ASA tunnel-group

When configuring IPSec on an ASA device, the tunnel-group command is used to configure what is called “the database of connection-specific records”. This database contains tunnel-specific information that is necessary to establish and maintain the tunnel. This information includes the type of tunnel being created.

The command has the following format:

tunnel-group name type type

Where name identifies the tunnel group and type can be either remote-access or ipsec-l2l.

Once configured, there are then various other configuration modes under which additional parameters and attributes can be configured. These include:

  • tunnel-group general-attributes
  • tunnel-group ipsec-attributes
  • tunnel-group webvpn-attributes
  • tunnel-group ppp-attributes

The tunnel group is typically used when you want to define different rules for different connections. Most often you will use it for VPN clients that need to connect with different rules, such as when you are implementing EZVPN. However, it is possible not to use it, such as in the case where you use a crypto map with an IPSec profile.
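As an added example (not taken from the page or the linked articles), the fragment below shows one tunnel group of each type together with the general-attributes and ipsec-attributes sub-modes listed above. The peer address 203.0.113.2, the names RA-USERS, RA-POOL and RA-POLICY, and the pre-shared keys are constructed placeholders; the address pool and group policy are assumed to exist already.

```text
! Site-to-site (LAN-to-LAN) tunnel group.
! For an IKEv1 L2L tunnel the group name must be the peer's IP address,
! because the ASA selects the tunnel group by matching the peer address.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ! Pre-shared key used to authenticate this peer (placeholder value).
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
 ! Dead peer detection: probe after 10 s idle, retry every 2 s.
 isakmp keepalive threshold 10 retry 2

! Remote-access tunnel group for VPN clients.
tunnel-group RA-USERS type remote-access
tunnel-group RA-USERS general-attributes
 ! Pool that hands out client addresses and the group policy applied to them.
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-USERS ipsec-attributes
 ! Group pre-shared key the clients present (placeholder value).
 ikev1 pre-shared-key REPLACE-WITH-DIFFERENT-RANDOM-KEY

! Verify what was stored in the connection database.
show running-config tunnel-group
```

Because an L2L peer that matches no specific tunnel group falls back to DefaultL2LGroup, check with show running-config tunnel-group that each expected peer has its own entry rather than silently using the default.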

Links:

https://forum.networklessons.com/t/cisco-asa-site-to-site-ikev1-ipsec-vpn/825/128?u=lagapides

https://networklessons.com/cisco/asa-firewall/cisco-asa-site-site-ikev1-ipsec-vpn

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/T-Z/asa-command-ref-T-Z/m_tl-tz.html#wp2082736397

https://community.cisco.com/t5/vpn/tunnel-group-clarification/td-p/2833897