Skip to main content



Cisco Defense Orchestrator

Create New ASA RA VPN Group Policies

A group policy is a set of user-oriented attribute/value pairs for remote access VPN connections. The connection profile uses a group policy that sets terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than having to specify each attribute individually for each user. 

The system includes a default group policy named "DfltGrpPolicy". You can create additional group policies to provide the services you require.

Note: You cannot add inconsistent group policy objects to RA VPN configuration. Resolve all inconsistencies before adding the group policy to the RA VPN Configuration.


  1. In the CDO navigation bar at the left, click Objects
  2. Click the blue plus blue_cross_button.png button.
  3. Click   RA VPN Objects (ASA & FTD) RA VPN Group Policy
  4. Enter a name for the group policy. The name can be up to 64 characters and spaces are allowed.
  5. In the Device Type drop-down, select ASA.
  6. Do any of the following:
  7. Click Add to create the group policy.

General Attributes 

The general attributes of a group policy define the name of the group and some other basic settings. 

  • DNS Server: Enter the IP address(s) of DNS servers for domain name resolution when connected to the VPN. You can separate the addresses using a comma. 
  • Banner: The banner text, or welcome message, to present to users at login. The default is no banner. The length can be up to 496 characters. The AnyConnect client supports partial HTML. To ensure that the banner displays properly to remote users, use the <BR> tag to indicate line breaks.
  • Default Domain: The default domain name for users in the RA VPN. For example, This domain is added to hostnames that are not fully-qualified, for example, serverA instead of

AnyConnect Client Profiles

Cisco AnyConnect VPN client offers enhanced security through various built-in modules. These modules provide services such as web security, network visibility into endpoint flows, and off-network roaming protection. Each client module includes a client profile that includes a group of custom configurations as per your requirement.

You can select the AnyConnect VPN profile object and AnyConnect modules to be downloaded to clients when the VPN user downloads the VPN AnyConnect client software. 

  1. Choose or create an AnyConnect VPN profile object. See Upload RA VPN AnyConnect Client Profile. Except for DART and Start Before Login modules, the AnyConnect VPN profile object must be selected.
  2. Click Add Any Connect Client Module
    The following AnyConnect modules are optional and you can configure these modules to be downloaded with VPN AnyConnect client software:
    • AMP Enabler — Deploys advanced malware protection (AMP) for endpoints.

    • DART — Captures a snapshot of system logs and other diagnostic information, which can be sent to the Cisco TAC for troubleshooting.

    • Feedback —  Provides information about the features and modules customers have enabled and used.

    • ISE Posture — Uses the OPSWAT library to perform posture checks to assess an endpoint's compliance.

    • Network Access Manager — Provides 802.1X (Layer 2) and device authentication to access both wired and wireless networks.

    • Network Visibility — Enhances the enterprise administrator's ability to do capacity and service planning, auditing, compliance, and security analytics.

    • Start Before Login — Forces the user to connect to the enterprise infrastructure over a VPN connection before logging on to Windows by starting AnyConnect before the Windows login dialog box appears.

    • Umbrella Roaming Security — Provides DNS-layer security when no VPN is active.

    • Web Security — Analyzes the elements of a web page, allows acceptable content, and blocks malicious or unacceptable content based on a defined security policy.

  3. In the Client Module list, select an AnyConnect module.

  4. In the Profile list, choose or create a profile object containing an AnyConnect Client Profile. 

  5. Select Enable Module Download to enable endpoints to download the client module along with the profile. If not selected, the endpoints can download only the client profile.

Session Setting Attributes 

The session settings of a group policy control how long users can connect through the VPN and how many separate connections they can establish.

