1-47
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
  Group Policies
• ikev1—Negotiates an IPsec IKEv1 tunnel between two peers (the Cisco VPN Client or another 
secure gateway). Creates security associations that govern authentication, encryption, 
encapsulation, and key management.
• ikev2—Negotiates an IPsec IKEv2 tunnel between two peers (the AnyConnect Secure Mobility 
Client or another secure gateway). Creates security associations that govern authentication, 
encryption, encapsulation, and key management.
• l2tp-ipsec—Negotiates an IPsec tunnel for an L2TP connection.
• ssl-client—Negotiates an SSL tunnel using TLS or DTLS with the AnyConnect Secure Mobility 
Client.
• ssl-clientless—Provides VPN services to remote users via an HTTPS-enabled web browser, and 
does not require a client.
Enter this command to configure one or more tunneling modes. You must configure at least one tunneling 
mode for users to connect over a VPN tunnel.
The following example shows how to configure the IPsec IKEv1 tunneling mode for the group policy 
named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev1
hostname(config-group-policy)# 
Specifying a VLAN for Remote Access or Applying a Unified Access Control Rule to the Group Policy
Filters consist of rules that determine whether to allow or reject tunneled data packets coming through 
the ASA, based on criteria such as source address, destination address, and protocol. You can specify an 
IPv4 or IPv6 unified access control list for your group policy or allow it to inherit the ACLs specified in 
the Default Group Policy. To configure a new unified ACL to use with your group policy, see Adding ACLs and 
ACEs, page 26-2.
Choose one of the following options to specify an egress VLAN (also called “VLAN mapping”) for 
remote access or specify an ACL to filter the traffic:
• Enter the following command in group-policy configuration mode to specify the egress VLAN for 
remote access VPN sessions assigned to this group policy or to a group policy that inherits this group 
policy:
hostname(config-group-policy)# [no] vlan {vlan_id | none}
no vlan removes the vlan_id from the group policy. The group policy inherits the vlan value from 
the default group policy.
none removes the vlan_id from the group policy and disables VLAN mapping for this group policy. 
The group policy does not inherit the vlan value from the default group policy.
vlan_id is the number of the VLAN, in decimal format, to assign to remote access VPN sessions that 
use this group policy. The VLAN must be configured on this ASA per the instructions in the 
“Configuring VLAN Subinterfaces and 802.1Q Trunking” section on page 10-31.
Note The egress VLAN feature works for HTTP connections, but not for FTP and CIFS.
• Specify the name of the access control list (ACL) to apply to the VPN session, using the vpn-filter 
command in group-policy configuration mode. You can specify an IPv4 or IPv6 ACL using the vpn-filter 
command.
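The following configuration puts the tunneling-mode, egress-VLAN and vpn-filter settings described above together for one group policy. It is an added example, not a configuration from the guide: the names VPN_USERS_GP and VPN_FILTER_ACL, VLAN 100, and the 10.0.0.0/8 client pool and 192.168.50.0/24 server subnet are assumed values. The ACL must exist before the group policy references it; write its ACEs with the VPN client address as the source, since the ASA enforces a vpn-filter on traffic in both directions of the tunnel.

```text
! Added example; names, VLAN number and addresses are assumed, not taken from the guide.
! 1. Define the filter ACL first: allow HTTPS to the server subnet and DNS to one resolver,
!    then deny everything else explicitly so the intent is visible in the running config.
hostname(config)# access-list VPN_FILTER_ACL extended permit tcp 10.0.0.0 255.0.0.0 192.168.50.0 255.255.255.0 eq 443
hostname(config)# access-list VPN_FILTER_ACL extended permit udp 10.0.0.0 255.0.0.0 host 192.168.50.10 eq 53
hostname(config)# access-list VPN_FILTER_ACL extended deny ip any any
! 2. Create the group policy and set its attributes.
hostname(config)# group-policy VPN_USERS_GP internal
hostname(config)# group-policy VPN_USERS_GP attributes
hostname(config-group-policy)# vpn-tunnel-protocol ikev2 ssl-client
! Egress VLAN for sessions in this group policy; VLAN 100 must already exist on a subinterface.
hostname(config-group-policy)# vlan 100
! Apply the filter; "vpn-filter none" would instead disable filtering without inheriting the default.
hostname(config-group-policy)# vpn-filter value VPN_FILTER_ACL
hostname(config-group-policy)# exit
! 3. Verify the resulting policy.
hostname(config)# show running-config group-policy VPN_USERS_GP
```

Note the difference between the two ways of clearing the VLAN setting: "no vlan" makes VPN_USERS_GP inherit whatever vlan the default group policy carries, while "vlan none" turns VLAN mapping off for this group policy regardless of the default. When auditing a configuration, check which of the two was intended, because a group policy with "no vlan" can silently pick up a VLAN assignment added later to the default group policy.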