2049 Views, 0 Helpful, 4 Replies

Group-Policy and Inheritance

eddie.harmoush
Level 1

I have a Group-Policy created with all the attributes that my SVC clients should be using -- this GP is called GP-SVC.  My client wants to add different access-levels for different sets of users.  I would like to do this by having three new Group-Policies inherit attributes from GP-SVC, except for the VPN Filter ACL, which will be different on each of these "child" GPs.

So here is how I want inheritance to work:

DfltGrpPolicy
|
+-- GP-SVC
       |
       +-- GP-SVC-Users
       +-- GP-SVC-Devs
       +-- GP-SVC-Admins

But for some reason, it's not letting me choose a group to inherit attributes from for my child GPs:

asa5505# show run group-policy
group-policy GP-SVC internal
group-policy GP-SVC attributes
 dns-server value 172.17.96.181
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-SVC
 default-domain value something.local
 split-dns value something.local
 address-pools value SVC-POOL

asa5505(config)# group-policy GP-SVC-Users internal ?

configure mode commands/options:
  from  Specify group to initialize attributes from

asa5505(config)# group-policy GP-SVC-Users internal from GP-SVC
ERROR: source group GP-SVC does not exist


Anyone have any ideas as to what I'm doing wrong?  My goal was for the "child" group-policies to only have one attribute assigned, the VPN Filter, and for the rest of their attributes to be inherited from GP-SVC.

My Device:

Cisco Adaptive Security Appliance Software Version 8.2(5)3

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

1 Accepted Solution

Hello Eddie,

What happens if you do a show run group-policy? On my side I got the same error, but the configuration was applied to the new group. Odd enough.

Example of outputs taken from an ASA

group-policy CSC internal
  group-policy CSC attributes
  dns value 4.2.2.2

ciscoasa(config)# sh run group-policy
group-policy CSC internal
group-policy CSC attributes
 dns-server value 4.2.2.2
ciscoasa(config)#

group-policy test internal from CSC
ERROR: source group CSC does not exist

ciscoasa(config)# sh run group-policy
group-policy test internal
group-policy test attributes
 dns-server value 4.2.2.2
group-policy CSC internal
group-policy CSC attributes
 dns-server value 4.2.2.2
ciscoasa(config)#

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


4 Replies

eddie.harmoush
Level 1

Bump.

Any help on this would be greatly appreciated


Hi jcarvaja

Looks like you're right.  Strange that it errors out:

student10# show run group-policy
group-policy PARENT internal
group-policy PARENT attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com
student10#

student10# conf t
student10(config)# group-policy CHILDa internal from PARENT
ERROR: source group PARENT does not exist
student10(config)#

student10(config)# show run group-policy
group-policy PARENT internal
group-policy PARENT attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com
group-policy CHILDa internal
group-policy CHILDa attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com
student10(config)#

So it creates the CHILD GP, but it only copies the configuration; it doesn't truly inherit. Which is to say, if I make a change to the parent group, it is not replicated to the child:

student10(config)#
student10(config)# group-policy PARENT attributes
student10(config-group-policy)# dns-server value 3.3.3.3
student10(config-group-policy)# exit
student10(config)# exit

student10# show run group-policy
group-policy PARENT internal
group-policy PARENT attributes
 dns-server value 3.3.3.3
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com
group-policy CHILDa internal
group-policy CHILDa attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com

I guess I have my answer then, the "from" keyword is to simply copy the settings from another group-policy, not set up a parent-child relationship.

Thanks for your help, Jcarvaja.  I'll mark your response as the answer.
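Because `from` only copies attributes at creation time, a change to the parent group-policy (as with the dns-server edit above) leaves the copied children silently out of date, and the access level a user actually gets depends on which copy is stale. A small drift check over `show run group-policy` output catches this. The script below is an added example written for this thread, not code from the original posts or from Cisco; it assumes the `show run group-policy` text has been captured to a string, and the function names (`parse_group_policies`, `drift`, `check_children`), the default `vpn-filter` exemption and the `ACL-USERS` ACL name are assumptions of the example. The sample input is constructed from the thread's PARENT/CHILDa output after the dns-server change.

```python
"""Report attribute drift between an ASA group-policy and the children that were
created from it with 'group-policy <child> internal from <parent>'.

Added example for this thread, not from the original posts. Input is the text
of 'show run group-policy'; output is, per child, the attributes whose value
differs from the parent, except those the child is meant to override (the
VPN filter ACL in this thread).
"""
import re
from collections import OrderedDict

# Constructed sample: PARENT after 'dns-server value 3.3.3.3', CHILDa still holding
# the copy made earlier, plus the per-child vpn-filter the thread wants to set.
SAMPLE_SHOW_RUN = """\
group-policy PARENT internal
group-policy PARENT attributes
 dns-server value 3.3.3.3
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com
group-policy CHILDa internal
group-policy CHILDa attributes
 dns-server value 1.1.1.1 1.1.1.2
 vpn-access-hours none
 vpn-idle-timeout 111
 vpn-session-timeout 111
 split-dns value one.com one.one.com one.one.one.com
 vpn-filter value ACL-USERS
"""

ATTR_HEADER = re.compile(r"^group-policy\s+(\S+)\s+attributes\s*$")
DEF_LINE = re.compile(r"^group-policy\s+(\S+)\s+(internal|external)\b")


def parse_group_policies(text):
    """Return {policy_name: {attribute_keyword: full_line}}.

    The keyword is the first token of each attribute line (e.g. 'dns-server'),
    which is what the ASA uses to identify the attribute; the stored value is
    the whole line so multi-value attributes compare exactly.
    """
    policies = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ATTR_HEADER.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, OrderedDict())
            continue
        m = DEF_LINE.match(line)
        if m:
            # 'group-policy X internal [from Y]' declares the policy but has no attributes.
            policies.setdefault(m.group(1), OrderedDict())
            current = None
            continue
        if current is not None:
            policies[current][line.split()[0]] = line
    return policies


def drift(policies, parent, child, overrides=()):
    """Attributes present on either side whose lines differ, minus overrides.

    Returns {keyword: (parent_line_or_None, child_line_or_None)}.
    """
    if parent not in policies or child not in policies:
        raise ValueError(f"missing group-policy: {parent!r} or {child!r}")
    p, c = policies[parent], policies[child]
    report = OrderedDict()
    for key in sorted(set(p) | set(c)):
        if key in overrides:
            continue
        if p.get(key) != c.get(key):
            report[key] = (p.get(key), c.get(key))
    return report


def check_children(text, parent, children, overrides=("vpn-filter",)):
    """Drift report for every child of `parent` found in the show run text."""
    policies = parse_group_policies(text)
    return {child: drift(policies, parent, child, overrides) for child in children}


if __name__ == "__main__":
    for child, diffs in check_children(SAMPLE_SHOW_RUN, "PARENT", ["CHILDa"]).items():
        if not diffs:
            print(f"{child}: in sync with PARENT")
        for key, (pv, cv) in diffs.items():
            print(f"{child}: {key} drifted\n  parent: {pv}\n  child:  {cv}")
```

Run against the constructed sample it reports only `dns-server` as drifted for CHILDa, because `vpn-filter` is listed as an intended override; every other copied attribute still matches. In practice the same check can be run after each change to the parent so that a forgotten child copy does not keep serving the old DNS, timeout or split-tunnel settings.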


Hello Eddie,

My pleasure to help,

Regards,

Julio Carvajal

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC