Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

Cisco ASA5500 Easy VPN hardware client (connecting with IPsec/IKEv1)

Cisco VPN 3002 hardware client (connecting with IPsec/IKEv1)

We also provide a default group policy named DfltGrpPolicy.

To configure a remote-access connection profile, first configure the tunnel-group general attributes,
then the remote-access attributes. See the following sections:

Specifying a Name and Type for the Remote Access Connection Profile, page 67-8

Configuring Remote-Access Connection Profile General Attributes, page 67-8

Configuring Double Authentication, page 67-12

Configuring Remote-Access Connection Profile IPsec IKEv1 Attributes, page 67-13

Configuring IPsec Remote-Access Connection Profile PPP Attributes, page 67-15

Specifying a Name and Type for the Remote Access Connection Profile

Create the connection profile, specifying its name and type, by entering the tunnel-group command. For
a remote-access tunnel, the type is remote-access:

hostname(config)# tunnel-group tunnel_group_name type remote-access

hostname(config)#

For example, to create a remote-access connection profile named TunnelGroup1, enter the following
command:

hostname(config)# tunnel-group TunnelGroup1 type remote-access

hostname(config)#

Configuring Remote-Access Connection Profile General Attributes

To configure or change the connection profile general attributes, specify the parameters in the following
steps.

Step 1

To configure the general attributes, enter the tunnel-group general-attributes command, which enters
tunnel-group general-attributes configuration mode. The prompt changes to indicate the change in mode.

hostname(config)# tunnel-group tunnel_group_name general-attributes

hostname(config-tunnel-general)#

Step 2

Specify the name of the authentication-server group, if any, to use. To fall back to the LOCAL
database for authentication when the specified server group fails, append the keyword LOCAL:

hostname(config-tunnel-general)# authentication-server-group [(interface_name)] groupname [LOCAL]

hostname(config-tunnel-general)#

The name of the authentication server group can be up to 16 characters long.

You can optionally configure interface-specific authentication by including the name of an interface after
the group name. The interface name, which specifies where the tunnel terminates, must be enclosed in
parentheses. The following command configures interface-specific authentication for the interface
named test using the server named servergroup1 for authentication:

hostname(config-tunnel-general)# authentication-server-group (test) servergroup1

hostname(config-tunnel-general)#
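The following Python sketch is an added example, not part of the Cisco guide. It reads a saved configuration and reports, for each remote-access connection profile, which authentication-server groups it uses, whether each has the LOCAL fallback, and whether a group name exceeds the 16-character limit. It assumes sub-mode commands are indented by a leading space in the saved configuration; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the guide); all names are illustrative.
SAMPLE_CONFIG = """\
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 authentication-server-group (test) servergroup1
 authentication-server-group servergroup2 LOCAL
tunnel-group TunnelGroup2 type remote-access
tunnel-group TunnelGroup2 general-attributes
 authentication-server-group averyveryverylongservergroup
tunnel-group TunnelGroup3 type remote-access
tunnel-group 192.0.2.1 type ipsec-l2l
"""

TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
GENERAL_RE = re.compile(r"^tunnel-group (\S+) general-attributes$")
# Syntax from the guide: authentication-server-group [(interface_name)] groupname [LOCAL]
AUTH_RE = re.compile(r"^ +authentication-server-group(?: \((\S+)\))? (\S+)( LOCAL)?$")

def audit_remote_access_profiles(config_text):
    """Map each remote-access profile to its server groups and review notes."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        line = line.rstrip()
        if m := TYPE_RE.match(line):
            current = None
            if m.group(2) == "remote-access":
                profiles[m.group(1)] = {"servers": [], "notes": []}
        elif m := GENERAL_RE.match(line):
            current = profiles.get(m.group(1))  # None for other tunnel types
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the sub-mode
        elif current is not None and (m := AUTH_RE.match(line)):
            iface, group = m.group(1), m.group(2)
            # LOCAL named as the group itself needs no separate fallback
            local = bool(m.group(3)) or group == "LOCAL"
            current["servers"].append(
                {"interface": iface, "group": group, "local_fallback": local})
            if len(group) > 16:
                current["notes"].append(f"group name '{group}' exceeds 16 characters")
            if not local:
                scope = f"interface {iface}" if iface else "all interfaces"
                current["notes"].append(f"no LOCAL fallback for {group} ({scope})")
    for entry in profiles.values():
        if not entry["servers"]:
            entry["notes"].append("no authentication-server-group line")
    return profiles
```

Whether a missing LOCAL fallback is acceptable depends on site policy; the notes only record what the configuration states so that a reviewer can compare it against that policy.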
