Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Group Policies
Fields
The following attributes appear in the Add Internal Group Policy > General dialog box. Some apply to
SSL VPN (AnyConnect) and IPsec sessions, others to clientless SSL VPN sessions, so a given attribute
may be present for one type of session but not the other.
• Name—Specifies the name of this group policy up to 64 characters; spaces are allowed. For the Edit
function, this field is read-only.
• Banner—Specifies the banner text to present to users at login. The length can be up to 491
characters. There is no default value.
The IPsec VPN client supports full HTML for the banner. However, the clientless portal and the
AnyConnect client support only partial HTML. To ensure the banner displays properly to remote users,
follow these guidelines:
– For IPsec client users, use the /n tag.
– For AnyConnect client users, use the <BR> tag.
– For clientless users, use the <BR> tag.
• Address Pools—(Network (Client) Access only) Specifies the name of one or more address pools to
use for this group policy.
• Select—(Network (Client) Access only) Opens the Select Address Pools dialog box, which shows
the pool name, starting and ending addresses, and subnet mask of address pools available for client
address assignment and lets you select, add, edit, delete, and assign entries from that list.
• IPv6 Address Pools—Specifies the name of one or more IPv6 address pools to use for this group
policy. The Select button following this field opens the Select Address Pools dialog box, as
previously described.
• More Options—Displays additional configurable options for this group policy.
• Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can connect only
with the selected protocols; leave unselected any protocol the group does not need. The choices are as
follows:
– Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to
establish a secure remote-access tunnel to an ASA; it requires neither a software nor a hardware
client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources,
including corporate websites, web-enabled applications, NT/AD file shares (web-enabled),
e-mail, and other TCP-based applications from almost any computer that can reach HTTPS
Internet sites.
– SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL
VPN client. If you are using the AnyConnect client, you must choose this protocol for MUS to
be supported.
– IPsec IKEv1—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the
most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and
Cisco VPN client-to-LAN connections can use IPsec IKEv1.
– IPsec IKEv2—Supported by the AnyConnect Secure Mobility Client. AnyConnect connections
using IPsec with IKEv2 provide advanced features such as software updates, client profiles,
GUI localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy.
– L2TP over IPsec—Allows remote users with the VPN clients built into several common PC
and mobile PC operating systems to establish secure connections over the public IP network
to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701)
to tunnel the data. The security appliance must be configured for IPsec transport mode.
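The ASDM fields above map directly onto the group-policy attribute commands on the ASA CLI. The fragment below is an added example, not configuration taken from this guide; the policy, pool and tunnel-group names (RA-POLICY, RA-POOL4, RA-POOL6, RA-TUNNEL) and the 10.10.10.0/24 and 2001:db8:10::/64 address ranges are illustrative assumptions. It shows a policy that enables only the protocols this group actually needs (AnyConnect over SSL and IKEv2), which is the setting a practitioner should prefer over selecting every protocol in the dialog.

```cisco
! Address pools referenced by the Address Pools / IPv6 Address Pools fields
! (example ranges, chosen for illustration)
ip local pool RA-POOL4 10.10.10.10-10.10.10.250 mask 255.255.255.0
ipv6 local pool RA-POOL6 2001:db8:10::/64 200

! Internal group policy: the "Name" field in the Add Internal Group Policy dialog
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 ! "Banner" field. Each banner value line is concatenated into one banner;
 ! <BR> renders as a line break for AnyConnect and clientless users.
 banner value Authorized users only.<BR>
 banner value Activity on this system is monitored.
 ! "Address Pools" and "IPv6 Address Pools" fields
 address-pools value RA-POOL4
 ipv6-address-pools value RA-POOL6
 ! "Tunneling Protocols" check boxes. Only what this group needs is listed:
 ! ssl-client  = SSL VPN Client (AnyConnect)
 ! ikev2       = IPsec IKEv2 (AnyConnect)
 ! Omitted on purpose: ikev1, l2tp-ipsec, ssl-clientless.
 vpn-tunnel-protocol ssl-client ikev2

! Attach the policy to the connection profile users land on
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 address-pool RA-POOL4
 default-group-policy RA-POLICY
```

After applying the fragment, `show running-config group-policy RA-POLICY` confirms the attributes, and a user whose client attempts an unselected protocol (for example an IKEv1 client against this group) is refused rather than silently downgraded. If a pool is also set on the tunnel-group, as here, that tunnel-group pool takes precedence over the group-policy pool, so keep the two consistent.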