  • Maximum Connection Time: The maximum length of time, in minutes, that users can stay connected to the VPN without logging out and reconnecting, from 1- 4473924 or blank. The default is unlimited (blank), but the idle timeout still applies.
  • Connection Time Alert Interval: If you specify a maximum connection time, the alert interval defines the amount of time before the maximum time is reached to display a warning to the user about the upcoming automatic disconnect. The user can choose to end the connection and reconnect to restart the timer. The default is 1 minute. You can specify 1 to 30 minutes.
  • Idle Time: The length of time, in minutes, that the VPN connection can be idle before it is automatically closed, from 1-35791394. If there is no communication activity on the connection for this consecutive number of minutes, the system stops the connection. The default is 30 minutes.
  • Idle Time Alert Interval: The amount of time before the idle time is reached to display a warning to the user about the upcoming automatic disconnect due to an idle session. Any activity resets the timer. The default is 1 minute. You can specify 1 to 30 minutes.
  • Simultaneous Login Per User: The maximum number of simultaneous connections allowed for a user. The default is 3. You can specify 1 to 2147483647 connections. Allowing many simultaneous connections might compromise security and affect performance.

Address Assignment Attributes 

The address assignment attributes of a group policy define the IP address pool for the group. The pool defined here overrides the pool defined in any connection profile that uses this group. Leave these settings blank if you want to use the pool defined in the connection profile.

  • IPv4 Address Pool, IPv6 Address Pool: These options define the address pools for the remote endpoints. Clients are assigned an address from these pools based on the IP version they use to make the VPN connection. Select the IP address pool that defines a subnet for each IP type you want to support. Leave the list empty if you do not want to support that IP version. For example, you could define an IPv4 pool as The address pool cannot be on the same subnet as the IP address for the outside interface.
    To create a new IPv4 Address Pool or a new IPv6 Address Pool. You can specify a list of up to six address pools to use for local address allocation. The order in which you specify the pools is significant. The system allocates addresses from these pools in the order in which the pools appear.
    Note: You can configure both IPv4 and IPv6 address pools for the same group policy. If both versions of IP addresses are configured in the same group policy, clients configured for IPv4 will get an IPv4 address, clients configured for IPv6 will get an IPv6 address, and clients configured for both IPv4 and IPv6 addresses will get both an IPv4 and an IPv6 address.
  • DHCP Scope: If you configure DHCP servers for the address pool in the connection profile, the DHCP scope identifies the subnets to use for the pool for this group. The DHCP server must also have addresses in the same pool identified by the scope. The scope allows you to select a subset of the address pools defined in the DHCP server to use for this specific group.
    If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.
    To specify a scope, enter the network object that contains the network number host address. For example, to tell the DHCP server to use addresses from the subnet pool, enter a network object that specifies as a host address. You can use DHCP for IPv4 addressing only.

Split Tunneling Attributes 

The split tunneling attributes of a group policy define how the system should handle traffic meant for the internal network vs. externally-directed traffic. Split tunneling directs some network traffic through the VPN tunnel (encrypted) and the remaining network traffic outside the VPN tunnel (unencrypted or in clear text).

Typically, in remote access VPN, you might want the VPN users to access the Internet through your device. However, you can allow your VPN users to access an outside network while they are connected to an RA VPN. This technique is called split tunneling or hair pinning. The split tunnel allows VPN connectivity to a remote network across a secure tunnel, and it also allows connectivity to a network outside the VPN tunnel. Split tunneling reduces the network load on the FTD devices and increases the bandwidth on the outside interface. 

Before you begin

For creating a split tunnel policy for IPv4 networks and another for IPv6 networks, the access-list you specify is used for both protocols. So, the access-list should contain access control entries (ACEs) for both IPv4 and IPv6 traffic.

When an ASA device is onboarded to CDO, it reads the extended ACLs associated with the device. See Split Tunnel Configuration for more information. If you want to create new ACLs, see ASA Policies (Extended access-list) to create them. Note: Ensure that you specify the network intended for split tunneling as the source network in the ACL you are creating.

  • IPv4 Split TunnelingIPv6 Split Tunneling: You can specify different options based on whether the traffic uses IPv4 or IPv6 addresses, but the options for each are the same. If you want to enable split tunneling, specify one of the options that require you to select network objects. 
    • Allow all traffic over tunnel: Do no split tunneling. Once the user makes an RA VPN connection, all the user’s traffic goes through the protected tunnel. This is the default. It is also considered the most secure option.
    • Allow specified traffic over the tunnel: Select the extended access list that defines the source network. Any traffic from these sources goes through the protected tunnel. The client routes traffic from any other source to connections outside the tunnel (such as a local Wi-Fi or network connection).
    • Exclude networks specified below: Select the network objects that define the source network. The client routes any traffic from these sources to connections outside the tunnel. Traffic from any other source goes through the tunnel. 
    • Network List: Select the extended ACL network that can have both IPv4 and IPv6 networks.
  • Split DNS—You can configure the system to send some DNS requests through the secure connection while allowing the client to send other DNS requests to the DNS servers configured on the client. You can configure the following DNS behavior:
    • Send DNS Request as per split tunnel policy: With this option, DNS requests are handled the same way as the split tunnel options are defined. If you enable split tunneling, DNS requests are sent based on the destination addresses. If you do not enable split tunneling, all DNS requests go over the protected connection.
    • Always send DNS requests over tunnel: Select this option if you enable split tunneling, but you want all DNS requests sent through the protected connection to the DNS servers defined for the group.
    • Send only specified domains over tunnel: Select this option if you want your protected DNS servers to resolve addresses for certain domains only. Then, specify those domains, separating domain names with commas. For example,, Use this option if you want your internal DNS servers to resolve names for internal domains, while external DNS servers handle all other Internet traffic.

AnyConnect Attributes 

The AnyConnect attributes of a group policy define some SSL and connection settings used by the AnyConnect client for a remote access VPN connection.

  • SSL Settings
    • Enable Datagram Transport Layer Security (DTLS): Whether to allow the AnyConnect client to use two simultaneous tunnels: an SSL tunnel and a DTLS tunnel. Using DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays. If you do not enable DTLS, AnyConnect client users establishing SSL VPN connections connect with an SSL tunnel only.
    • DTLS Compression: Whether to compress Datagram Transport Layer Security (DTLS) connections for this group using LZS. DTLS Compression is disabled by default.
    • SSL Compression: Whether to enable data compression, and if so, the method of data compression to use, Deflate, or LZS. SSL Compression is Disabled by default. Data compression speeds up transmission rates but also increases the memory requirement and CPU usage for each user session. Therefore, SSL compression decreases the overall throughput of the device.
    • SSL Rekey MethodSSL Rekey Interval: The client can rekey the VPN connection, renegotiating the crypto keys and initialization vectors, to increase the security of the connection. Disable rekeying by selecting None. To enable rekey, select New Tunnel to create a new tunnel each time. (The Existing Tunnel option results in the same action as New Tunnel.) If you enable rekeying, also set the rekey interval, which is 4 minutes by default. You can set the interval to 4-10080 minutes (1 week).
  • Connection Settings 
    • Ignore the DF (Don't Fragment) bit: Whether to ignore the Don't Fragment (DF) bit in packets that need fragmentation. Select this option to allow the forced fragmentation of packets that have the DF bit set, so that these packets can pass through the tunnel.
    • Client Bypass Protocol—Allows you to configure how the secure gateway manages IPv4 traffic (when it is expecting only IPv6 traffic), or how it manages IPv6 traffic (when it is expecting only IPv4 traffic).

      When the AnyConnect client makes a VPN connection to the headend, the headend assigns it an IPv4, IPv6, or both an IPv4 and IPv6 address. If the headend assigns the AnyConnect connection only an IPv4 address or only an IPv6 address, you can configure the Client Bypass Protocol to drop network traffic for which the headend did not assign an IP address (default, disabled, not checked), or allow that traffic to bypass the headend and be sent from the client unencrypted or “in the clear” (enabled, checked).

