
Implementing Profiles, Group Policies, and User Policies

Overview

Cisco ASA uses a flexible and scalable configuration scheme to meet the differing requirements of all supported VPN types. VPN configuration has two major components:

1. Connection profiles, known as tunnel groups in the CLI, which define the prelogin requirements of a VPN session. A connection profile separates all VPN sessions into groups based on requirements such as the AAA method or the connection method/protocol used, so that different security policies can be applied to each group or user.

2. Group policies, which define the postlogin security policies applied, such as traffic filtering (authorization) or time restrictions.
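
The two components as they look in ASA CLI configuration, in an added example that is not taken from the book. All object names (CONTRACTORS, CONTRACTOR-GP, CORP-RADIUS, CONTRACTOR-FILTER, BUSINESS-HOURS), the addresses and the shared-secret placeholder are constructed for illustration.

```cisco
! Constructed example: every name, address and secret below is a placeholder.
!
! AAA server that the connection profile uses for prelogin authentication
aaa-server CORP-RADIUS protocol radius
aaa-server CORP-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Objects referenced by the postlogin policy
access-list CONTRACTOR-FILTER extended permit tcp any host 192.0.2.50 eq 443
access-list CONTRACTOR-FILTER extended deny ip any any
!
time-range BUSINESS-HOURS
 periodic weekdays 8:00 to 18:00
!
! Group policy: postlogin security policy (traffic filtering, time restriction)
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-filter value CONTRACTOR-FILTER
 vpn-access-hours value BUSINESS-HOURS
 vpn-tunnel-protocol ssl-client
!
! Connection profile (tunnel group): prelogin requirements (AAA method),
! with the group policy that sessions in this profile receive by default
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 authentication-server-group CORP-RADIUS
 default-group-policy CONTRACTOR-GP
```

`show running-config tunnel-group` and `show running-config group-policy` display the two halves separately, which is a quick way to audit which postlogin restrictions each connection profile actually maps to.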

Because multiple options exist for enforcing the same, or possibly conflicting, policies on a remote-access VPN session, ASA uses a hierarchical policy inheritance model with the following order of priority, starting from the highest:


  

You are currently reading a PREVIEW of this book.

                                                                                        
