Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Configuring Group Policies for Remote Access VPNs
Step 1 Do one of the following:
• (Device view) With an ASA or PIX 7.0+ device selected, select Remote Access VPN > Group
  Policies from the Policy selector.
• (Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy Type selector.
  Select an existing policy or create a new one.
The Group Policies page opens. The table lists the existing group policies, whether they are defined
internally on the device or externally on a AAA server, and the protocol for the group: IKEv1 (IPsec),
IKEv2 (IPsec), or SSL.
Step 2 Click Add Row (+) to open a dialog box from which you can select a user group from a list of predefined
ASA user group objects, or create new ones if necessary. To create a new group, click the Create (+)
button in the dialog box.
Step 3 Select the required ASA user group from the list and click OK. If the required group already exists, you
are finished.
If the required ASA user group does not exist, create it by clicking Create (+). The Add ASA User Group
dialog box appears, displaying a list of settings that you can configure for the ASA user group object.
For a description of the elements on this dialog box, see ASA Group Policies Dialog Box, page 33-1.
Step 4 Enter a name for the object and optionally a description of the object.
Step 5 Select whether to store the ASA user group’s attributes and values locally on the device, or on an external
server.
Note: If you chose to store the ASA user group’s attributes on an external server, you do not need to
configure any Technology settings. After you specify the AAA server group that will be used for
authentication and a password to the AAA server, click OK, then select the group in the
object selector and click OK to add it to the policy.
Step 6 If you chose to store the ASA user group’s attributes locally on the device, select the type of VPN for
which you are creating the ASA user group from the Technology list:
• Easy VPN/IPSec IKEv1—For remote access IPsec VPNs that use IKE version 1 negotiations.
• Easy VPN/IPSec IKEv2—(ASA only.) For remote access IPsec VPNs that use IKE version 2
  negotiations.
• SSL Clientless—(ASA only.) For SSL VPNs, all access modes (not just clientless).
Step 7 To configure the user group for Easy VPN/IPSec IKEv1 and Easy VPN/IPSec IKEv2, from the Easy
VPN/IPSec VPN folder in the Settings pane:
a. Select Client Configuration to configure the Cisco client parameters. For a description of these
settings, see ASA Group Policies Client Configuration Settings, page 33-4.
b. Select Client Firewall Attributes to configure the firewall settings for VPN clients. For a
description of these settings, see ASA Group Policies Client Firewall Attributes, page 33-5.
c. Select Hardware Client Attributes to configure the VPN 3002 Hardware Client settings. For a
description of these settings, see ASA Group Policies Hardware Client Attributes, page 33-7.
d. Select IPsec to specify tunneling protocols, filters, connection settings, and servers. For a
description of these settings, see ASA Group Policies IPSec Settings, page 33-8.
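
After the policy is deployed, the result can be checked on the device itself. The following added example (not part of the Cisco guide) parses `show running-config group-policy` output and rebuilds the columns of the Group Policies table described in Step 1: policy name, internal or external storage, and protocol. The policy names, the AAA server group name, and the sample configuration are constructed, and the mapping of CLI keywords to the table's protocol labels is an assumption.

```python
import re

# Constructed sample of `show running-config group-policy` output (not from the guide).
SAMPLE_CONFIG = """\
group-policy RA-STAFF internal
group-policy RA-STAFF attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
group-policy RA-PARTNER external server-group AAA-RADIUS password PLACEHOLDER
group-policy RA-LEGACY internal
group-policy RA-LEGACY attributes
 vpn-tunnel-protocol ikev1
"""

# Assumed mapping from CLI keywords to the protocol labels used on the Group Policies page.
LABELS = {"ikev1": "IKEv1 (IPsec)", "ikev2": "IKEv2 (IPsec)",
          "ssl-client": "SSL", "ssl-clientless": "SSL"}
DEF_RE = re.compile(r"^group-policy (\S+) (internal|external)\b")
ATTR_RE = re.compile(r"^group-policy (\S+) attributes\s*$")


def _entry(policies, name):
    return policies.setdefault(name, {"storage": "unknown", "protocols": []})


def parse_group_policies(config_text):
    """Return {name: {"storage": ..., "protocols": [...]}} in config order."""
    policies, current = {}, None
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # top-level command ends any attributes block
            current = None
            if m := DEF_RE.match(line):
                _entry(policies, m.group(1))["storage"] = m.group(2)
            elif m := ATTR_RE.match(line):
                current = _entry(policies, m.group(1))
            continue
        words = line.split()
        if current is not None and words[0] == "vpn-tunnel-protocol":
            for keyword in words[1:]:
                label = LABELS.get(keyword, keyword)   # unmapped keywords pass through
                if label not in current["protocols"]:
                    current["protocols"].append(label)
    return policies


if __name__ == "__main__":
    for name, info in parse_group_policies(SAMPLE_CONFIG).items():
        # External policies keep their attributes on the AAA server, so none are listed here.
        print(f"{name:12} {info['storage']:9} {', '.join(info['protocols']) or '-'}")
```

Comparing this output with the Group Policies table in Security Manager shows whether the device is still running what was deployed.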