Cisco ASA 5505 User Manual

Page 1502


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Supporting a Zone Labs Integrity Server

The listname string following the keyword value identifies the list of applications that users of clientless
SSL VPN sessions can access. Enter the port-forward command in webvpn configuration mode to define the
list.

Using the command a second time overrides the previous setting.

The following example shows how to set a port-forwarding list called ports1 for the internal group policy
named FirstGroup:

hostname(config)# group-policy FirstGroup internal attributes

hostname(config-group-policy)# webvpn

hostname(config-group-webvpn)# port-forward value ports1

hostname(config-group-webvpn)#

Configuring the Port-Forwarding Display Name

Configure the display name that identifies TCP port forwarding to end users for a particular user or group
policy by using the port-forward-name command in group-policy webvpn configuration mode. To
delete the display name, including a null value created by using the port-forward-name none command,
enter the no form of the command. The no option restores the default name, Application Access. To
prevent a display name, enter the port-forward none command. The syntax of the command is as
follows:

hostname(config-group-webvpn)# port-forward-name {value name | none}

hostname(config-group-webvpn)# no port-forward-name

The following example shows how to set the name, Remote Access TCP Applications, for the internal
group policy named FirstGroup:

hostname(config)# group-policy FirstGroup internal attributes

hostname(config-group-policy)# webvpn

hostname(config-group-webvpn)# port-forward-name value Remote Access TCP Applications

hostname(config-group-webvpn)#

Configuring the Maximum Object Size to Ignore for Updating the Session Timer

Network devices exchange short keepalive messages to ensure that the virtual circuit between them is
still active. The length of these messages can vary. The keep-alive-ignore command lets you tell the
ASA to consider all messages that are less than or equal to the specified size as keepalive messages and
not as traffic when updating the session timer. The range is 0 through 900 KB. The default is 4 KB.

To specify the upper limit of the HTTP/HTTPS traffic, per transaction, to ignore, use the
keep-alive-ignore command in group-policy attributes webvpn configuration mode:

hostname(config-group-webvpn)# keep-alive-ignore size

hostname(config-group-webvpn)#

The no form of the command removes this specification from the configuration:

hostname(config-group-webvpn)# no keep-alive-ignore

hostname(config-group-webvpn)#

The following example sets the maximum size of objects to ignore as 5 KB:

hostname(config-group-webvpn)# keep-alive-ignore 5

hostname(config-group-webvpn)#
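
The following added example is not from the Cisco guide. It is a small offline audit script that reads the port-forward, port-forward-name, and keep-alive-ignore settings described above from a saved configuration excerpt, applies the stated defaults, and checks the 0 through 900 KB range. The excerpt layout, the SecondGroup and ThirdGroup policies, the ports2 list, and the function names are assumptions made for illustration.

```python
import re

# Defaults stated in the guide text above.
DEFAULT_IGNORE_KB = 4
DEFAULT_DISPLAY_NAME = "Application Access"

# Constructed sample: the layout is an assumption, not captured device output.
SAMPLE_CONFIG = """\
group-policy FirstGroup attributes
 webvpn
  port-forward value ports1
  port-forward-name value Remote Access TCP Applications
  keep-alive-ignore 5
group-policy SecondGroup attributes
 webvpn
  port-forward-name none
  keep-alive-ignore 2000
group-policy ThirdGroup attributes
 webvpn
  port-forward value ports2
"""

def parse_group_policies(text):
    """Return {policy: settings} for the three webvpn commands covered above."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line ends the previous block
            m = re.match(r"group-policy\s+(\S+)\s+(?:internal\s+)?attributes$", line)
            current = policies.setdefault(m.group(1), {
                "port_forward": None, "display_name": DEFAULT_DISPLAY_NAME,
                "keep_alive_ignore": DEFAULT_IGNORE_KB, "errors": []}) if m else None
        elif current is None:
            continue
        elif m := re.match(r"port-forward value (\S+)$", line):
            current["port_forward"] = m.group(1)  # a repeat overrides the earlier list
        elif m := re.match(r"port-forward-name (?:value (.+)|none)$", line):
            current["display_name"] = m.group(1)  # None means no display name
        elif m := re.match(r"keep-alive-ignore (\d+)$", line):
            size = int(m.group(1))
            if 0 <= size <= 900:
                current["keep_alive_ignore"] = size
            else:  # keep the default and record the out-of-range value
                current["errors"].append(f"keep-alive-ignore {size} outside 0-900 KB")
    return policies

def resets_session_timer(policy, transaction_kb):
    """Transactions at or below the threshold count as keepalives, not traffic."""
    return transaction_kb > policy["keep_alive_ignore"]
```
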

Specifying HTTP Compression

Enable compression of HTTP data over a clientless SSL VPN session for a specific group or user by
entering the http-comp command in group-policy webvpn configuration mode.
