30-40
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
Group Policies
Configuring the Banner Message
Specify the banner, or welcome message, if any, that you want to display. The default is no banner. The
message that you specify is displayed on remote clients when they connect. To specify a banner, enter
the banner command in group-policy configuration mode. The banner text can be up to 510 characters
long. Enter the “\n” sequence to insert a carriage return.
Note A carriage-return/line-feed included in the banner counts as two characters.
To delete a banner, enter the no form of this command. Be aware that using the no version of the
command deletes all banners for the group policy.
A group policy can inherit this value from another group policy. To prevent inheriting a value, enter the
none keyword instead of specifying a value for the banner string, as follows:
hostname(config-group-policy)# banner {value banner_string | none}
The following example shows how to create a banner for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# banner value Welcome to Cisco Systems 7.0.
Configuring IPSec-UDP Attributes
IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client
connect via UDP to a security appliance that is running NAT. It is disabled by default. IPSec over UDP
is proprietary; it applies only to remote-access connections, and it requires mode configuration. The
security appliance exchanges configuration parameters with the client while negotiating SAs. Using
IPSec over UDP may slightly degrade system performance.
To enable IPSec over UDP, configure the ipsec-udp command with the enable keyword in group-policy
configuration mode, as follows:
hostname(config-group-policy)# ipsec-udp {enable | disable}
hostname(config-group-policy)# no ipsec-udp
To use IPSec over UDP, you must also configure the ipsec-udp-port command, as described below.
To disable IPSec over UDP, enter the disable keyword. To remove the IPSec over UDP attribute from
the running configuration, enter the no form of this command. This enables inheritance of a value for
IPSec over UDP from another group policy.
The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by
default). The VPN 3002 requires no configuration to use IPSec over UDP.
The following example shows how to set IPSec over UDP for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp enable
If you enabled IPSec over UDP, you must also configure the ipsec-udp-port command in group-policy
configuration mode. This command sets a UDP port number for IPSec over UDP. In IPSec negotiations,
the security appliance listens on the configured port and forwards UDP traffic for that port even if other
filter rules drop UDP traffic. The port numbers can range from 4001 through 49151. The default port
value is 10000.
To disable the UDP port, enter the no form of this command. This enables inheritance of a value for the
IPSec over UDP port from another group policy.
To Next Page
Loading...
Need help?
General