ASA Group Policies Dialog Box
Use the Add or Edit ASA Group Policies dialog box to create, copy, and edit an ASA user group policies object.
ASA group policies are configured on ASA security appliances in Easy VPN topologies, remote access IPSec VPNs, and remote access SSL VPNs. When you configure an Easy VPN or remote access VPN, you must create group policies to which remote clients will belong. A group policy is a set of user-oriented attribute/value pairs for VPN connections that are stored either internally (locally) on the device or externally on a AAA server. The tunnel group uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users rather than having to specify each attribute individually for each user.
Note: You must select the technology for which you are creating the object. Depending on the selected technology, the appropriate settings are available for configuration. If you select the IKEv1 or IKEv2 options, the IKE Proposal and IPSec Proposal policies must also be configured to support the selected IKE version.
From version 4.18, Cisco Security Manager has introduced the option to override group policies. On the ASA Group Policy page, you can enable device overrides and edit device overrides from the right-click menu. When override is enabled,
Navigation Path
Select ASA Group Policies in the Policy Object Manager. Right-click inside the work area and select New Object or right-click a row and select Edit Object.
Tip: You can also create objects while configuring policies that use this type of object, including Connection Profile policies for remote access and Easy VPN, or the Group Policies policy for remote access VPNs.
Related Topics
Field Reference
| Element | Description |
|---|---|
| Name | The object name, which can be up to 128 characters. Object names are not case-sensitive. For more information, see Creating Policy Objects. |
| Description | An optional description of the object. |
| Settings Pane | The body of the dialog box is a pane with a table of contents on the left and settings related to the item selected in the table of contents on the right. You must first configure technology settings, then you can select items from the table of contents on the left and configure the options you require. Your selections on the Technology page control which options are available on these pages and in the table of contents. The top folders in the table of contents represent the VPN technologies or other settings that you can configure, and are explained next. |
| Technology settings | These settings control what you can define in the group policy: If you select External, the only attributes you can configure are the name of the AAA server group object that identifies the AAA server and its password. After you select an external server group, the Password and Confirm fields become active. Enter the alphanumeric password to use for authenticating with the server in both fields. The password can be a maximum of 128 characters; spaces are not allowed. |
| DNS/WINS | The DNS and WINS servers and the domain name that should be pushed to clients associated with the group. See ASA Group Policies DNS/WINS Settings. |
| Split Tunneling | Settings to allow a remote client to conditionally direct encrypted packets through a secure tunnel to the central site and simultaneously allow clear text tunnels to the Internet through a network interface. See ASA Group Policies Split Tunneling Settings. |
| Easy VPN/IPSec VPN | Settings for Easy VPN and remote access IPSec VPNs: |
| SSL VPN | Settings for SSL VPN: |
| Connection Settings | The connection settings for the group, such as the session and idle timeouts, including the banner text. See ASA Group Policies Connection Settings. |
| General Settings | |
Override ASA Group Policy
In Cisco Security Manager, group policies are created for the devices and maintained at the Cisco Security Manager level. When there is an upgrade, on rediscovery, Cisco Security Manager recreates these policies as new (with a suffix to the policy name). To overcome this duplication, from version 4.18, an Allow Value Override per device check box is used to set the group policy override on the specific device(s). For more information, see Managing Object Overrides.
You can edit the device-level overrides for the group policies. See Policy Object Overrides Window.
Supported CLIs in Remote Access VPN Multi-Context Mode - Group Policy
The following CLIs are supported for Group Policy in ASA version 9.5(2) for remote access VPN in multiple context mode. These CLIs are supported in Admin and User Context.
Note: For the configurations that are not supported, Security Manager displays a warning message that you can ignore. No delta will be generated.
- Address-pools
- Banner
- Client-bypass-protocol
- Default-domain
- Dhcp-network-scope
- Dns-server
- Exit
- Gateway-fqdn
- Ipv6-address-pools
- Msie-proxy
- No
- Security-group-tag
- Smartcard-removal-disconnect
- Periodic-authentication
- Split-dns
- Split-tunnel-all-dns
- Split-tunnel-network-list
- Split-tunnel-policy
- Vpn-access-hours
- Vpn-filter (already supported in multi-mode for S2S)
- Vpn-simultaneous-logins
- Vpn-idle-timeout (already supported in multi-mode for S2S)
- Vpn-session-timeout (already supported in multi-mode for S2S)
- Vpn-tunnel-protocol ssl-client
- Wins-server
- Webvpn
  - Anyconnect-custom
  - anyconnect Dpd-interval
  - anyconnect dtls
  - anyconnect firewall-rule
  - anyconnect keep-installer
  - anyconnect modules
  - anyconnect Mtu
  - anyconnect routing-filtering-ignore
  - anyconnect Ssl
  - exit
  - homepage value | none
  - no
ASA Group Policies Client Configuration Settings
Use the Client Configuration settings page to configure the Cisco client parameters for the ASA group policy for Easy VPN or remote access VPN.
Client Configuration is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select Client Configuration from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
| Element | Description |
|---|---|
| Store Password on Client System | Whether to allow users to store a password on their local systems. Enable this feature only if you are certain that the local systems will be in secure sites. |
| Enable IPsec over UDP, UDP Port | Whether to allow a Cisco VPN client or hardware client to connect using UDP to a security appliance that is running NAT. If you select this option, specify the UDP port number within the range of 4001-49151. In IPsec negotiations, the security appliance listens on the configured port and forwards UDP traffic for that port even if other filter rules drop UDP traffic. |
| IPsec Backup Servers, Servers List | Specify the backup server configuration: You can configure backup servers either on the client or on the primary security appliance. If you configure backup servers on the security appliance, it pushes the backup server policy to the clients in the group, replacing the backup server list on the client if one is configured. |
ASA Group Policies Client Firewall Attributes
Use the Client Firewall Attributes settings to configure the firewall settings for VPN clients for the ASA group policy for Easy VPN or remote access IPSec VPN. Only VPN clients running Microsoft Windows can use these firewall settings.
Client Firewall Attributes are not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select Client Firewall Attributes from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
| Element | Description |
|---|---|
| Firewall Mode | The firewall requirements for client systems for the group: |
| Firewall Type | The type of firewall that you are making required or optional. The list shows all of the supported firewall software, which includes software from Cisco, Network ICE, Sygate, and Zone Labs. |
| Policy Source | Some types of firewall allow you to configure where the client firewall should obtain its policies: You must enter the name of an extended access control list policy object or Unified ACL, or click Select to select one from a list or to create a new one, in both the Inbound Traffic Policy and Outbound Traffic Policy fields. Unified ACLs are supported from ASA version 9.0. |
| Custom Firewall | The attributes that define the required or optional firewall if you select custom firewall as the firewall type: |
ASA Group Policies Hardware Client Attributes
Use the Hardware Client Attributes settings to configure the VPN 3002 Hardware Client settings for the ASA group policy in an Easy VPN or remote access IPSec VPN.
Hardware Client Attributes are not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select Hardware Client Attributes from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
| Element | Description |
|---|---|
| Require Interactive Client Authentication | Whether to enable secure unit authentication, which provides additional security by requiring VPN hardware clients to authenticate with a username and password each time that the client initiates a tunnel. The hardware client does not have a saved username and password. |
| Require Individual User Authentication | Whether to require that individual users behind a hardware client authenticate to gain access to the network across the tunnel. Individual users authenticate according to the order of authentication servers that you configure. If you do not select this option, the security appliance allows inheritance of a value for user authentication from another group policy. |
| Enable Cisco IP Phone Bypass | Whether to allow IP phones behind hardware clients to connect without undergoing a user authentication process. Secure unit authentication remains in effect for other users. |
| Enable LEAP Bypass | Whether to enable Lightweight Extensible Authentication Protocol (LEAP) packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This action lets workstations using Cisco wireless access point devices establish LEAP authentication and then authenticate again per user authentication. |
| Allow Network Extension Mode | Whether to enable network extension mode for hardware clients. Network extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the security appliance. PAT does not apply. Devices behind the security appliance have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange. |
| Idle Timeout Mode | How to handle periods of inactivity from individual clients: |
ASA Group Policies IPSec Settings
Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA group policy for Easy VPN or remote access IPSec VPN. This creates security associations that govern authentication, encryption, encapsulation, and key management.
IPSec is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select IPsec from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
| Element | Description |
|---|---|
| Enable Re-Authentication on IKE Re-Key | Whether the security appliance should prompt the user to enter a username and password during initial Phase 1 IKE negotiation and also prompt for user authentication whenever an IKE rekey occurs, providing additional security. Reauthentication fails if no user is at the other end of the connection. |
| Enable IPsec Compression | Whether to enable data compression, which speeds up transmission rates for remote dial-in users connecting with modems. |
| Enable Perfect Forward Secrecy (PFS) | Whether to enable the use of Perfect Forward Secrecy (PFS) to generate and use a unique session key for each encrypted exchange. In IPsec negotiations, PFS ensures that each new cryptographic key is unrelated to any previous key. |
| Tunnel Group Lock | Tunnel group lock restricts users by checking if the group configured in the VPN client is the same as the tunnel group to which the user is assigned. If it is not, the security appliance prevents the user from connecting. If you do not specify a tunnel name, the security appliance authenticates users without regard to the assigned group. Group locking is disabled by default. |
| Client Access Rules table | The access rules for clients. These rules control which types of clients are denied access, if any. You can have up to 25 rules, and combined they are limited to 255 characters. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it. |
Add or Edit Client Access Rules Dialog Box
Use the Client Access Rules dialog box to create or edit the priority, action, VPN client type and VPN client version for a client access rule.
Navigation Path
From ASA Group Policies IPSec Settings, click the Add Row button beneath the Client Access Rules table, or select a rule and click the Edit Row button.
Field Reference
| Element | Description |
|---|---|
| Priority | The relative priority of the rule. The rule with the lowest integer has the highest priority. Therefore, the rule with the lowest integer that matches a client type or version is the rule that applies. If a lower priority rule contradicts, the security appliance ignores it. Values are 1-65535. |
| Action | Whether this rule permits or denies traffic access to the client. |
| VPN Client Type, VPN Client Version | The type or version of VPN client to which this rule applies. Spaces are allowed. You can use * as a wildcard to match zero or more characters. You can use n/a for clients that do not send their type or version. The strings you enter in these fields must match the strings displayed using the show vpn-sessiondb remote command on the ASA device. Following are some examples, where priority, permit/deny, type, and version are shown in order: |
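As an added illustration of the priority and wildcard semantics described for the Client Access Rules table and the dialog box above (example code written for this page, not Security Manager or ASA code): a small evaluator that applies the rule with the lowest priority integer matching a client's type and version strings, plus a check of the 25-rule and 255-character limits. It assumes that only the literal string n/a matches a field the client did not send, that matching is case-sensitive, that the 255-character budget counts the type and version strings, and that when rules exist but none matches the client is denied (ASA behaviour not stated on this page); the rule set and client strings are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_RULES = 25            # page: "You can have up to 25 rules"
MAX_COMBINED_CHARS = 255  # page: "combined they are limited to 255 characters"


@dataclass(frozen=True)
class ClientAccessRule:
    priority: int        # 1-65535; the lowest integer has the highest priority
    action: str          # "permit" or "deny"
    client_type: str     # e.g. "AnyConnect*" or "n/a"
    client_version: str  # e.g. "4.10*" or "n/a"


def _glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Rule string to regex: '*' matches zero or more characters, everything else
    is literal. Assumption: case-sensitive, because the strings must equal what
    `show vpn-sessiondb remote` prints."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*"))


def _field_matches(pattern: str, value: Optional[str]) -> bool:
    """value is None when the client did not send the field. Assumption: only the
    literal rule string 'n/a' matches an absent field (a bare '*' does not)."""
    if value is None:
        return pattern == "n/a"
    return _glob_to_regex(pattern).fullmatch(value) is not None


def validate_rules(rules: List[ClientAccessRule]) -> List[str]:
    """Return the limits from the page that a rule set violates (empty list = OK)."""
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"{len(rules)} rules exceeds the maximum of {MAX_RULES}")
    # Assumption: the 255-character budget is the sum of the type and version strings.
    combined = sum(len(r.client_type) + len(r.client_version) for r in rules)
    if combined > MAX_COMBINED_CHARS:
        problems.append(f"combined length {combined} exceeds {MAX_COMBINED_CHARS}")
    seen = set()
    for r in rules:
        if not 1 <= r.priority <= 65535:
            problems.append(f"priority {r.priority} is outside 1-65535")
        if r.action not in ("permit", "deny"):
            problems.append(f"unknown action {r.action!r}")
        if r.priority in seen:
            problems.append(f"duplicate priority {r.priority}")
        seen.add(r.priority)
    return problems


def evaluate(
    rules: List[ClientAccessRule], client_type: Optional[str], client_version: Optional[str]
) -> Tuple[str, Optional[ClientAccessRule]]:
    """Apply the matching rule with the lowest priority integer; later (higher-numbered)
    rules that contradict it are ignored. Assumption (ASA behaviour, not on the page):
    no rules at all permits every client; rules present but none matching denies."""
    if not rules:
        return "permit", None
    for rule in sorted(rules, key=lambda r: r.priority):
        if _field_matches(rule.client_type, client_type) and _field_matches(
            rule.client_version, client_version
        ):
            return rule.action, rule
    return "deny", None


# Constructed sample rule set (not from the page), listed out of order on purpose to
# show that the priority integer, not the listing order, decides which rule applies.
RULES = [
    ClientAccessRule(3, "permit", "AnyConnect*", "4.10*"),  # the supported AnyConnect train
    ClientAccessRule(1, "deny", "*", "3.*"),                # every 3.x client is refused
    ClientAccessRule(7, "deny", "AnyConnect*", "*"),        # contradicts rule 3 for 4.10,
                                                            # but rule 3 is consulted first
    ClientAccessRule(9, "permit", "n/a", "n/a"),            # clients that report nothing
]


if __name__ == "__main__":
    assert validate_rules(RULES) == []
    for ctype, cver in [
        ("AnyConnect Windows", "4.10.05085"),
        ("AnyConnect Windows", "4.6.03049"),
        ("AnyConnect Windows", "3.1.14018"),
        (None, None),
        ("Cisco Systems VPN Client", "5.0.07.0440"),
    ]:
        action, rule = evaluate(RULES, ctype, cver)
        via = rule.priority if rule else "no match"
        print(f"{ctype!r:28} {cver!r:16} -> {action:6} via rule {via}")
```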
ASA Group Policies SSL VPN Clientless Settings
Use the Clientless settings to configure the clientless mode of access to the corporate network in a remote access SSL VPN for the ASA group policy object.
When a user connects to the SSL VPN in clientless mode, the user logs into the SSL VPN portal page. From the portal page, the user can access all available HTTP sites, access web e-mail, and browse Common Internet File System (CIFS) file servers, depending on how you configure the portal.
Clientless is not supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select Clientless from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
| Element | Description |
|---|---|
| Portal Page Websites | The name of the SSL VPN bookmarks policy object that includes the website URLs to display on the portal page. These websites help users access desired resources. Enter the name of the object or click Select to select it from a list or to create a new object. |
| Allow Users to Enter Websites | Whether to allow the remote user to enter website URLs directly into the browser. If you do not select this option, the user can access only those URLs included on the portal. |
| Enable File Server Browsing | Whether to allow the remote user to browse for file shares on the CIFS file servers. |
| Enable File Server Entry | Whether to allow the remote user to locate file shares on the CIFS file servers by entering the names of the file shares. |
| Enable Hidden Shares | Whether to make hidden CIFS shares visible, and thus accessible, to users. |
| HTTP Proxy | The type of access you want to allow to the external HTTP proxy server to which the security appliance forwards HTTP connections. You can enable access, disable access, or select Auto Start, which starts the proxy automatically upon user login. |
| Filter ACL | The name of the web type access control list policy object to use to restrict user access to the SSL VPN. Enter the name of the object or click Select to select it from a list or to create a new object. Beginning with version 4.10, you can enter IPv6 values for the web type ACL. |
| Enable ActiveX Relay | Whether to enable ActiveX relay, which allows users to start ActiveX programs from the portal page. This allows users to start Microsoft Office applications from the web browser and upload and download Office documents. |
| UNIX Authentication Group ID | The UNIX authentication group ID. |
| UNIX Authentication User ID | The UNIX authentication user ID. |
| Smart Tunnel | The name of the smart tunnel list policy object assigned to this group. Click Select to select it from a list or to create a new object. A smart tunnel is a connection between a Winsock 2, TCP-based application and a private site. The connection uses a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server. Thus, smart tunnels do not require users to have administrator privileges. For more information, see Configuring SSL VPN Smart Tunnels for ASA Devices. |
| Auto Start Smart Tunnel | Whether to start smart tunnel access automatically upon user login. If you do not select this option, the user must start the tunnel manually through the Application Access tools on the portal page. Auto sign-on supports only applications that use HTTP and HTTPS using the Microsoft WININET library on a Microsoft Windows operating system. For example, Microsoft Internet Explorer uses the WININET dynamic link library to communicate with web servers. |
| Smart Tunnel Network List | Choose from the following options to select the list of hosts or networks for which you want to use the smart tunnel. To enable the selection, you must first create the smart tunnel network list entries. For more information, see Add and Edit A Smart Tunnel Network List Entry Dialog Box. Note that this feature is supported on devices that are running ASA software version 8.3(1) and later. |
| Smart Tunnel Auto Signon Server List | The name of the smart tunnel auto sign-on list policy object assigned to this group. Click Select to select it from a list or to create a new object. |
| Domain Name (Optional) | The Windows domain to add to the username during auto sign-on, if the universal naming convention (domain\username) is required for authentication. For example, enter CISCO to specify CISCO\qa_team when authenticating for the username qa_team. You must also check the Use Domain option when configuring associated entries in the auto sign-on server list. |
| Port Forwarding List | The name of the port forwarding list policy object assigned to this group. Port forwarding lists contain the set of applications that users of clientless SSL VPN sessions can access over forwarded TCP ports. Enter the name of the object or click Select to select it from a list or to create a new object. |
| Auto Start Port Forwarding | Whether to start port forwarding automatically upon user login. |
| Port Forwarding Applet Name | The application name or short description to display on the Port Forwarding Java applet screen on the portal, up to 64 characters. This is the name of the applet users will download to act as a TCP proxy on the client machine for the services configured on the SSL VPN gateway. |
| VDI Servers List table | The Citrix XenApp or XenDesktop servers that comprise the Virtual Desktop Infrastructure. |
Add or Edit VDI Server Dialog Box
Use the VDI Server dialog box to create or edit a Citrix XenApp or XenDesktop Server entry.
In a Virtual Desktop Infrastructure (VDI) model, administrators publish enterprise applications or desktops pre-loaded with enterprise applications, and end users remotely access these applications. These virtualized resources appear just like any other resources, such as email, so that users do not need to go through a Citrix Access Gateway to access them. Users log onto the ASA using the Citrix Receiver mobile client, and the ASA connects to a pre-defined Citrix XenApp or XenDesktop Server. The administrator must configure the Citrix server’s address and logon credentials under Group Policy so that when users connect to their Citrix virtualized resource, they enter the ASA’s SSL VPN IP address and credentials instead of pointing to the Citrix Server’s address and credentials. When the ASA has verified the credentials, the Receiver client starts to retrieve entitled applications through the ASA.
Supported Mobile Devices
- iPad: Citrix Receiver version 4.x or later
- iPhone/iTouch: Citrix Receiver version 4.x or later
- Android 2.x/3.x/4.0/4.1 phone: Citrix Receiver version 2.x or later
- Android 4.0 phone: Citrix Receiver version 2.x or later
Navigation Path
From ASA Group Policies SSL VPN Clientless Settings, click the Add Row button beneath the VDI Servers List table, or select a rule and click the Edit Row button.
Field Reference
| Element | Description |
|---|---|
| Hostname/IP Address (IPv4/IPv6) | Address of the XenApp or XenDesktop server. This value can be a clientless macro. Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA devices running version 9.0 or later. For invalid IPv6 addresses, Security Manager displays an error. |
| Port Number (Optional) | Port number for connecting to the Citrix server. This value can be a clientless macro. |
| Domain | Domain for logging into the virtualization infrastructure server. This value can be a clientless macro. |
| Secure HTTP | Check the check box if you want the server to connect using SSL. |
| Username | Username for logging into the virtualization infrastructure server. This value can be a clientless macro. The macros available for username are: These macros take the following three parameters: |
| Password | Password for logging into the virtualization infrastructure server. This value can be a clientless macro. The macros available for password are: These macros take the following three parameters: |
ASA Group Policies SSL VPN Full Client Settings
Use the Full Client settings to configure the full client mode of access to the corporate network in a remote access SSL VPN for the ASA group policy object.
Full client mode enables access to the corporate network completely over an SSL VPN tunnel. In full client access mode, the tunnel connection is determined by the group policy configuration. The full client software, SSL VPN Client (SVC) or AnyConnect, is downloaded to the remote client, so that a tunnel connection is established when the remote user logs in to the SSL VPN gateway.
Tip: To enable full client access, you must configure the policy on the device to identify AnyConnect image packages to install on the device. The images must be on the device so that users can download them. For more information, see Understanding SSL VPN AnyConnect Client Settings and Add and Edit File Object Dialog Boxes.
The following policies are supported for ASA 9.5(2) Remote Access VPN in Multi-context mode:
- Security Group Tag
- Periodic Certificate Verification
- Client Dead Peer Detection Timeout
- Gateway Dead Peer Detection Timeout
- Datalayer Transport layer Security Compression
- Keep AnyConnect Client on Client System
- Ignore Routing and Filter Rules
- AnyConnect Modules
- AnyConnect MTU
- AnyConnect Firewall-Client Public ACL
- AnyConnect Firewall-Client Private ACL
- Enable Datagram Transport Layer Security
Navigation Path
Select Full Client from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
| Element | Description |
|---|---|
| Enable Full Client | Whether to enable full client mode. |
| Mode | The mode in which to operate the SSL VPN: |
| Keep AnyConnect Client on Client System | Whether to leave the AnyConnect client installed on the client system after the client disconnects. If you do not leave the client installed, it must be downloaded each time the user connects to the gateway. |
| Enable Keepalive Messages | Whether to exchange keepalive messages between peers to demonstrate that they are available to send and receive data in the tunnel. Keepalive messages transmit at set intervals, and any disruption in that interval results in the creation of a new tunnel using a backup device. If you select this option, enter the time interval (in seconds) that the remote client waits between sending IKE keepalive packets in the Interval field. |
| SSL Compression | Whether to enable data compression, and if so, the method of data compression to use: None, Deflate, or LZS. Data compression speeds up transmission rates for remote dial-in users connecting with modems. |
| Client Dead Peer Detection Timeout (sec) | The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the remote user. DPD is used to send keepalive messages between peer devices only when no incoming traffic is received and outbound traffic needs to be sent. |
| Gateway Dead Peer Detection Timeout (sec) | The time interval, in seconds, that the Dead Peer Detection (DPD) timer is reset each time a packet is received over the SSL VPN tunnel from the gateway. |
| Key Renegotiation Method | The method by which the tunnel key is refreshed for the remote user group client: Enter the time interval (in minutes) between the tunnel refresh cycles in the Interval field. |
| Enable Datagram Transport Layer Security | Whether to enable Datagram Transport Layer Security (DTLS) connections for the group. Enabling DTLS allows the AnyConnect client establishing an SSL VPN connection to use two simultaneous tunnels, an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. |
| Datagram Transport Layer Security Compression | Whether to compress Datagram Transport Layer Security (DTLS) connections for the group, and if so, the method of data compression to use: None, Default, or LZS. |
| Ignore Don’t Fragment (DF) bit | Whether to ignore the DF bit in packets that need fragmentation. This feature forces fragmentation of packets that have the DF bit set, allowing them to pass through the tunnel. An example use case is servers in your network that do not respond correctly to TCP MSS negotiations. |
| AnyConnect Module | The modules that the AnyConnect client needs to enable optional features. Click Select to select the applicable modules from the Add AnyConnect Module dialog box. |
| AnyConnect MTU | The maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client. |
| AnyConnect Always-On VPN | Always-On VPN enables AnyConnect to automatically establish a VPN session after you log onto the system. Note that until you log off from the system, the VPN session remains open. Select one of these options: |
| AnyConnect Profile Name | The name of the AnyConnect profile to use for the group. You can enter multiple profile names, each separated by a comma. You must configure this name and relate it to a profile in the Remote Access VPN > SSL VPN > Other Settings policy. |
| Prompt User to Choose Client, Time User Has to Choose, Default Location | Whether to ask the user to download the client. Enter the number of seconds the user has to make a selection in the Time User Has to Choose field. The default is 120 seconds. If you do not select this option, the user is immediately taken to the default location. The user is also taken to the default location after the time to choose expires. |
| Security Group Tag | ASA Version 9.3(1)+ supports security group tagging of VPN sessions. A Security Group Tag (SGT) can be assigned to a VPN session using an external AAA server, or by configuration of the local user database. This tag can then be propagated through the Cisco TrustSec system over Layer 2 Ethernet. Security group tags are useful on group policies and for local users when the AAA server cannot provide an SGT. When the Default check box is selected, no Security Group Tag is assigned. To specify a Security Group Tag, clear the Default check box and then enter the numerical value of the SGT that will be assigned to VPN users connecting with this group policy in the Security Group Tag field. Valid values are from 2 to 65519. |
| Periodic Certificate Verification | Whether to enable periodic validation and revocation checking of the client certificates in VPN sessions. If you select this option, enter the interval of time, in hours, between 1 and 168. This feature is supported only on devices running ASA software version 9.4(1) or later. Periodic certificate verification is disabled by default. |
| AnyConnect Firewall-Client Public ACL | The name of the Extended or Unified access control list policy object to use to restrict user access to the SSL VPN. Public rules are applied to all interfaces on the client. Enter the name of the object or click Select to select it from a list or to create a new object. Unified ACLs are supported from ASA version 9.0. The default is Extended. If the device version is later than ASA 9.0, all the AnyConnect values are discovered as Unified ACLs and deployed as such. |
| AnyConnect Firewall-Client Private ACL | The name of the Extended or Unified access control list policy object to use to restrict user access to the SSL VPN. Private rules are applied to the Virtual Adapter. Enter the name of the object or click Select to select it from a list or to create a new object. Unified ACLs are supported from ASA version 9.0. The default is Extended. If the device version is later than ASA 9.0, all the AnyConnect values are discovered as Unified ACLs and deployed as such. |
| AnyConnect Custom Attributes table | The AnyConnect Custom Attribute table lists the custom attributes, names, and the corresponding values that are assigned to this group policy. AnyConnect custom attributes that are defined on the AnyConnect Custom Attribute tab of the SSL VPN Other Settings page are listed here (see Configuring AnyConnect Custom Attributes (ASA)). Beginning with version 4.7, Security Manager enables you to add Custom Attribute Data to an existing Custom Attribute Type. You can add or remove the custom attributes for a group policy, and configure values for each attribute. For more details, see Add/Edit AnyConnect Custom Attribute Dialog Box. |
ASA Group Policies SSL VPN Settings
Use the SSL VPN Settings to configure attributes that are required for clientless and port forwarding (thin client) access modes to work, including auto signon rules for user access to servers. Auto Signon configures the security appliance to automatically pass SSL VPN user login credentials (username and password) on to internal servers. You can configure multiple auto signon rules.
The Homepage URL policy is supported for the SSL tab in ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select SSL VPN Settings from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Element |
Description |
---|---|
Home Page |
The URL of the SSL VPN home page. The URL is free text. The page is displayed when users log into the VPN. If you do not enter a URL, no home page is displayed. Beginning with version 4.12, Security Manager supports IPv6 address in the Home Page URL for ASA devices running the software version 9.0 or later. The format for the Home Page URL for IPv6 address is: http://[IPv6 address]/appname.The Home page URL should be prefixed with http:// (or) https:// |
Authentication Failure Message |
The message to deliver to a remote user who successfully logs into the VPN but has no VPN privileges, and so can do nothing. The default message is: “Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.” |
Minimum Keepalive Object Size (kilobytes) |
The minimum size (in kilobytes) of an IKE keepalive packet that can be stored in the cache on the security appliance. |
Single Sign On Server |
The name of the single sign on (SSO) server policy object that identifies the server to use for this group, if any. An SSO server allows users to enter their username and password once and then access other servers in the network without logging into each of them. If you configure an SSO server, also configure the auto signon rules table. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Add or Edit Single Sign On Server Dialog Boxes. |
Enable HTTP Compression |
Whether to allow an HTTP compressed object to be cached on the security appliance. |
Auto Signon Rules table |
If you configure a single sign on server, the auto signon rules table contains the rules that determine which internal servers are provided the user’s credentials. Thus, you can provide single sign on for some servers in your network but not others. Each rule is an allow rule, and indicates the IP address, subnet, or Uniform Resource Identifier (URI) that identifies the server, and the type of authentication that will be sent to the server when the user tries to access it (either basic HTML, NTLM, FTP, or all of these). The rules are processed in order, top to bottom, and the first match is applied. Therefore, be sure to order the rules correctly using the up and down arrow buttons. If the user accesses a server that is not identified in one of these rules, the user must log into the server to gain access. Because every matching rule hands the user’s VPN credentials to the server, keep each rule as narrow as the servers it is meant to cover.
|
Portal Page Customization |
The name of the SSL VPN customization policy object that defines the appearance of the portal web page. The portal page allows the remote user access to all the resources available on the SSL VPN network. If you do not specify an object, the default page appearance is used. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring ASA Portal Appearance Using SSL VPN Customization Objects. |
User Storage Location |
The location where personalized user information is stored between clientless SSL VPN sessions. If you do not specify a location, information is not stored between sessions. Stored information is encrypted. Enter a file system designation in the following format: protocol://username:password@host:port/path Where protocol is the protocol of the server, username and password are a valid user account on the server, and host is the name of the server. Also indicate the port number (if you do not use the default for the protocol) and directory path of the location on the server to use. For example: cifs://newuser:12345678@anyfiler02a/new_share Because the username and password are embedded in this string, use a dedicated account whose rights are limited to that share. |
Storage Key Confirm |
The storage key used to protect data stored between sessions. Spaces are not supported. |
Post Max Size |
The maximum size allowed for a posted object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent posting. |
Upload Max Size |
The maximum size allowed for an uploaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent uploading. |
Download Max Size |
The maximum size allowed for a downloaded object. The range is 0 through 2147483647 (which is the default). Specify 0 to prevent downloads. |
Add or Edit Auto Signon Rules Dialog Box
Use the Add or Edit Auto Signon Rules dialog box to configure the Auto Signon rules that the security appliance uses to pass SSL VPN user login credentials on to an internal server.
Navigation Path
Open the ASA Group Policies SSL VPN Settings, then click Create, or select an item in the table and click Edit.
Field Reference
Element |
Description |
||
---|---|---|---|
Allow IP |
Select this option to configure an IPv4 or IPv6 address or subnet for the rule. Any server within this subnet is supplied the specified login credentials. Beginning with version 4.12, Security Manager supports IPv6 addresses for devices running ASA 9.0 or later.
If you want the appliance to send credentials to any internal server the user tries to access, create rules for all of your internal networks. You might be able to do this with a single rule. |
||
Allow URI |
Select this option to configure a Uniform Resource Identifier (URI) for the rule. This identifies the internal server based on URI rather than IP address. For example, https://*.example.com/* creates a rule for all web pages on any server in the example.com domain. Use the asterisk as a wildcard to apply to zero or more characters. |
||
Login Credentials |
Beginning with Security Manager version 4.7, you can select the login username and password from the available variables or macros.
The macros available for username are:
These macros take the following three parameters:
The macros available for password are:
|
||
Authentication Type |
The type of credentials that the security appliance will pass on to the servers covered by this rule: Basic HTML, NTLM (NT LAN Manager) authentication, FTP, or all of these methods. The default option is All. Use the default unless you want to limit logins to a certain type. |
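The ordering and matching behaviour described for the Auto Signon Rules table (first match wins, IP/subnet or wildcard URI, one authentication type per rule) is easy to get wrong in a long table, and a mis-ordered or over-broad rule silently forwards the user's VPN credentials to servers it was never meant to cover. The following is an added example, not Cisco Security Manager or ASA code: an offline model of the rule evaluation that lets you test a proposed table against sample requests before deploying it. The assumption that an IP rule is matched against the internal server's address and a URI rule against the requested URL, and the unbounded-rule heuristic, are the author's, not taken from the page.

```python
"""Offline model of ASA auto signon rule matching (added example, not Cisco code).

Assumptions (labelled): rules are checked top to bottom and the first match
wins; an IP rule matches the address of the internal server being contacted;
a URI rule matches the requested URL with '*' standing for zero or more
characters.  The auth types mirror the dialog: all, basic, ftp, ntlm.
"""
import ipaddress
import re
from dataclasses import dataclass

AUTH_TYPES = ("all", "basic", "ftp", "ntlm")


@dataclass(frozen=True)
class AutoSignonRule:
    kind: str              # "ip" (Allow IP) or "uri" (Allow URI)
    target: str            # CIDR such as "10.20.0.0/16", or a pattern such as "https://*.example.com/*"
    auth_type: str = "all" # Authentication Type; "all" is the dialog's default

    def __post_init__(self):
        if self.kind not in ("ip", "uri"):
            raise ValueError(f"unknown rule kind: {self.kind}")
        if self.auth_type not in AUTH_TYPES:
            raise ValueError(f"unknown auth type: {self.auth_type}")
        if self.kind == "ip":
            ipaddress.ip_network(self.target, strict=False)  # validate early


def uri_pattern_to_regex(pattern):
    """'*' matches zero or more characters; everything else is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule, url, server_ip):
    if rule.kind == "ip":
        net = ipaddress.ip_network(rule.target, strict=False)
        return ipaddress.ip_address(server_ip) in net
    return uri_pattern_to_regex(rule.target).match(url) is not None


def credentials_forwarded(rules, url, server_ip):
    """Auth type whose credentials the appliance would forward for this request,
    or None when no rule matches (the user must log in to the server)."""
    for rule in rules:
        if rule_matches(rule, url, server_ip):
            return rule.auth_type
    return None


def host_part(uri_pattern):
    """Host portion of a URI pattern: the text between '://' and the next '/'."""
    rest = uri_pattern.split("://", 1)[1] if "://" in uri_pattern else uri_pattern
    return rest.split("/", 1)[0]


def unbounded_rules(rules):
    """Indexes of rules that would hand the VPN credentials to any server: an IP
    rule covering every address, or a URI rule whose host portion contains a '*'
    not followed by '.' (so '*' or 'evil*' qualify, while '*.example.com' stays
    inside that domain).  Heuristic for review, not ASA logic."""
    found = []
    for i, rule in enumerate(rules):
        if rule.kind == "ip":
            if ipaddress.ip_network(rule.target, strict=False).prefixlen == 0:
                found.append(i)
            continue
        host = host_part(rule.target)
        if host == "" or any(ch == "*" and host[j + 1:j + 2] != "."
                             for j, ch in enumerate(host)):
            found.append(i)
    return found


if __name__ == "__main__":
    # Constructed sample table; order matters because the first match wins.
    table = [
        AutoSignonRule("uri", "https://*.corp.example.com/*", "ntlm"),
        AutoSignonRule("ip", "10.20.0.0/16", "basic"),
        AutoSignonRule("uri", "ftp://files.example.com/*", "ftp"),
    ]
    print(credentials_forwarded(table, "https://mail.corp.example.com/owa", "10.20.5.9"))
    print(unbounded_rules([AutoSignonRule("uri", "https://*")] + table))
```

Run `unbounded_rules` over a table before pushing it: a rule such as `https://*` placed at the top shadows every more specific rule beneath it and forwards the credentials to any HTTPS server the user browses to through the portal.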
ASA Group Policies Browser Proxy Settings
Use the Browser Proxy settings to configure the proxy server settings that are pushed to the remote client's browser for the duration of the VPN session.
Browser Proxy is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select Browser Proxy from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Element |
Description |
---|---|
Proxy Server Policy |
Select one of the following:
|
Select Proxy Method |
Select one or more of the following:
|
Proxy Server Setting |
Enter the following:
|
Proxy Auto Configuration (PAC) URL |
Specify the URL of the auto-configuration file. This file tells the browser where to look for proxy information. |
Policy Lockdown |
Select Enable to hide the Connections tab in the browser for the duration of an AnyConnect VPN session. Select Disable to leave the display of the Connections tab unchanged. Select None if you do not want to use this option. The default selected option is None. |
ASA Group Policies DNS/WINS Settings
Use the DNS/WINS settings to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA group policy. These settings apply to Easy VPN and remote access IPSec and SSL VPN configurations.
DNS/WINS is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select DNS/WINS from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Element |
Description |
---|---|
Primary IPv4 DNS Server |
The IPv4 address of the primary DNS server for the group. Enter the IPv4 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. You must configure a Primary IPv4 DNS Server before you can configure a Secondary IPv4 DNS Server. |
Secondary IPv4 DNS Server |
The IPv4 address of the secondary DNS server for the group. Enter the IPv4 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. |
Primary IPv6 DNS Server |
The IPv6 address of the primary DNS server for the group. Enter the IPv6 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA devices 9.0 or later. You must configure a Primary IPv6 DNS Server before you can configure a Secondary IPv6 DNS Server. |
Secondary IPv6 DNS Server |
The IPv6 address of the secondary DNS server for the group. Enter the IPv6 address or the name of a network/host object, or click Select to select an object from a list or to create a new object. Beginning with version 4.12, Security Manager supports IPv6 addresses for ASA devices 9.0 or later. |
Primary WINS Server |
The IP address of the primary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object. |
Secondary WINS Server |
The IP address of the secondary WINS server for the group. Enter the IP address or the name of a network/host object, or click Select to select an object from a list or to create a new object. |
DHCP Network Scope |
The scope of the DHCP network for the group. Enter the IP network address or the name of a network/host object, or click Select to select an object from a list or to create a new object. |
Default Domain |
The default domain name for the group. The default, blank, is none. |
ASA Group Policies Split Tunneling Settings
Use the Split Tunneling settings to configure a secure tunnel to the central site and simultaneous clear text tunnels to the Internet. These settings apply to Easy VPN and remote access IPSec and SSL VPN configurations.
Split tunneling lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not bound for destinations on the other side of the tunnel do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination. The split tunneling policy is applied to specific networks.
Split Tunneling is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Tip |
For optimum security, we recommend that you not enable split tunneling. |
Navigation Path
Select Split Tunneling from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Element |
Description |
---|---|
DNS Names |
A list of domain names to be resolved through the split tunnel. All other names are resolved using the public DNS server. If you do not enter a list, the list is inherited from the default group policy. Separate multiple entries with spaces or commas. The entire string can be a maximum of 255 characters. |
Send all DNS traffic through the tunnel |
Whether the AnyConnect client should resolve all DNS addresses through the VPN tunnel (SSL or IPsec/IKEv2). If DNS resolution through the tunnel fails, the address remains unresolved and the AnyConnect client does not try to resolve the address through public DNS servers. If you do not select this option, the client sends DNS queries over the tunnel according to the split tunnel policy specified by the Tunnel Option setting. |
Tunnel Option |
The policy you want to enable for split tunneling:
|
IPv6 Tunnel Option |
Beginning with version 4.10, Security Manager provides support for IPv6 traffic for Split Tunneling from ASA version 9.0. The policy you want to enable for split tunneling:
|
Networks |
The name of a standard, extended, or unified access control list policy object that identifies the networks that require traffic to travel across the tunnel and those that do not require tunneling. Unified ACLs are supported from ASA version 9.0. How permit and deny are interpreted depends on your selection for Tunnel Option. Enter the name of the object, or click Select to select it from a list or to create a new object. If you do not specify an ACL, the network list is inherited from the default group policy. |
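The Tunnel Option, Networks ACL, DNS Names and "Send all DNS traffic through the tunnel" fields interact, and the page's statement that "how permit and deny are interpreted depends on your selection for Tunnel Option" is the part reviewers most often misread. The following is an added example, not Cisco code: an offline model of the decision a client makes for a destination address and for a DNS lookup under each Tunnel Option, so that a proposed policy can be checked against sample destinations before it is deployed. The interpretation of permit and deny entries (first match wins; under tunnelspecified a permit entry is tunneled, under excludespecified a permit entry is sent in clear, and deny or no match gives the opposite) is the author's reading of ASA behaviour, and real AnyConnect route installation has nuances (overlapping routes, local LAN access) that this model does not reproduce.

```python
"""Offline model of ASA split-tunnel decisions (added example, not Cisco code).

Assumptions (labelled): the Networks ACL is walked top to bottom and the first
matching entry wins.  Under tunnelspecified a permit entry means 'send over the
tunnel'; under excludespecified a permit entry means 'send in clear'; a deny
entry or no match gives the opposite result.  tunnelall ignores the ACL.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

TUNNEL_ALL = "tunnelall"
TUNNEL_SPECIFIED = "tunnelspecified"
EXCLUDE_SPECIFIED = "excludespecified"


@dataclass(frozen=True)
class AclEntry:
    action: str                                            # "permit" or "deny"
    network: ipaddress.IPv4Network | ipaddress.IPv6Network


@dataclass(frozen=True)
class SplitTunnelPolicy:
    tunnel_option: str
    networks: tuple = ()                  # ordered AclEntry objects (the Networks ACL)
    dns_names: tuple = ()                 # DNS Names: domains resolved through the tunnel
    all_dns_through_tunnel: bool = False  # "Send all DNS traffic through the tunnel"


def parse_acl(lines):
    """Parse constructed 'permit 10.0.0.0/8' style lines into AclEntry objects."""
    entries = []
    for line in lines:
        action, cidr = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad ACL action: {action}")
        entries.append(AclEntry(action, ipaddress.ip_network(cidr, strict=False)))
    return tuple(entries)


def first_match(entries, dst):
    """Action of the first ACL entry containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    for entry in entries:
        if addr.version == entry.network.version and addr in entry.network:
            return entry.action
    return None


def route(policy, dst):
    """Return 'tunnel' or 'clear' for one destination address."""
    if policy.tunnel_option == TUNNEL_ALL:
        return "tunnel"
    matched = first_match(policy.networks, dst)
    if policy.tunnel_option == TUNNEL_SPECIFIED:
        return "tunnel" if matched == "permit" else "clear"
    if policy.tunnel_option == EXCLUDE_SPECIFIED:
        return "clear" if matched == "permit" else "tunnel"
    raise ValueError(f"unknown tunnel option: {policy.tunnel_option}")


def dns_via_tunnel(policy, hostname):
    """Is this name resolved by the VPN DNS servers rather than public DNS?"""
    if policy.tunnel_option == TUNNEL_ALL or policy.all_dns_through_tunnel:
        return True
    host = hostname.lower().rstrip(".")
    domains = (name.lower().rstrip(".") for name in policy.dns_names)
    return any(host == d or host.endswith("." + d) for d in domains)


def clear_text_destinations(policy, samples):
    """Sampled destinations that bypass the tunnel: the list to review before
    enabling split tunneling at all (see the Tip above)."""
    return [dst for dst in samples if route(policy, dst) == "clear"]


if __name__ == "__main__":
    # Constructed ACL: the deny sits above the broader permit, so it wins for 10.10.99.0/24.
    acl = parse_acl(["deny 10.10.99.0/24", "permit 10.0.0.0/8", "permit 192.168.0.0/16"])
    spec = SplitTunnelPolicy(TUNNEL_SPECIFIED, acl, dns_names=("corp.example.com",))
    print(clear_text_destinations(spec, ["10.1.2.3", "10.10.99.7", "8.8.8.8", "2001:db8::1"]))
```

Note that the same ACL gives opposite results under tunnelspecified and excludespecified, and that an IPv4-only ACL under tunnelspecified sends all IPv6 traffic in clear unless the IPv6 Tunnel Option is set separately.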
ASA Group Policies Connection Settings
Use the Connection Settings to configure the connection characteristics for the ASA group policy, including access control and session timeouts. These settings are used for Easy VPN and remote access IPsec or SSL VPN sessions.
Connection Settings is supported for ASA 9.5(2) Remote Access VPN in Multi-context mode.
Navigation Path
Select Connection Settings from the table of contents in the ASA Group Policies Dialog Box.
Field Reference
Element |
Description |
---|---|
Filter ACL |
The name of the extended access control list (ACL) policy object to use for filtering traffic on the VPN connection. The ACL determines which traffic is permitted or denied. Enter the name of the object or click Select to select it from a list or to create a new object. Beginning with version 4.10 and ASA version 9.0, you can select from a list of Standard, Extended, or Unified ACL objects. This ACL does not apply to clientless SSL VPN connections. |
Banner Text |
The banner, or welcome text, to display on remote clients when they connect to the VPN.
|
IPv4 Address Pools |
Specifies the name of one or more IPv4 address pools to use for this group policy. Enter the names of the IPv4 address pool objects separated by a comma, or click Select to select the objects from a list or to create a new object. |
IPv6 Address Pools |
Specifies the name of one or more IPv6 address pools to use for this group policy. Enter the names of the IPv6 address pool objects separated by a comma, or click Select to select the objects from a list or to create a new object. Beginning with version 4.12, Security Manager supports IPv6 address pools for ASA devices 9.0 or later. |
Access hours |
The name of a time range policy object that specifies the times that users are allowed to access the VPN. If you do not specify a time range, users can access the VPN at all times. Specify a time range if you want to limit access to the network to certain hours, such as the typical work days and work hours for your organization. Enter the name of the object or click Select to select it from a list or to create a new object. For more information, see Configuring Time Range Objects. |
Max Simultaneous Logins |
The number of simultaneous logins a single user is allowed. Values are 0-2147483647. The default is 3. Specify 0 to disable logins and prevent user access. |
Max Connection Time |
The maximum amount of time a user is allowed to be connected to the VPN. Select one of the following:
|
Idle Timeout |
The amount of time a user is allowed to be connected to the VPN while the connection is idle, that is, there is no communication activity. Select one of the following:
|
VLAN Mapping VLAN ID |
The VLAN ID value can be between 1 and 4094 and must correspond to a VLAN interface on the ASA. The VLAN mapping feature on the ASA allows for traffic from VPN connections to be directed to a specified VLAN interface. Beginning with Cisco Security Manager version 4.10 and ASA version 9.5(1), you can assign IPv6 addresses to remote users. Beginning with Cisco Security Manager version 4.17, you can configure VLAN on ASA 9.9(2) or later multi-context devices. |