Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
  Group Policies
hostname(config-group-policy)#
The netmask variable provides the subnet mask for the tunnel IP address. The no form of this command 
removes the DHCP intercept from the configuration:
[no] intercept-dhcp
The following example shows how to set DHCP Intercepts for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# intercept-dhcp enable
Setting Up a Split Exclusion Policy for Web Security
Information about Cloud Web Security
The AnyConnect Web Security module is an endpoint component that routes HTTP traffic to a Cisco 
Cloud Web Security scanning proxy where Cisco Cloud Web Security evaluates it. Cisco Cloud Web 
Security deconstructs the elements of a Web page so that it can analyze each element simultaneously. It 
blocks potentially harmful content and allows benign content to come through.
With many Cisco Cloud Web Security scanning proxies spread around the world, users taking advantage 
of AnyConnect Web Security are able to route their traffic to the Cisco Cloud Web Security scanning 
proxy with the fastest response time to minimize latency. 
When a user has established a VPN session, all network traffic is sent through the VPN tunnel. However, 
when AnyConnect users are using web security, the HTTP traffic originating at the endpoint needs to be 
excluded from the tunnel and sent directly to the Cloud Web Security scanning proxy. 
To set up the split tunnel exclusions for traffic meant for the Cloud Web Security scanning proxy, use 
the Set up split exclusion for Web Security button in a group policy.
Prerequisites
• You need to have access to the ASA using ASDM. This procedure cannot be performed using the 
command line interface.
• Web security needs to be configured for use with the AnyConnect client. See Configuring Web 
Security in the AnyConnect Secure Mobility Client Administrator Guide.
• You have created a Group Policy and assigned it a Connection Profile for AnyConnect clients 
configured with Web Security.
Detailed Steps
Step 1 Start an ASDM session for the head end you want to configure and select Remote Access VPN > 
Configuration > Group Policies.
Step 2 Select the Group Policy you want to configure and click Edit.
Step 3 Select Advanced > Split Tunneling.
Step 4 Click Set up split exclusion for Web Security.
Step 5 Enter a new, or select an existing, access list used for Web Security split exclusion. ASDM will set up 
the access list for use in the network list.
Step 6 Click Create Access List for a new list or Update Access List for an existing list.
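The following is an added example, not part of the Cisco guide: a Python check run against a saved running configuration to confirm that each group policy using split exclusion bypasses the tunnel only for the scanning proxy ranges. The configuration excerpt, the ACL names, and the proxy ranges are constructed placeholders, and the example assumes the exclusion list is a standard ACL.

```python
import ipaddress
# Constructed running-config excerpt and hypothetical proxy ranges (placeholders).
SAMPLE_CONFIG = """\
access-list CWS_EXCLUDE standard permit host 192.0.2.10
access-list CWS_EXCLUDE standard permit 198.51.100.0 255.255.255.0
access-list TOO_BROAD standard permit 10.0.0.0 255.0.0.0
group-policy FirstGroup attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value CWS_EXCLUDE
group-policy SecondGroup attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value TOO_BROAD
"""
APPROVED = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def parse(config):
    """Return (acls, policies): ACL name -> networks, group policy -> settings."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["standard", "permit"] and len(tok) > 4:
            spec = "/".join(tok[4:6]).replace("host/", "")  # "host A" -> A, "A MASK" -> A/MASK
            if tok[4] in ("any", "any4"):
                spec = "0.0.0.0/0"
            acls.setdefault(tok[1], []).append(ipaddress.ip_network(spec))
        elif tok[:1] == ["group-policy"] and tok[2:] == ["attributes"]:
            current = policies.setdefault(tok[1], {})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the attributes block
        elif current is not None and tok[:1] == ["split-tunnel-policy"]:
            current["policy"] = tok[1]
        elif current is not None and tok[:2] == ["split-tunnel-network-list", "value"]:
            current["list"] = tok[2]
    return acls, policies

def audit(config, approved):
    """List (group policy, problem) pairs where exclusions exceed the approved ranges."""
    acls, policies = parse(config)
    findings = []
    for name, gp in policies.items():
        if gp.get("policy") == "excludespecified":
            nets = acls.get(gp.get("list"), [])
            if not nets:
                findings.append((name, "exclude policy has no usable network list"))
            findings += [(name, f"{n} is outside the approved proxy ranges")
                         for n in nets if not any(n.subnet_of(a) for a in approved)]
    return findings
if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, APPROVED))
```

Replace APPROVED with the scanning proxy ranges published for your Cloud Web Security deployment before running it against a real configuration.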