Cisco Systems OL-16647-01 Network Router User Manual


35-11
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
Group Policies
Adding or Editing a Site-to-Site Internal Group Policy
The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings,
and servers for the group policy being added or modified. For each of the fields on this window, checking
the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit
is the default value for all of the attributes on this dialog box.
Fields
The following attributes appear in the Add Internal Group Policy > General window. Some apply to SSL
VPN and IPSec sessions, others to clientless SSL VPN sessions; several are therefore present for one type
of session but not the other.
Name—Specifies the name of this group policy. For the Edit function, this field is read-only.
Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:
    Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to a security appliance; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
    SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL VPN client.
    IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and client-to-LAN connections can use IPSec.
    L2TP/IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.
Note If you do not select a protocol, an error message appears.
Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Group Policy window.
Manage—Displays the ACL Manager window, with which you can add, edit, and delete Access Control Lists (ACLs) and Access Control Entries (ACEs). For more information about the ACL Manager, see the online Help for that window.
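The CLI that ASDM generates for the fields above, shown here as an added example that is not taken from this guide: a filter ACL, a reusable time range (see Browse Time Range below), one site-to-site group policy restricted to IPSec, and one remote-access policy for L2TP/IPSec with the required transport-mode transform set. Policy, ACL and time-range names and all addresses are constructed placeholders, and the syntax is the pre-8.4 ASA form (`IPSec`, `l2tp-ipsec`, `svc`, `webvpn` keywords); check it against your release before use.

```cisco
! Filter ACL referenced by the group policy's Filter field.
! Caveat: vpn-filter ACLs are evaluated with the remote peer as the
! source and the local network as the destination, so write rules from
! the far side of the tunnel inward. Addresses are constructed samples.
access-list VPN-FILTER-SITE-A extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-list VPN-FILTER-SITE-A extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 445
access-list VPN-FILTER-SITE-A extended deny ip any any log

! Reusable time range (Browse Time Range): weekdays 07:00-19:00,
! expiring at the end of 2009 (constructed dates).
time-range BUSINESS-HOURS
 periodic weekdays 7:00 to 19:00
 absolute end 23:59 31 December 2009

! Site-to-site internal group policy. Only the listed tunneling protocol
! is allowed; any attribute not set here inherits from DfltGrpPolicy,
! which is what the Inherit check boxes in ASDM express.
group-policy SITE-A-GP internal
group-policy SITE-A-GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VPN-FILTER-SITE-A
 vpn-access-hours value BUSINESS-HOURS

! Remote-access policy for L2TP/IPSec clients. The transform set bound to
! the dynamic crypto map must use transport mode, as the field note states.
group-policy RA-L2TP-GP internal
group-policy RA-L2TP-GP attributes
 vpn-tunnel-protocol l2tp-ipsec
 vpn-filter value VPN-FILTER-SITE-A
crypto ipsec transform-set TRANS-L2TP esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS-L2TP mode transport
```

Omitting `vpn-filter` from a policy inherits the default policy's filter, which is unrestricted unless you have set one on DfltGrpPolicy.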
Browse Time Range
Use the Browse Time Range dialog box to add, edit, or delete a time range. A time range is a reusable
component that defines starting and ending times that can be applied to a group policy. After defining a
time range, you can select the time range and apply it to different options that require scheduling. For