-policy)# no vpn-tunnel-protocol [webvpn | ipsec | l2tp-ipsec]
hostname(config-group-policy)# 

The parameter values for this command follow:

ipsec—Negotiates an IPsec tunnel between two peers (a remote access client or another secure gateway). Creates security associations that govern authentication, encryption, encapsulation, and key management.

webvpn—Provides VPN services to remote users via an HTTPS-enabled web browser, and does not require a client.

l2tp-ipsec—Negotiates an IPsec tunnel for an L2TP connection.

Enter this command to configure one or more tunneling modes. You must configure at least one tunneling mode for users to connect over a VPN tunnel.

The following example shows how to configure the IPsec tunneling mode for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol ipsec
hostname(config-group-policy)# 


Configuring Security Attributes

The attributes in this section specify certain security settings for the group. We recommend accepting the default values for these parameters unless you have a good reason for changing them:


Step 1 Specify whether to let users store their login passwords on the client system, using the password-storage command with the enable keyword in group-policy configuration mode. To disable password storage, use the password-storage command with the disable keyword.

hostname(config-group-policy)# password-storage {enable | disable}
hostname(config-group-policy)# 

For security reasons, password storage is disabled by default. Enable password storage only on systems that you know to be in secure sites.

To remove the password-storage attribute from the running configuration, enter the no form of this command:

hostname(config-group-policy)# no password-storage
hostname(config-group-policy)# 

Specifying the no form enables inheritance of a value for password-storage from another group policy.

This command does not apply to interactive hardware client authentication or individual user authentication for hardware clients.

The following example shows how to enable password storage for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# password-storage enable
hostname(config-group-policy)# 

Step 2 Specify whether to enable IP compression, which is disabled by default.

hostname(config-group-policy)# ip-comp {enable | disable}
hostname(config-group-policy)# 

To enable LZS IP compression, enter the ip-comp command with the enable keyword in group-policy configuration mode. To disable IP compression, enter the ip-comp command with the disable keyword.

To remove the ip-comp attribute from the running configuration, enter the no form of this command. This enables inheritance of a value from another group policy.

hostname(config-group-policy)# no ip-comp
hostname(config-group-policy)# 

Enabling data compression might speed up data transmission rates for remote dial-in users connecting with modems.


Caution Data compression increases the memory requirement and CPU usage for each user session and consequently decreases the overall throughput of the security appliance. For this reason, we recommend that you enable data compression only for remote users connecting with a modem. Design a group policy specific to modem users, and enable compression only for them.

Step 3 Specify whether to require that users reauthenticate on IKE rekey by using the re-xauth command with the enable keyword in group-policy configuration mode. If you enable reauthentication on IKE rekey, the security appliance prompts the user to enter a username and password during initial Phase 1 IKE negotiation and also prompts for user authentication whenever an IKE rekey occurs. Reauthentication provides additional security.

If the configured rekey interval is very short, users might find the repeated authorization requests inconvenient. To avoid repeated authorization requests, disable reauthentication. To check the configured rekey interval, in monitoring mode, enter the show crypto ipsec sa command to view the security association lifetime in seconds and lifetime in kilobytes of data. To disable user reauthentication on IKE rekey, enter the disable keyword. Reauthentication on IKE rekey is disabled by default.

hostname(config-group-policy)# re-xauth {enable | disable}
hostname(config-group-policy)# 

To enable inheritance of a value for reauthentication on IKE rekey from another group policy, remove the re-xauth attribute from the running configuration by entering the no form of this command.

hostname(config-group-policy)# no re-xauth
hostname(config-group-policy)# 


Note Reauthentication fails if there is no user at the other end of the connection.


Step 4 Specify whether to restrict remote users to access only through the connection profile, using the group-lock command in group-policy configuration mode.

hostname(config-group-policy)# group-lock {value tunnel-grp-name | none}
hostname(config-group-policy)# no group-lock
hostname(config-group-policy)# 

The tunnel-grp-name variable specifies the name of an existing connection profile that the security appliance requires for the user to connect. Group-lock restricts users by checking if the group configured in the VPN client is the same as the connection profile to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not configure group-lock, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default.

To remove the group-lock attribute from the running configuration, enter the no form of this command. This option allows inheritance of a value from another group policy.

To disable group-lock, enter the group-lock command with the none keyword. The none keyword sets group-lock to a null value, thereby allowing no group-lock restriction. It also prevents inheriting a group-lock value from a default or specified group policy.

Step 5 Specify whether to enable perfect forward secrecy. In IPsec negotiations, perfect forward secrecy ensures that each new cryptographic key is unrelated to any previous key. A group policy can inherit a value for perfect forward secrecy from another group policy. Perfect forward secrecy is disabled by default. To enable perfect forward secrecy, use the pfs command with the enable keyword in group-policy configuration mode.

hostname(config-group-policy)# pfs {enable | disable}
hostname(config-group-policy)# 

To disable perfect forward secrecy, enter the pfs command with the disable keyword.

To remove the perfect forward secrecy attribute from the running configuration and prevent inheriting a value, enter the no form of this command.

hostname(config-group-policy)# no pfs 
hostname(config-group-policy)# 
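The following Python script is an added example, not part of the Cisco guide, showing how an administrator can review the security attributes from this section and the VPN-specific attributes from the previous one across every group policy at once. It parses a constructed sample of show running-config all group-policy output (the policy names and values below are invented for the example) and resolves each attribute the way the appliance does: a policy's own value if it sets one, otherwise the value inherited from DfltGrpPolicy. The severity labels and the simultaneous-login threshold are the example's own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (policy name, severity, message)

# Constructed sample of 'show running-config all group-policy' output.
# Policy names and values are invented for this example.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 password-storage disable
 re-xauth disable
 pfs disable
 group-lock none
 split-tunnel-policy tunnelall
 webvpn
  svc dtls enable
group-policy ModemUsers internal
group-policy ModemUsers attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 password-storage enable
 ip-comp enable
 pfs enable
 split-tunnel-policy excludespecified
group-policy Contractors internal
group-policy Contractors attributes
 banner value Authorized use only
"""


def parse_group_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Collect the attribute/value pairs under each 'group-policy NAME attributes' block.
    Lines indented by two spaces belong to the webvpn sub-mode and are skipped."""
    policies: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", raw)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if raw.startswith("  ") or not raw.startswith(" ") or current is None:
            continue
        key, _, value = raw.strip().partition(" ")
        current[key] = value
    return policies


def effective(policies: Dict[str, Dict[str, str]], name: str, attr: str) -> Optional[str]:
    """Resolve an attribute as the appliance does: the policy's own value if set,
    otherwise the value inherited from DfltGrpPolicy."""
    own = policies.get(name, {}).get(attr)
    return own if own is not None else policies.get("DfltGrpPolicy", {}).get(attr)


def audit(policies: Dict[str, Dict[str, str]], max_simultaneous: int = 3) -> List[Finding]:
    """Flag settings that weaken the defaults recommended in the guide."""
    findings: List[Finding] = []
    for name in policies:
        if effective(policies, name, "password-storage") == "enable":
            findings.append((name, "high",
                             "password-storage enable lets clients cache login passwords"))
        if effective(policies, name, "pfs") != "enable":
            findings.append((name, "medium",
                             "pfs disabled: new IPsec keys are not independent of earlier ones"))
        stp = effective(policies, name, "split-tunnel-policy")
        if stp and stp != "tunnelall":
            findings.append((name, "medium",
                             f"split-tunnel-policy {stp}: client traffic can bypass the tunnel"))
        logins = effective(policies, name, "vpn-simultaneous-logins")
        if logins is not None and int(logins) > max_simultaneous:
            findings.append((name, "low",
                             f"vpn-simultaneous-logins {logins} exceeds {max_simultaneous}"))
        if effective(policies, name, "vpn-idle-timeout") == "none":
            findings.append((name, "low", "vpn-idle-timeout none: no group-level idle timeout"))
    return findings


if __name__ == "__main__":
    for policy, severity, message in audit(parse_group_policies(SAMPLE_CONFIG)):
        print(f"{severity:6} {policy:14} {message}")
```

Running it against the sample flags the inherited pfs disable on Contractors even though that policy sets nothing itself, which is the inheritance behaviour the guide describes; run it against a real show running-config all group-policy capture to review a live appliance.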


Configuring the Banner Message

Specify the banner, or welcome message, if any, that you want to display. The default is no banner. The message that you specify is displayed on remote clients when they connect. To specify a banner, enter the banner command in group-policy configuration mode. The banner text can be up to 510 characters long. Enter the "\n" sequence to insert a carriage return.


Note A carriage-return/line-feed included in the banner counts as two characters.


To delete a banner, enter the no form of this command. Be aware that using the no version of the command deletes all banners for the group policy.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the none keyword instead of specifying a value for the banner string, as follows:

hostname(config-group-policy)# banner {value banner_string | none}

The following example shows how to create a banner for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# banner value Welcome to Cisco Systems 7.0.

Configuring IPsec-UDP Attributes

IPsec over UDP, sometimes called IPsec through NAT, lets a Cisco VPN client or hardware client connect via UDP to a security appliance that is running NAT. It is disabled by default. IPsec over UDP is proprietary; it applies only to remote-access connections, and it requires mode configuration. The security appliance exchanges configuration parameters with the client while negotiating SAs. Using IPsec over UDP may slightly degrade system performance.

To enable IPsec over UDP, configure the ipsec-udp command with the enable keyword in group-policy configuration mode, as follows:

hostname(config-group-policy)# ipsec-udp {enable | disable}
hostname(config-group-policy)# no ipsec-udp

To use IPsec over UDP, you must also configure the ipsec-udp-port command, as described below.

To disable IPsec over UDP, enter the disable keyword. To remove the IPsec over UDP attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for IPsec over UDP from another group policy.

The Cisco VPN client must also be configured to use IPsec over UDP (it is configured to use it by default). The VPN 3002 requires no configuration to use IPsec over UDP.

The following example shows how to set IPsec over UDP for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp enable

If you enabled IPsec over UDP, you must also configure the ipsec-udp-port command in group-policy configuration mode. This command sets a UDP port number for IPsec over UDP. In IPsec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. The port numbers can range from 4001 through 49151. The default port value is 10000.

To disable the UDP port, enter the no form of this command. This enables inheritance of a value for the IPsec over UDP port from another group policy.

hostname(config-group-policy)# ipsec-udp-port port 

The following example shows how to set an IPsec UDP port to port 4025 for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp-port 4025

Configuring Split-Tunneling Attributes

Split tunneling lets a remote-access IPsec client conditionally direct packets over an IPsec tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the IPsec tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy to a specific network.

Setting the Split-Tunneling Policy

Set the rules for tunneling traffic by specifying the split-tunneling policy:

hostname(config-group-policy)# split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
hostname(config-group-policy)# no split-tunnel-policy

The default is to tunnel all traffic. To set a split tunneling policy, enter the split-tunnel-policy command in group-policy configuration mode. To remove the split-tunnel-policy attribute from the running configuration, enter the no form of this command. This enables inheritance of a value for split tunneling from another group policy.

The excludespecified keyword defines a list of networks to which traffic goes in the clear. This feature is useful for remote users who want to access devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This option applies only to the Cisco VPN client. Configure the ACL using one of the following three methods:

0.0.0.0/0.0.0.0 (Any)—The client learns the local network from the local adapter and routes the local network traffic through the local adapter while sending all other traffic through the VPN tunnel.

0.0.0.0/255.255.255.255 (host 0.0.0.0)—The client routes the local network traffic through the local adapter and all other traffic through the VPN tunnel.

10.0.0.0/0.255.255.255—The client routes traffic for the 10.0.0.0/8 network through the local adapter and all other traffic through the VPN tunnel.

The tunnelall keyword specifies that no traffic goes in the clear or to any other destination than the security appliance. This, in effect, disables split tunneling. Remote users reach Internet networks through the corporate network and do not have access to local networks. This is the default option.

The tunnelspecified keyword tunnels all traffic from or to the specified networks. This option enables split tunneling. It lets you create a network list of addresses to tunnel. Data to all other addresses travels in the clear and is routed by the remote user's Internet service provider.


Note Split tunneling is primarily a traffic management feature, not a security feature. For optimum security, we recommend that you do not enable split tunneling.


The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-policy tunnelspecified 

Creating a Network List for Split-Tunneling

Create a network list for split tunneling using the split-tunnel-network-list command in group-policy configuration mode.

hostname(config-group-policy)# split-tunnel-network-list {value access-list_name | none}
hostname(config-group-policy)# no split-tunnel-network-list value [access-list_name]

Split tunneling network lists distinguish networks that require traffic to travel across the tunnel from those that do not require tunneling. The security appliance makes split tunneling decisions on the basis of a network list, which is an ACL that consists of a list of addresses on the private network. Only standard-type ACLs are allowed.

The value access-list name parameter identifies an access list that enumerates the networks to tunnel or not tunnel.

The none keyword indicates that there is no network list for split tunneling; the security appliance tunnels all traffic. Specifying the none keyword sets a split tunneling network list with a null value, thereby disallowing split tunneling. It also prevents inheriting a default split tunneling network list from a default or specified group policy.

To delete a network list, enter the no form of this command. To delete all split tunneling network lists, enter the no split-tunnel-network-list command without arguments. This command deletes all configured network lists, including a null list if you created one by entering the none keyword.

When there are no split tunneling network lists, users inherit any network lists that exist in the default or specified group policy. To prevent users from inheriting such network lists, enter the split-tunnel-network-list none command.

The following example shows how to set a network list called FirstList for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-tunnel-network-list value FirstList
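The following Python model is an added example, not code from the Cisco guide or the VPN client, that shows how the three split-tunnel-policy keywords and a split-tunnel network list together decide whether a packet is encrypted into the tunnel or sent in the clear. It uses Python's ipaddress module, which accepts the mask of an ACL entry either as a contiguous subnet mask or as a wildcard mask, so all three entry forms shown above for excludespecified parse as the guide describes them. The local_lan parameter is the example's own way of modelling the 0.0.0.0 entries, for which the client learns the local subnet from its adapter; the sample addresses are constructed.

```python
import ipaddress
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
_ANY = ipaddress.IPv4Address("0.0.0.0")


def parse_network_list(entries: List[str]) -> List[IPv4Net]:
    """Parse standard-ACL entries of the form network/mask into networks.
    ipaddress tries the mask as a subnet mask first and as a wildcard mask
    second, so '10.0.0.0/0.255.255.255' becomes 10.0.0.0/8, '0.0.0.0/0.0.0.0'
    becomes 0.0.0.0/0 and '0.0.0.0/255.255.255.255' becomes host 0.0.0.0/32."""
    return [IPv4Net(entry, strict=False) for entry in entries]


def _is_local_lan_marker(net: IPv4Net) -> bool:
    """The two 0.0.0.0 forms under excludespecified mean 'the client's local subnet'."""
    return net.network_address == _ANY and net.prefixlen in (0, 32)


def decide(policy: str, network_list: List[IPv4Net], destination: str,
           local_lan: Optional[IPv4Net] = None) -> str:
    """Return 'tunnel' or 'clear' for one destination under the given policy."""
    dst = ipaddress.IPv4Address(destination)
    if policy == "tunnelall":
        return "tunnel"                     # default: nothing goes in the clear
    if policy == "tunnelspecified":
        return "tunnel" if any(dst in n for n in network_list) else "clear"
    if policy == "excludespecified":
        for net in network_list:
            if _is_local_lan_marker(net):
                # local_lan stands in for the subnet the client learns from its adapter
                if local_lan is not None and dst in local_lan:
                    return "clear"
            elif dst in net:
                return "clear"
        return "tunnel"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: exclude the local LAN and 10/8, as in the guide's examples.
    acl = parse_network_list(["0.0.0.0/0.0.0.0", "10.0.0.0/0.255.255.255"])
    lan = parse_network_list(["192.168.1.0/255.255.255.0"])[0]
    for dst in ("192.168.1.50", "10.2.3.4", "8.8.8.8"):
        print(dst, "->", decide("excludespecified", acl, dst, lan))
```

Only tunnelall gives the answer "tunnel" for every destination; with either of the other two keywords some traffic leaves the host unencrypted, which is why the Note above recommends leaving split tunneling disabled where security is the priority.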

Configuring Domain Attributes for Tunneling

You can specify a default domain name for tunneled packets or a list of domains to be resolved through the split tunnel. The following sections describe how to set these domains.

Defining a Default Domain Name for Tunneled Packets

The security appliance passes the default domain name to the IPsec client to append to DNS queries that omit the domain field. When there are no default domain names, users inherit the default domain name in the default group policy. To specify the default domain name for users of the group policy, enter the default-domain command in group-policy configuration mode. To delete a domain name, enter the no form of this command.

hostname(config-group-policy)# default-domain {value domain-name | none}
hostname(config-group-policy)# no default-domain [domain-name]

The value domain-name parameter identifies the default domain name for the group. To specify that there is no default domain name, enter the none keyword. This command sets a default domain name with a null value, which disallows a default domain name and prevents inheriting a default domain name from a default or specified group policy.

To delete all default domain names, enter the no default-domain command without arguments. This command deletes all configured default domain names, including a null list if you created one by entering the default-domain command with the none keyword. The no form allows inheriting a domain name.

The following example shows how to set a default domain name of FirstDomain for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# default-domain value FirstDomain

Defining a List of Domains for Split Tunneling

Enter a list of domains to be resolved through the split tunnel. Enter the split-dns command in group-policy configuration mode. To delete a list, enter the no form of this command.

When there are no split tunneling domain lists, users inherit any that exist in the default group policy. To prevent users from inheriting such split tunneling domain lists, enter the split-dns command with the none keyword.

To delete all split tunneling domain lists, enter the no split-dns command without arguments. This deletes all configured split tunneling domain lists, including a null list created by issuing the split-dns command with the none keyword.

The parameter value domain-name provides a domain name that the security appliance resolves through the split tunnel. The none keyword indicates that there is no split DNS list. It also sets a split DNS list with a null value, thereby disallowing a split DNS list, and prevents inheriting a split DNS list from a default or specified group policy. The syntax of the command is as follows:

hostname(config-group-policy)# split-dns {value domain-name1 [domain-name2... domain-nameN] | none}
hostname(config-group-policy)# no split-dns [domain-name1 domain-name2... domain-nameN]

Enter a single space to separate each entry in the list of domains. There is no limit on the number of entries, but the entire string can be no longer than 255 characters. You can use only alphanumeric characters, hyphens (-), and periods (.). If the default domain name is to be resolved through the tunnel, you must explicitly include that name in this list.

The following example shows how to configure the domains Domain1, Domain2, Domain3, and Domain4 to be resolved through split tunneling for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# split-dns value Domain1 Domain2 Domain3 Domain4
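The following Python functions are an added example, not code from the Cisco guide or the VPN client, that model how the default-domain and split-dns attributes interact on the client: a query that omits the domain field is qualified with the default domain, and the resulting name is resolved through the tunnel only if it falls under a domain in the split-dns list. The example also applies the limits stated above for the split-dns string. It shows the caveat that the default domain must be listed explicitly; the names FirstDomain, Domain1 and Domain2 are the guide's, the query names are constructed.

```python
import re
from typing import List, Optional, Tuple

MAX_SPLIT_DNS_CHARS = 255                     # limit on the whole split-dns string
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+$")  # only alphanumerics, hyphens and periods


def validate_split_dns(domains: List[str]) -> List[str]:
    """Apply the guide's limits to a split-dns list and normalise it for matching."""
    joined = " ".join(domains)
    if len(joined) > MAX_SPLIT_DNS_CHARS:
        raise ValueError(f"split-dns string is {len(joined)} characters; "
                         f"limit is {MAX_SPLIT_DNS_CHARS}")
    for domain in domains:
        if not _DOMAIN_RE.match(domain):
            raise ValueError(f"invalid split-dns entry {domain!r}")
    return [d.lower().strip(".") for d in domains]


def qualify(name: str, default_domain: Optional[str]) -> str:
    """Append the default domain to a query that omits the domain field (a bare label)."""
    name = name.rstrip(".")
    if "." not in name and default_domain:
        return f"{name}.{default_domain}"
    return name


def _in_domain(fqdn: str, domain: str) -> bool:
    """True if fqdn is the domain itself or a name beneath it (case-insensitive)."""
    fqdn = fqdn.lower().rstrip(".")
    return fqdn == domain or fqdn.endswith("." + domain)


def resolver_for(name: str, default_domain: Optional[str],
                 split_dns: List[str]) -> Tuple[str, str]:
    """Return (qualified name, 'tunnel' or 'local'): the resolver the query goes to."""
    fqdn = qualify(name, default_domain)
    if any(_in_domain(fqdn, d) for d in validate_split_dns(split_dns)):
        return fqdn, "tunnel"
    return fqdn, "local"


if __name__ == "__main__":
    # Constructed queries: 'intranet' only reaches the tunnel resolver once the
    # default domain is itself in the split-dns list.
    print(resolver_for("intranet", "FirstDomain", ["Domain1", "Domain2"]))
    print(resolver_for("intranet", "FirstDomain", ["Domain1", "Domain2", "FirstDomain"]))
```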

Configuring DHCP Intercept

A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to between 27 and 40, depending on the classes of the routes.

DHCP Intercept lets Microsoft Windows XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to Windows XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.

The intercept-dhcp command enables or disables DHCP intercept. The syntax of this command is as follows:

hostname(config-group-policy)# intercept-dhcp [netmask] {enable | disable}
hostname(config-group-policy)# no intercept-dhcp
hostname(config-group-policy)#

The netmask variable provides the subnet mask for the tunnel IP address. The no version of the command removes the DHCP intercept from the configuration.

The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp enable

Configuring Backup Server Attributes

Configure backup servers if you plan on using them. IPsec backup servers let a VPN client connect to the central site when the primary secure gateway is unavailable. When you configure backup servers, the security appliance pushes the server list to the client as the IPsec tunnel is established. Backup servers do not exist until you configure them, either on the client or on the primary secure gateway.

Configure backup servers either on the client or on the primary secure gateway. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured.


Note If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS and WINS information from the hardware client via DHCP, and the connection to the primary server is lost, and the backup servers have different DNS and WINS information, clients cannot be updated until the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant delays can occur.


To configure backup servers, enter the backup-servers command in group-policy configuration mode:

hostname(config-group-policy)# backup-servers {server1 server2 ... server10 | clear-client-config | keep-client-config}

To remove a backup server, enter the no form of this command with the backup server specified. To remove the backup-servers attribute from the running configuration and enable inheritance of a value for backup-servers from another group policy, enter the no form of this command without arguments.

hostname(config-group-policy)# no backup-servers [server1 server2 ... server10 | clear-client-config | keep-client-config]

The clear-client-config keyword specifies that the client uses no backup servers. The security appliance pushes a null server list.

The keep-client-config keyword specifies that the security appliance sends no backup server information to the client. The client uses its own backup server list, if configured. This is the default.

The server1 server2 ... server10 parameter list is a space-delimited, priority-ordered list of servers for the VPN client to use when the primary security appliance is unavailable. This list identifies servers by IP address or hostname. The list can be up to 500 characters long, and it can contain up to 10 entries.

The following example shows how to configure backup servers with IP addresses 10.10.10.1 and 192.168.10.14, for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# backup-servers 10.10.10.1 192.168.10.14

Configuring Address Pools

Configure a list of address pools for allocating addresses to remote clients by entering the address-pools command in group-policy attributes configuration mode:

hostname(config-group-policy)# address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#

The address-pools settings in this command override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation.

The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this command.

To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command:

hostname(config-group-policy)# no address-pools value address_pool1 [...address_pool6] 
hostname(config-group-policy)#

The command address-pools none disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy:

hostname(config-group-policy)# address-pools none
hostname(config-group-policy)#

The command no address-pools none removes the address-pools none command from the configuration, restoring the default value, which is to allow inheritance.

hostname(config-group-policy)# no address-pools none

hostname(config-group-policy)#

The syntax elements of this command are as follows:

address_pool—Specifies the name of the address pool configured with the ip local pool command. You can specify up to 6 local address pools.

none—Specifies that no address pools are configured and disables inheritance from other sources of group policy.

value—Specifies a list of up to 6 address pools from which to assign addresses.

The following example, entered in global configuration mode and then in group-policy attributes mode, configures pool1 and pool20 as the list of address pools to use for allocating addresses to remote clients for GroupPolicy1:

hostname(config)# ip local pool pool1 192.168.10.1-192.168.10.100 mask 255.255.0.0
hostname(config)# ip local pool pool20 192.168.20.1-192.168.20.200 mask 255.255.0.0
hostname(config)# group-policy GroupPolicy1 attributes
hostname(config-group-policy)# address-pools value pool1 pool20
hostname(config-group-policy)# 
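
The ordered allocation described above, shown as an added example that is not code from the Cisco guide or from the ASA: a small Python model of ip local pool and address-pools value. The pool names, client names and the deliberately tiny address ranges are constructed for the demonstration, and the assumption that the group-policy list overrides the tunnel-group address-pool (the "local pool settings in the group") is stated in the code.

```python
import ipaddress
from typing import Dict, List, Optional


class LocalPool:
    """Models 'ip local pool NAME FIRST-LAST mask MASK' as a FIFO of free addresses."""

    def __init__(self, name: str, first: str, last: str, mask: str):
        self.name = name
        self.mask = ipaddress.IPv4Address(mask)
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if hi < lo:
            raise ValueError(f"{name}: last address precedes first address")
        self.free = [ipaddress.IPv4Address(a) for a in range(lo, hi + 1)]
        self.assigned: Dict[str, ipaddress.IPv4Address] = {}

    def allocate(self, client: str) -> Optional[ipaddress.IPv4Address]:
        """Hand out the lowest free address, or None when the pool is exhausted."""
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.assigned[client] = addr
        return addr

    def release(self, client: str) -> None:
        """Return a client's address to the end of the free list."""
        addr = self.assigned.pop(client, None)
        if addr is not None:
            self.free.append(addr)


def effective_pools(group_policy_pools: Optional[List[str]],
                    tunnel_group_pools: List[str]) -> List[str]:
    """Assumption: 'address-pools value ...' on the group policy (a list; an empty
    list models 'address-pools none') overrides the tunnel-group address-pool, and
    an unset attribute (None) leaves the tunnel-group list in effect."""
    return tunnel_group_pools if group_policy_pools is None else group_policy_pools


def assign_address(pool_names: List[str], pools: Dict[str, LocalPool],
                   client: str) -> Optional[ipaddress.IPv4Address]:
    """Walk the pools in the order they were listed and take the first free address;
    a later pool is touched only once every earlier pool is exhausted."""
    if len(pool_names) > 6:
        raise ValueError("address-pools accepts at most six pools")
    for name in pool_names:
        addr = pools[name].allocate(client)
        if addr is not None:
            return addr
    return None  # every listed pool is exhausted: this connection gets no address


def simulate(pool_names: List[str], pools: Dict[str, LocalPool],
             clients: List[str]) -> Dict[str, Optional[str]]:
    """Connect each client in turn and report the address (if any) it received."""
    result: Dict[str, Optional[str]] = {}
    for client in clients:
        addr = assign_address(pool_names, pools, client)
        result[client] = str(addr) if addr is not None else None
    return result


def build_demo_pools() -> Dict[str, LocalPool]:
    """Constructed pools, kept tiny so that exhaustion of pool1 is visible."""
    return {
        "pool1": LocalPool("pool1", "192.168.10.1", "192.168.10.3", "255.255.255.0"),
        "pool20": LocalPool("pool20", "192.168.20.1", "192.168.20.2", "255.255.255.0"),
    }


if __name__ == "__main__":
    pools = build_demo_pools()
    order = effective_pools(["pool1", "pool20"], ["Engineering"])
    for client, addr in simulate(order, pools, [f"user{i}" for i in range(1, 7)]).items():
        print(f"{client}: {addr}")
```

Running it shows user1 to user3 taking pool1, user4 and user5 falling through to pool20, and user6 receiving no address at all; reversing the list order makes pool20 the first source, which is the point the guide makes about ordering.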

Configuring Firewall Policies

A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option.

Set personal firewall policies that the security appliance pushes to the VPN client during IKE tunnel negotiation by using the client-firewall command in group-policy configuration mode. To delete a firewall policy, enter the no form of this command.

To delete all firewall policies, enter the no client-firewall command without arguments. This command deletes all configured firewall policies, including a null policy if you created one by entering the client-firewall command with the none keyword.

When there are no firewall policies, users inherit any that exist in the default or other group policy. To prevent users from inheriting such firewall policies, enter the client-firewall command with the none keyword.

In ASDM, the equivalent settings are on the Client Firewall tab of the Add or Edit Group Policy window for the group policy being added or modified.


Note Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.


In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.

Enter the following commands to set the appropriate client firewall parameters. You can configure only one instance of this command. Table 3-1, following this set of commands, explains the syntax elements of these commands:

Cisco Integrated Firewall

hostname(config-group-policy)# client-firewall {opt | req} cisco-integrated acl-in ACL acl-out ACL

Cisco Security Agent

hostname(config-group-policy)# client-firewall {opt | req} cisco-security-agent

No Firewall

hostname(config-group-policy)# client-firewall none

Custom Firewall

hostname(config-group-policy)# client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in ACL acl-out ACL} [description string]

Zone Labs Firewalls

hostname(config-group-policy)# client-firewall {opt | req} zonelabs-integrity

Note When the firewall type is zonelabs-integrity, do not include arguments. The Zone Labs Integrity Server determines the policies.


hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-in ACL acl-out ACL}

hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarmorpro policy {AYT | CPP acl-in ACL acl-out ACL}

hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarmpro policy {AYT | CPP acl-in ACL acl-out ACL}

Sygate Personal Firewalls

hostname(config-group-policy)# client-firewall {opt | req} sygate-personal

hostname(config-group-policy)# client-firewall {opt | req} sygate-personal-pro

hostname(config-group-policy)# client-firewall {opt | req} sygate-security-agent

Network ICE BlackICE Firewall

hostname(config-group-policy)# client-firewall {opt | req} networkice-blackice

Table 3-1 client-firewall Command Keywords and Variables

Parameter                        Description
acl-in ACL                       Provides the policy the client uses for inbound traffic.
acl-out ACL                      Provides the policy the client uses for outbound traffic.
AYT                              Specifies that the firewall application on the client PC controls the firewall policy. The VPN client checks that the firewall is running by asking it "Are You There?"; if there is no response, the VPN client tears down the tunnel.
cisco-integrated                 Specifies the Cisco Integrated firewall type.
cisco-security-agent             Specifies the Cisco Intrusion Prevention Security Agent firewall type.
CPP                              Specifies Central Protection Policy (policy pushed from the security appliance) as the source of the VPN client firewall policy.
custom                           Specifies a custom firewall type.
description string               Describes the firewall.
networkice-blackice              Specifies the Network ICE BlackICE firewall type.
none                             Indicates that there is no client firewall policy. Sets a firewall policy with a null value, thereby disallowing a firewall policy, and prevents inheriting a firewall policy from a default or specified group policy.
opt                              Indicates an optional firewall type.
product-id num                   Identifies the firewall product.
req                              Indicates a required firewall type.
sygate-personal                  Specifies the Sygate Personal firewall type.
sygate-personal-pro              Specifies the Sygate Personal Pro firewall type.
sygate-security-agent            Specifies the Sygate Security Agent firewall type.
vendor-id num                    Identifies the firewall vendor.
zonelabs-integrity               Specifies the Zone Labs Integrity Server firewall type.
zonelabs-zonealarm policy        Specifies the Zone Labs ZoneAlarm firewall type.
zonelabs-zonealarmorpro policy   Specifies the Zone Labs ZoneAlarm or ZoneAlarm Pro firewall type.
zonelabs-zonealarmpro policy     Specifies the Zone Labs ZoneAlarm Pro firewall type.


The following example shows how to set a client firewall policy that requires Cisco Intrusion Prevention Security Agent for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-firewall req cisco-security-agent
hostname(config-group-policy)# 

Configuring Client Access Rules

Configure rules that limit the remote access client types and versions that can connect via IPsec through the security appliance by using the client-access-rule command in group-policy configuration mode. Construct rules according to these guidelines:

If you do not define any rules, the security appliance permits all connection types.

When a client matches none of the rules, the security appliance denies the connection. If you define a deny rule, you must also define at least one permit rule; otherwise, the security appliance denies all connections.

For both software and hardware clients, type and version must exactly match their appearance in the show vpn-sessiondb remote display.

The * character is a wildcard, which you can enter multiple times in each rule. For example, client-access-rule 3 deny type * version 3.* creates a priority 3 client access rule that denies all client types running release 3.x software.

You can construct a maximum of 25 rules per group policy.

There is a limit of 255 characters for an entire set of rules.

You can enter n/a for clients that do not send client type and/or version.

To delete a single rule, enter the no form of this command with the same arguments you used to create the rule. For example, the following command removes the rule client-access-rule 1 deny type "Cisco VPN Client" version 4.0:

hostname(config-group-policy)# no client-access-rule 1 deny type "Cisco VPN Client" version 4.0

To delete all rules, enter the no client-access-rule command without arguments. This deletes all configured rules, including a null rule if you created one by issuing the client-access-rule command with the none keyword.

By default, there are no access rules. When there are no client access rules, users inherit any rules that exist in the default group policy.

To prevent users from inheriting client access rules, enter the client-access-rule command with the none keyword. The result of this command is that all client types and versions can connect.

hostname(config-group-policy)# client-access-rule {priority {permit | deny} type type version version | none}

hostname(config-group-policy)# no client-access-rule [priority {permit | deny} type type version version]

Table 3-2 explains the meaning of the keywords and parameters in these commands.

Table 3-2 client-access-rule Command Keywords and Variables

Parameter            Description
deny                 Denies connections for devices of a particular type and/or version.
none                 Allows no client access rules. Sets client-access-rule to a null value, thereby allowing no restriction, and prevents inheriting a value from a default or specified group policy.
permit               Permits connections for devices of a particular type and/or version.
priority             Determines the priority of the rule. The rule with the lowest integer has the highest priority, so the rule with the lowest integer that matches a client type and/or version is the rule that applies. If a lower priority rule contradicts it, the security appliance ignores the lower priority rule.
type type            Identifies device types via free-form strings, for example VPN 3002. A string must exactly match its appearance in the show vpn-sessiondb remote display, except that you can enter the * character as a wildcard.
version version      Identifies the device version via free-form strings, for example 7.0. A string must exactly match its appearance in the show vpn-sessiondb remote display, except that you can enter the * character as a wildcard.


The following example shows how to create client access rules for the group policy named FirstGroup. These rules deny all Windows NT clients and permit Cisco VPN Clients running software version 4.x. Because a client that matches neither rule is denied, any other client type or version, including hardware clients, cannot connect under this policy:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# client-access-rule 1 deny type WinNT version *
hostname(config-group-policy)# client-access-rule 2 permit type "Cisco VPN Client" version 4.*


Note The "type" field is a free-form string that allows any value, but that value must match the fixed value that the client sends to the security appliance at connect time.
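
The rule semantics described in this section, as an added example that is not code from the Cisco guide or from the ASA: a Python model of a group policy's client-access-rule set that applies the guidelines above (permit everything when no rules exist, first match by priority number, * as the only wildcard, deny when no rule matches, and the 25-rule and 255-character limits). The sample client type and version strings are constructed; the representation of a client that sends no type or version as "n/a", and the way the 255-character budget is measured, are assumptions noted in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits the guide states for one group policy's rule set.
MAX_RULES = 25
MAX_RULESET_CHARS = 255


@dataclass(frozen=True)
class ClientAccessRule:
    priority: int
    action: str        # "permit" or "deny"
    client_type: str   # free-form; '*' is the only wildcard
    version: str       # free-form; '*' is the only wildcard

    def render(self) -> str:
        """Render the rule as the CLI line you would type in group-policy mode."""
        ctype = f'"{self.client_type}"' if " " in self.client_type else self.client_type
        return f"client-access-rule {self.priority} {self.action} type {ctype} version {self.version}"


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters and may appear several times;
    every other character must match exactly, as the guide requires."""
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def validate_ruleset(rules: List[ClientAccessRule]) -> List[ClientAccessRule]:
    """Reject rule sets the appliance would not accept; return them ordered by priority."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per group policy")
    # Assumption: the 255-character limit for the whole set is approximated here
    # as the combined length of the action, type and version arguments.
    used = sum(len(r.action) + len(r.client_type) + len(r.version) for r in rules)
    if used > MAX_RULESET_CHARS:
        raise ValueError(f"rule set exceeds {MAX_RULESET_CHARS} characters")
    for r in rules:
        if r.action not in ("permit", "deny"):
            raise ValueError(f"unknown action {r.action!r}")
    return sorted(rules, key=lambda r: r.priority)


def decide(rules: Optional[List[ClientAccessRule]],
           client_type: str, version: str) -> Tuple[str, Optional[ClientAccessRule]]:
    """Return (verdict, rule that produced it).

    No rules (None, or an empty list modelling 'client-access-rule none') permits
    every client type and version. Otherwise the matching rule with the lowest
    priority number wins, and a client that matches no rule is denied, which is why
    a deny rule without at least one permit rule denies all connections.
    """
    if not rules:
        return "permit", None
    for rule in validate_ruleset(rules):
        if wildcard_match(rule.client_type, client_type) and wildcard_match(rule.version, version):
            return rule.action, rule
    return "deny", None


def effective_rules(group_rules: Optional[List[ClientAccessRule]],
                    default_rules: Optional[List[ClientAccessRule]]) -> Optional[List[ClientAccessRule]]:
    """Inheritance: an unset attribute (None) falls back to the default group policy;
    'client-access-rule none' (modelled as an empty list) blocks that inheritance."""
    return default_rules if group_rules is None else group_rules


# Rule set from the guide's FirstGroup example.
FIRST_GROUP = [
    ClientAccessRule(1, "deny", "WinNT", "*"),
    ClientAccessRule(2, "permit", "Cisco VPN Client", "4.*"),
]
# The deny-only set from the guide's wildcard example: it denies everything.
DENY_ONLY = [ClientAccessRule(3, "deny", "*", "3.*")]

# Constructed sample clients as (type, version); "n/a" stands for a client that
# sends no type or version (an assumption about how such a client is represented).
SAMPLE_CLIENTS = [
    ("Cisco VPN Client", "4.8.01.0300"),
    ("Cisco VPN Client", "3.6.3"),
    ("WinNT", "4.8.0"),
    ("VPN 3002", "4.7"),
    ("n/a", "n/a"),
]


def evaluate(rules: Optional[List[ClientAccessRule]], clients=SAMPLE_CLIENTS) -> dict:
    """Map 'type version' to the verdict each sample client gets under the rules."""
    return {f"{t} {v}": decide(rules, t, v)[0] for t, v in clients}


if __name__ == "__main__":
    for name, rules in (("FirstGroup", FIRST_GROUP), ("deny-only", DENY_ONLY), ("no rules", [])):
        print(f"{name}:")
        for r in rules:
            print("  " + r.render())
        for client, verdict in evaluate(rules).items():
            print(f"    {client:30} -> {verdict}")
```

Under FirstGroup only the 4.x Cisco VPN Client is permitted; the 3.x client, the VPN 3002 hardware client and the client that reports no type all match no rule and are denied. The deny-only set denies even the 4.x client, because nothing permits it, which is the pitfall the guidelines warn about.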


Example: Configuring a Security Appliance for the VPN Client Using CLI

The following example shows one way of configuring a security appliance for a VPN Client connection. The group-policy and tunnel-group commands are the ones specifically relevant to the VPN Client:

group-policy Engineering attributes
  vpn-tunnel-protocol IPsec
configure terminal
tunnel-group TestTunnelGroup1 general-attributes
  accounting-server-group ACS-1
  default-group-policy Engineering
  strip-group
  strip-realm
  no dhcp-server 209.165.200.200
  dhcp-server 209.165.200.201
  override-account-disable
  password-management password-expire-in-days 0
  authentication-server-group (inside) ACS-1 LOCAL
  authentication-server-group ACS-1 LOCAL
  authorization-server-group (inside) ACS-1
  authorization-server-group LOCAL
  address-pool (test) Engineering
tunnel-group TestTunnelGroup1 ipsec-attributes
  chain
  pre-shared-key **********
  isakmp keepalive disable
  trust-point ASDM_TrustPoint11
  client-update type Windows url http://www.cisco.com rev-nums 4.6,4.7,4.8,4.9,5.0
  client-update type vpn3002 url tftp://www.cisco.com rev-nums 4.6
  client-update type asa5505 component image url https://www.cisco.com rev-nums 7.2
  isakmp ikev1-user-authentication (inside) hybrid
tunnel-group TestTunnelGroup1 ppp-attributes
  authentication ms-chap-v2
vpn-addr-assign local reuse-delay 5
group-delimiter #