Cisco ASA 5505 User Manual

Page 1470


67-44

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

The following example shows how to set the vpn-session-timeout alert-interval so that users will be notified 20 minutes before their VPN session is disconnected. You can specify a range of 1-30 minutes.

hostname(config-webvpn)# vpn-session-timeout alert-interval 20

The none parameter of the command indicates that users will not receive an alert.

The no form of the command, no vpn-session-timeout alert-interval, indicates that the VPN session timeout alert-interval attribute will be inherited from the Default Group Policy.

Step 7

Choose one of the following options to specify an egress VLAN (also called “VLAN mapping”) for remote access or specify an ACL to filter the traffic:

Enter the following command in group-policy configuration mode to specify the egress VLAN for remote access VPN sessions assigned to this group policy or to a group policy that inherits this group policy:

hostname(config-group-policy)# [no] vlan {vlan_id | none}

no vlan removes the vlan_id from the group policy. The group policy inherits the vlan value from the default group policy.

vlan none removes the vlan_id from the group policy and disables VLAN mapping for this group policy. The group policy does not inherit the vlan value from the default group policy.

vlan_id in the command vlan vlan_id is the number of the VLAN, in decimal format, to assign to remote access VPN sessions that use this group policy. The VLAN must be configured on this ASA per the instructions in the “Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 6-30.

none disables the assignment of a VLAN to the remote access VPN sessions that match this group policy.

Note

The egress VLAN feature works for HTTP connections, but not for FTP and CIFS.

Specify the name of the ACL to apply to the VPN session, using the vpn-filter command in group-policy mode. (You can also configure this attribute in username mode, in which case the value configured under username supersedes the group-policy value.)

hostname(config-group-policy)# vpn-filter {value ACL name | none}
hostname(config-group-policy)#

You configure ACLs to permit or deny various types of traffic for this group policy. You then enter
the vpn-filter command to apply those ACLs.

To remove the ACL, including a null value created by entering the vpn-filter none command, enter
the no form of this command. The no option allows inheritance of a value from another group policy.

A group policy can inherit this value from another group policy. To prevent inheriting a value, enter
the none keyword instead of specifying an ACL name. The none keyword indicates that there is no
access list and sets a null value, thereby disallowing an access list.

The following example shows how to set a filter that invokes an access list named acl_vpn for the
group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-filter acl_vpn
hostname(config-group-policy)#
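The no-versus-none distinction described above for vpn-session-timeout alert-interval, vlan and vpn-filter is easy to get wrong when auditing a running configuration: an attribute that is simply absent from a group policy is inherited from the default group policy, while an attribute set to none is deliberately empty and inherits nothing. The following script is an added example, not part of the Cisco guide, that resolves the effective value of these three attributes from a constructed show running-config excerpt and lists the group policies whose VPN sessions end up with no vpn-filter ACL at all. The policy and ACL names in the sample are invented, and the name of the built-in default group policy, DfltGrpPolicy, is the name used on the appliance rather than one taken from this page.

```python
"""Resolve effective ASA group-policy attributes, honouring the difference
between an absent attribute (inherited) and an explicit 'none' (not inherited)."""
import re
from typing import Dict, List, Optional

# Constructed excerpt of a 'show running-config'. Policy and ACL names are
# invented for this example.
SAMPLE_CONFIG = """\
access-list acl_default extended deny ip any any
access-list acl_vpn extended permit tcp any host 10.0.0.10 eq 443
group-policy DfltGrpPolicy attributes
 vpn-filter value acl_default
 vlan none
 vpn-session-timeout alert-interval 30
group-policy FirstGroup internal
group-policy FirstGroup attributes
 vpn-filter value acl_vpn
 vlan 100
group-policy SecondGroup internal
group-policy SecondGroup attributes
 vpn-filter none
group-policy ThirdGroup internal
group-policy ThirdGroup attributes
 vpn-session-timeout alert-interval 20
"""

# Built-in default group policy on the ASA (assumed name, not from the page).
DEFAULT_POLICY = "DfltGrpPolicy"
ATTRS = ("vpn-filter", "vlan", "vpn-session-timeout alert-interval")

Policies = Dict[str, Dict[str, Optional[str]]]


def parse_group_policies(config: str) -> Policies:
    """Return {policy_name: {attribute: value}}.

    A value of None records an explicit 'none'; an attribute that does not
    appear in a policy's block is simply not recorded, so that inheritance
    can be resolved later."""
    policies: Policies = {}
    current: Optional[Dict[str, Optional[str]]] = None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
            continue
        body = line.strip()
        for attr in ATTRS:
            if body.startswith(attr + " "):
                tokens = body[len(attr):].split()
                # 'vpn-filter value NAME' carries the keyword 'value'; drop it
                if tokens and tokens[0] == "value":
                    tokens = tokens[1:]
                current[attr] = None if tokens == ["none"] else " ".join(tokens)
    return policies


def effective(policies: Policies, name: str, attr: str) -> Optional[str]:
    """Effective value of attr for group policy name.

    An explicitly configured value wins; an explicit 'none' (stored as None)
    stops inheritance; an absent attribute falls back to the default policy."""
    block = policies.get(name, {})
    if attr in block:
        return block[attr]
    if name == DEFAULT_POLICY:
        return None  # nothing further to inherit from
    return effective(policies, DEFAULT_POLICY, attr)


def unfiltered_policies(policies: Policies) -> List[str]:
    """Group policies whose sessions are not restricted by any vpn-filter ACL."""
    return sorted(n for n in policies if effective(policies, n, "vpn-filter") is None)


if __name__ == "__main__":
    parsed = parse_group_policies(SAMPLE_CONFIG)
    for policy in sorted(parsed):
        print(policy, {a: effective(parsed, policy, a) for a in ATTRS})
    print("no vpn-filter ACL:", unfiltered_policies(parsed))
```

Run against the sample, ThirdGroup inherits acl_default and the 30-minute alert interval from the default policy while keeping its own 20-minute setting, FirstGroup keeps acl_vpn and VLAN 100, and SecondGroup is reported as unfiltered because vpn-filter none sets a null value that blocks inheritance of the default ACL.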
