Cisco Systems CL-28826-01 Security Camera User Manual


30-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Configuring Group Policies for Remote Access VPNs
Tip: Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Each row in the table represents an ASA group policy object, displaying the name of the policy object
assigned to the remote access VPN connection profile, whether it is stored on the ASA device itself
(Internal) or on an AAA server (External), and whether the group is for IKEv1 (IPsec), IKEv2 (IPsec),
SSL, or all types of VPN. For external groups, the protocol is unknown and listed as N/A.
To add an ASA group policy object, click the Add Row button. This opens an object selector, from
which you can select an existing policy object or click the Create button to create a new object. For
more information about creating group policies, see Creating Group Policies (ASA, PIX 7.0+),
page 30-23.
Note: You cannot create more than one group policy that includes DfltGrpPolicy in its name.
DfltGrpPolicy is the default policy defined on the device; if Security Manager discovers the
group during remote access policy discovery, the group appears in the list under the name
<device_display_name>DfltGrpPolicy. When you deploy the configuration to the device,
the display name prefix is removed so that DfltGrpPolicy is updated correctly. For more
information, see Discovering Remote Access VPN Policies, page 29-12.
To edit an object, select it and click the Edit Row button to open the ASA Group Policies Dialog
Box, page 33-1.
To delete an object from the policy, select it and click the Delete Row button. The associated policy
objects are not deleted; they are only removed from this policy.
Note: You cannot delete the default group policy.
Navigation Path
(Device view) Select an ASA device, then select Remote Access VPN > Group Policies from the
Policy selector.
(Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy selector. Select
an existing policy or create a new one.
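
The table rows described above (policy name, Internal or External storage, protocol, with N/A for external groups) can be rebuilt from a device's running configuration when reviewing remote access settings outside Security Manager. This Python sketch is an added example, not part of the Cisco guide; the ASA CLI keywords it parses (`group-policy ... internal|external|attributes`, `vpn-tunnel-protocol`) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample of ASA running-config lines (assumed syntax, not from the guide).
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
group-policy Engineering internal
group-policy Engineering attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-policy tunnelspecified
group-policy Contractors internal
group-policy Contractors attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy Partners external server-group RADIUS-1 password example-only
"""

PROTOCOL_LABELS = {"ikev1": "IKEv1 (IPsec)", "ikev2": "IKEv2 (IPsec)",
                   "ssl-client": "SSL", "ssl-clientless": "SSL"}

def group_policy_rows(config):
    """Return [(name, storage, protocols)] sorted by policy name."""
    storage, protocols, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) (internal|external|attributes)\b", line)
        if m:
            name, kind = m.groups()
            if kind == "attributes":
                current = name
                # Assumption: a policy seen only via its attributes block is internal.
                storage.setdefault(name, "Internal")
            else:
                current = None
                storage[name] = kind.capitalize()
        elif line.startswith(" ") and current:
            words = line.split()
            if words[:1] == ["vpn-tunnel-protocol"]:
                protocols[current] = {PROTOCOL_LABELS[w] for w in words[1:] if w in PROTOCOL_LABELS}
        else:
            current = None
    rows = []
    for name in sorted(storage):
        if storage[name] == "External":
            shown = "N/A"  # attributes are held on the AAA server, so the protocol is unknown
        else:
            labels = protocols.get(name, set())
            shown = "All" if len(labels) == 3 else ", ".join(sorted(labels)) or "Not set"
        rows.append((name, storage[name], shown))
    return rows
```

Comparing this output against the Group Policies table is a quick way to spot a policy that permits more tunnel protocols than intended.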
Understanding Group Policies (ASA)
When you configure a remote access IPsec or SSL VPN connection, you must create user groups to
which remote clients will belong. A user group policy is a set of user-oriented attribute/value pairs for
remote access VPN connections that are stored either internally (locally) on the device or externally on
an AAA server. The connection profile uses a user group policy that sets terms for user connections after
the connection is established. Group policies let you apply whole sets of attributes to a user or a group
of users, rather than having to specify each attribute individually for each user.
Tip: Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
An ASA user group comprises the following attributes: