Cisco Security Appliance Command Line Configuration Guide
OL-6721-01
Chapter 25 Configuring Tunnel Groups, Group Policies, and Users
 Group Policies
Default Group Policy
The security appliance supplies a default group policy. You can modify this default group policy, but you cannot delete it. A default group policy, named “DfltGrpPolicy”, always exists on the security appliance, but this default group policy does not take effect unless you configure the security appliance to use it. To view the default group policy, enter the following command:
hostname(config)# show running-config all group-policy DfltGrpPolicy
To configure the default group policy, enter the following command:
hostname(config)# group-policy DfltGrpPolicy internal
Note The default group policy is internal. Despite the fact that the command syntax is hostname(config)# group-policy DfltGrpPolicy {internal | external}, you cannot change the type to external.
To change any of the attributes of the group policy, use the group-policy attributes command to enter attributes mode, then enter the commands for the attributes that you want to modify:
hostname(config)# group-policy DfltGrpPolicy attributes
Note The attributes mode applies only to internal group policies.
The default group policy that the security appliance provides, “DfltGrpPolicy”, is as follows:
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 wins-server none
 dns-server none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 banner none
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none