      For example, assume that the secure gateway assigns only an IPv4 address to an AnyConnect connection and the endpoint is dual-stacked. When the endpoint attempts to reach an IPv6 address, if Client Bypass Protocol is disabled, the IPv6 traffic is dropped; however, if Client Bypass Protocol is enabled, the IPv6 traffic is sent from the client in the clear.

    • MTU: The maximum transmission unit (MTU) size for SSL VPN connections established by the Cisco AnyConnect VPN Client. The default is 1406 bytes. The range is 576 to 1462 bytes.

      • Keepalive Messages Between AnyConnect and VPN Gateway: Whether to exchange keepalive messages between peers to demonstrate that they are available to send and receive data in the tunnel. Keepalive messages transmit at set intervals. The default interval is 20 seconds, and the valid range is 15 to 600 seconds.

      • DPD on Gateway Side IntervalDPD on Client Side Interval: Enable Dead Peer Detection (DPD) to ensure that the VPN gateway or VPN client quickly detects when the peer is no longer responding. You can separately enable gateway or client DPD. The default interval is 30 seconds for sending DPD messages. The interval can be 5-3600 seconds.

Traffic Filters Attributes 

The traffic filter attributes of a group policy define restrictions you want to place on users assigned to the group. You can use these attributes instead of creating access control policy rules to restrict RA VPN users to specific resources, based on host or subnet address and protocol, or VLAN.
By default, RA VPN users are not restricted by the group policy from accessing any destination on your protected network. 

  • Access List Filter: Restrict access using an extended access control list (ACL). Select the Smart CLI Extended ACL object.
    The extended ACL lets you filter based on source address, a destination address, and protocol (such as IP or TCP). ACLs are evaluated on a top-down, first-match basis, so ensure that you place specific rules before more general rules. There is an implicit “deny any” at the end of the ACL, so if you intend to deny access to a few subnets while allowing all other access, ensure that you include a “permit any” rule at the end of the ACL.

    Because you cannot create network objects while editing an extended ACL Smart CLI object, you should create the ACL before editing the group policy. Otherwise, you might need to simply create the object, then go back later to create the network objects and then all the access control entries that you need. To create the ACL, log in to FDM, go to Device Advanced Configuration Smart CLI Objects, create an object, and select Extended Access List as the object type. 
  • Restrict VPN to VLAN: Also called “VLAN mapping,” this attribute specifies the egress VLAN interface for sessions to which this group policy applies. The system forwards all traffic from this group to the selected VLAN.

    Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using an ACL to filter traffic on a session. Ensure that you specify a VLAN number that is defined on a subinterface on the device. Values range from 1 to 4094.

Windows Browser Proxy Attributes 

The Windows browser proxy attributes of a group policy determine how, and whether, a proxy defined on the user’s browser operates. 

You can select one of the following values for Browser Proxy During VPN Session

  • No change in endpoint settings: Allow the user to configure (or not configure) a browser proxy for HTTP and use the proxy if it is configured.
  • Disable browser proxy: Do not use the proxy defined for the browser, if any. No browser connections will go through the proxy.
  • Auto detect settings: Enable the use of automatic proxy server detection in the browser for the client device.
  • Use custom settings: Define a proxy that should be used by all client devices for HTTP traffic. Configure the following settings: 
    • Proxy Server IP or HostnamePort: The IP address, or hostname, of the proxy server, and the port used for proxy connections by the proxy server. The host and port combined cannot exceed 100 characters.
    • Browser Proxy Exemption List: Connections to the hosts/ports in the exemption list do not go through the proxy. Add all the host/port values for destinations that should not use the proxy. For example, port 80. Click Add proxy exemption to add items to the list. Click the trash can icon to delete items. The entire proxy exception list, combining all addresses and ports, cannot be longer than 255 characters.