Clear up confusion between Connection Profiles and tunnel-groups on the Cisco ASA

CCIE Brandon Carroll explains how Connection Profiles fit into the Group Policy mix on the Cisco ASA firewall. Here is a tip about how to use the Preview Commands option to help you understand both the GUI and CLI terminology on the ASA.

When I was preparing for the CCIE exam, I did everything from the command line. That's just how you do things as a CCIE candidate. However, when I teach businesses and CCNP Security candidates how to configure an ASA for firewall and VPN services in their environment, I almost always use ASDM. Whether one should use a GUI to configure Cisco devices is an argument that has been running for a long time, and this is not another post meant to spark that conversation again. Rather, I find it useful to understand the back-end configuration that ASDM generates, even if you don't use ASDM. A great use case hit me head-on a few weeks back.

Bridging the gap between ASA Commands and ASDM configurations

I manage a small network at the company where I work. We have an ASA at the perimeter, and it services VPN connections for a mobile sales and instructional team. The Manager of IS called me and said, "Hey Brandon, I have a VPN configured but I don't know the difference between the policy applied by the Connection Profile and the policy that comes from the Group-Policy that you have configured." Well, I know that the policy hierarchy is:

User > Tunnel-Group > Group Policy > Default_Group

But where exactly does a "Connection Profile" fit in?

To begin, let's examine where we would see a Connection Profile. In Figure A, we are viewing ASDM, and we have navigated to Configure>Remote Access VPN>Clientless SSL VPN Access>Connection Profiles.

Figure A

While I have a few Connection Profiles created already, there's a very simple way to figure out how these Connection Profiles fit into the mix. To begin, you'll need to select Tools>Preferences, as seen in Figure B.

Figure B

This opens the preferences pane. What's important here is that we want to preview the commands before sending them to the CLI. This is the key: it allows us to see the back-end commands that the ASDM GUI sends to the ASA CLI. Ensure that the option is selected, as seen in Figure C.

Figure C

Once you've enabled the option, click OK. Now, to determine how the Connection Profile fits into the VPN Policy Hierarchy, simply add a test Connection Profile as seen in the following figure.

Figure D

What you notice right off the bat is that the default name for the Connection Profile is "TunnelGroup1." Further, when you click OK and then apply the configuration, the command preview makes it even clearer that a Connection Profile is actually a tunnel-group, as you can see in Figure E.

Figure E

While the GUI may use slightly different terminology, it all comes down to how it's applied on the CLI. This is why I believe it's useful for anyone managing the ASA to know both the GUI and the CLI. Until you know both, keep the Preview Commands option enabled on all of your ASDM connections.
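To make the mapping concrete, here is an added example (not from the original article or from Cisco): a short Python script that reads a running-config excerpt and lists each tunnel-group, which ASDM calls a Connection Profile, together with the group policy it points to. The config lines and the names SalesVPN and SalesPolicy are constructed for illustration; `DfltGrpPolicy` is the ASA's built-in default group policy, the "Default_Group" level of the hierarchy above.

```python
import re

# Constructed running-config excerpt (illustrative, not from the article).
SAMPLE_CONFIG = """\
group-policy SalesPolicy internal
group-policy SalesPolicy attributes
 vpn-tunnel-protocol ssl-clientless
tunnel-group TunnelGroup1 type remote-access
tunnel-group SalesVPN type remote-access
tunnel-group SalesVPN general-attributes
 default-group-policy SalesPolicy
tunnel-group SalesVPN webvpn-attributes
 group-alias Sales enable
"""

DEFAULT_POLICY = "DfltGrpPolicy"  # built-in policy applied when none is configured


def connection_profiles(config):
    """Map each tunnel-group (ASDM 'Connection Profile') to type, policy, aliases."""
    profiles = {}
    current = None  # tunnel-group whose attributes sub-mode we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # any top-level command leaves the sub-mode
            m = re.match(r"tunnel-group (\S+) (\S+)(?: (\S+))?$", line)
            if not m:
                continue
            name, keyword, arg = m.groups()
            entry = profiles.setdefault(
                name, {"type": None, "group_policy": DEFAULT_POLICY, "aliases": []})
            if keyword == "type":
                entry["type"] = arg
            elif keyword.endswith("-attributes"):
                current = entry
        elif current is not None:
            m = re.match(r"default-group-policy (\S+)$", line)
            if m:
                current["group_policy"] = m.group(1)
            m = re.match(r"group-alias (\S+)", line)
            if m:
                current["aliases"].append(m.group(1))
    return profiles


if __name__ == "__main__":
    for name, p in connection_profiles(SAMPLE_CONFIG).items():
        print(f"Connection Profile {name}: type={p['type']}, "
              f"group-policy={p['group_policy']}, aliases={p['aliases']}")
```

A profile created with only a name, like TunnelGroup1 here, shows up with `DfltGrpPolicy`, which is the case where users inherit the default policy without anyone having chosen it.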