SCEP forwarding URL—Address of the CA, required when
SCEP Proxy is configured in the client profile.
Address Pools—Specifies the name of one or more IPv4
address pools to use for this group policy. If the Inherit check box is
checked, the group policy uses the IPv4 address pool specified in the Default
Group Policy. See for information on adding or editing an IPv4 address pool.
You can specify both an IPv4 and an IPv6 address pool for an
internal group policy.
Select—Uncheck the Inherit checkbox to activate this button.
Click Select to open the Address Pools dialog box, which shows the
pool name, starting and ending addresses, and subnet mask of address pools
available for client address assignment and lets you choose, add, edit, delete,
and assign entries from that list.
IPv6 Address Pools—Specifies the name of one or more
IPv6 address pools to use for this group policy.
Select—Uncheck the Inherit checkbox to activate this button.
Click Select to open the Select Address Pools dialog box, as previously
described. See for information on adding or editing an IPv6 address pool.
More Options—Click the down arrows at the right of
the field to display additional configurable options for this group policy.
Tunneling Protocols—Specifies the tunneling
protocols that this group can use. Users can use only the selected protocols.
The choices are as follows:
Clientless SSL VPN—Specifies the use of VPN via
SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to
an ASA; requires neither a software nor hardware client. Clientless SSL VPN can
provide easy access to a broad range of enterprise resources, including
corporate websites, web-enabled applications, NT/AD file share (web-enabled),
e-mail, and other TCP-based applications from almost any computer that can
reach HTTPS Internet sites.
SSL VPN Client—Specifies the use of the Cisco
AnyConnect VPN client or the legacy SSL VPN client. If you are using the
AnyConnect client, you must choose this protocol for Mobile User Security (MUS)
to be supported.
IPsec IKEv1—IP Security Protocol. Regarded as the
most secure protocol, IPsec provides the most complete architecture for VPN
tunnels. Both Site-to-Site (peer-to-peer) connections and Cisco VPN
client-to-LAN connections can use IPsec IKEv1.
IPsec IKEv2—Supported by the AnyConnect Secure
Mobility Client. AnyConnect connections using IPsec with IKEv2 provide advanced
features such as software updates, client profiles, GUI localization
(translation) and customization, Cisco Secure Desktop, and SCEP proxy.
L2TP over IPsec—Allows remote users with VPN clients
provided with several common PC and mobile PC operating systems to establish
secure connections over the public IP network to the security appliance and
private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the
data. The security appliance must be configured for IPsec transport mode.
Filter—Specifies which access control list to use
for an IPv4 or an IPv6 connection, or whether to inherit the value from the
group policy. Filters consist of rules that determine whether to allow or
reject tunneled data packets coming through the ASA, based on criteria such as
source address, destination address, and protocol. To configure filters and
NAC Policy—Selects the name of a Network Admission
Control policy to apply to this group policy. You can assign an optional NAC
policy to each group policy. The default value is --None--.
Manage—Opens the Configure NAC Policy dialog box.
After configuring one or more NAC policies, the NAC policy names appear as
options in the drop-down list next to the NAC Policy attribute.
Access Hours—Selects the name of an existing access
hours policy, if any, applied to this user, or creates a new access hours policy.
The default value is Inherit, or, if the Inherit check box is not checked, the
default value is --Unrestricted--. Click
Manage to open the Browse Time Range dialog box, in
which you can add, edit, or delete a time range.
Simultaneous Logins—Specifies the maximum number of
simultaneous logins allowed for this user. The default value is 3. The minimum
value is 0, which disables login and prevents user access.
While there is no maximum limit, allowing several simultaneous
connections might compromise security and affect performance.
Restrict Access to VLAN—(Optional) Also called “VLAN
mapping,” this parameter specifies the egress VLAN interface for sessions to
which this group policy applies. The ASA forwards all traffic from this group
to the selected VLAN. Use this attribute to assign a VLAN to the group policy
to simplify access control. Assigning a value to this attribute is an
alternative to using ACLs to filter traffic on a session. In addition to the
default value (Unrestricted), the drop-down list shows only the VLANs that are
configured in this ASA.
This feature works for HTTP connections, but not for FTP and
Connection Profile (Tunnel Group) Lock—This
parameter permits remote VPN access only with the selected connection profile
(tunnel group), and prevents access with a different connection profile. The
default inherited value is None.
Maximum Connect Time—If the Inherit check box is not checked, this parameter sets the maximum user connection time in minutes.
At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 35791394 minutes (over 4000 years). To allow unlimited connection time, check Unlimited (default).
Idle Timeout—If the Inherit check box is not checked, this parameter sets the idle timeout in minutes.
If there is no communication activity on the connection in this period, the system terminates the connection. The minimum time is 1 minute, the maximum time is 10080 minutes, and the default is 30 minutes. To allow unlimited connection time, check Unlimited.
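The Simultaneous Logins, Idle Timeout, and Maximum Connect Time attributes above are the ones an auditor most often checks across many group policies. The following script is an added example, not part of this documentation: it parses a constructed fragment of ASA running-config output and flags the settings the text warns about (many simultaneous logins, a login limit of 0, and unlimited timeouts). The CLI keywords vpn-simultaneous-logins, vpn-idle-timeout, vpn-session-timeout, and vpn-tunnel-protocol are assumed to be the CLI counterparts of the ASDM fields and do not appear on this page.

```python
import re

# Constructed sample of "show running-config group-policy" output (assumption:
# these CLI keywords back the ASDM fields described above; not from the page).
SAMPLE_CONFIG = """\
group-policy GP_SALES internal
group-policy GP_SALES attributes
 vpn-tunnel-protocol ikev2 ssl-client
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
group-policy GP_CONTRACTOR internal
group-policy GP_CONTRACTOR attributes
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout 480
"""


def parse_group_policies(text):
    """Return {policy_name: {attribute: value}} from each 'attributes' block."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return policies


def audit(policies, max_logins=3, max_idle=30):
    """Flag settings the documentation calls out: a login limit above the
    default of 3, a limit of 0 (disables access), and unlimited timeouts."""
    findings = []
    for name, attrs in sorted(policies.items()):
        logins = attrs.get("vpn-simultaneous-logins")
        if logins is not None and int(logins) == 0:
            findings.append((name, "simultaneous logins is 0: all access disabled"))
        elif logins is not None and int(logins) > max_logins:
            findings.append((name, f"simultaneous logins {logins} exceeds {max_logins}"))
        idle = attrs.get("vpn-idle-timeout")
        if idle == "none":
            findings.append((name, "idle timeout unlimited"))
        elif idle is not None and int(idle) > max_idle:
            findings.append((name, f"idle timeout {idle} min exceeds {max_idle}"))
        if attrs.get("vpn-session-timeout") == "none":
            findings.append((name, "maximum connect time unlimited"))
    return findings
```

Run it against real output by replacing SAMPLE_CONFIG with the captured text; policies that inherit a value from the default group policy will not show the attribute and so are not flagged.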
Security Group Tag (SGT)—Enter the numerical value
of the SGT tag that will be assigned to VPN users connecting with this group
On smart card removal—With the default option,
Disconnect, the client tears down the connection if the smart card used for
authentication is removed. Click
Keep the connection if you do not want to require
users to keep their smart cards in the computer for the duration of the
Smart card removal configuration only works on Microsoft Windows
using RSA smart cards.
Maximum Connection Time Alert Interval—The interval of time before the maximum connection time is reached at which a message is displayed to the user.
If you uncheck the Inherit check box, the Default check box is checked automatically. This sets the session alert interval to 30 minutes. If you want to specify a new value, uncheck Default and specify a session alert interval from 1 to 30 minutes.
Periodic Certificate Authentication Interval—The interval of time, in hours, after which certificate authentication is performed again.
If the Inherit check box is not checked, you can set the interval for performing periodic certificate verification. The range is between 1 and 168 hours, and the default is disabled. To allow unlimited verification, check Unlimited.