Configuring backup server attributes – Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
have direct access to devices on the private network behind the hardware client over the tunnel, and only 
over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, 
either side can initiate data exchange.
Enable network extension mode for hardware clients by entering the nem command with the enable 
keyword in group-policy configuration mode:
hostname(config-group-policy)# nem {enable | disable}
hostname(config-group-policy)# no nem
To disable NEM, enter the disable keyword. To remove the NEM attribute from the running 
configuration, enter the no form of this command. This option allows inheritance of a value from another 
group policy.
The following example shows how to set NEM for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# nem enable
Configuring Backup Server Attributes
Configure backup servers if you plan on using them. IPsec backup servers let a VPN client connect to 
the central site when the primary ASA is unavailable. When you configure backup servers, the ASA 
pushes the server list to the client as the IPsec tunnel is established. Backup servers do not exist until 
you configure them, either on the client or on the primary ASA.
Configure backup servers either on the client or on the primary ASA. If you configure backup servers 
on the ASA, it pushes the backup server policy to the clients in the group, replacing the backup server 
list on the client if one is configured.
Note
If you are using hostnames, it is wise to have backup DNS and WINS servers on a separate network from 
that of the primary DNS and WINS servers. Otherwise, if clients behind a hardware client obtain DNS 
and WINS information from the hardware client via DHCP, and the connection to the primary server is 
lost, and the backup servers have different DNS and WINS information, clients cannot be updated until 
the DHCP lease expires. In addition, if you use hostnames and the DNS server is unavailable, significant 
delays can occur.
To configure backup servers, enter the backup-servers command in group-policy configuration mode:
hostname(config-group-policy)# backup-servers {server1 server2... server10 | clear-client-config | keep-client-config}
To remove a backup server, enter the no form of this command with the backup server specified. To 
remove the backup-servers attribute from the running configuration and enable inheritance of a value for 
backup-servers from another group policy, enter the no form of this command without arguments.
hostname(config-group-policy)# no backup-servers [server1 server2... server10 | clear-client-config | keep-client-config]
The clear-client-config keyword specifies that the client uses no backup servers. The ASA pushes a null 
server list.
The keep-client-config keyword specifies that the ASA sends no backup server information to the client. 
The client uses its own backup server list, if configured. This is the default.
The server1 server2... server10 parameter list is a space-delimited, priority-ordered list of servers for 
the VPN client to use when the primary ASA is unavailable. This list identifies servers by IP address or 
hostname. The list can be 500 characters long, and it can contain up to 10 entries.
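
The following audit script is an added example, not part of the Cisco guide. It checks the backup-servers setting of each group policy in a saved configuration against the limits and keywords described above, and flags hostname entries, which depend on DNS as the Note explains. The names audit_backup_servers, is_ip and SAMPLE_CONFIG are hypothetical, the sample configuration is constructed, and the script assumes that sub-commands appear indented under each "group-policy <name> attributes" line and that the 500-character limit counts the list as typed, spaces included.

```python
import ipaddress
MAX_ENTRIES, MAX_CHARS = 10, 500   # limits stated in the guide text above
KEYWORDS = {"clear-client-config", "keep-client-config"}
# Constructed sample (not from a real device); sub-commands assumed indented.
SAMPLE_CONFIG = """\
group-policy FirstGroup attributes
 nem enable
 backup-servers 10.10.10.1 192.168.10.14
group-policy Branch attributes
 backup-servers vpn2.example.com 10.10.10.1
group-policy Kiosk attributes
 backup-servers clear-client-config
group-policy Lab attributes
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_backup_servers(config_text):
    """Map each group policy name to a list of findings about backup-servers."""
    report, current = {}, None
    for line in config_text.splitlines():
        words = line.split()
        if line.startswith("group-policy ") and words[-1] == "attributes":
            current = words[1]
            report[current] = ["not set here: value is inherited"]
        elif current and line.startswith(" ") and words[:1] == ["backup-servers"]:
            args, findings = words[1:], []
            if len(args) == 1 and args[0] in KEYWORDS:
                findings.append("keyword: " + args[0])
            else:
                if KEYWORDS & set(args):
                    findings.append("error: keyword mixed with server list")
                if len(args) > MAX_ENTRIES:
                    findings.append("error: more than 10 entries")
                if len(" ".join(args)) > MAX_CHARS:
                    findings.append("error: list longer than 500 characters")
                names = [a for a in args if not is_ip(a) and a not in KEYWORDS]
                if names:
                    findings.append("hostnames need DNS: " + ", ".join(names))
                findings.append("priority order: " + " > ".join(args))
            report[current] = findings
        elif not line.startswith(" "):
            current = None   # left the group-policy block
    return report
```
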