ASDM 5.2 User Guide
VPN General

General

Table Of Contents

General

Client Update

Edit Client Update Entry

Default Tunnel Gateway

Group Policy

Add/Edit External Group Policy

Add AAA Server Group

Add/Edit Internal Group Policy > General Tab

Browse Time Range

Add/Edit Time Range

Add/Edit Recurring Time Range

ACL Manager

Standard ACL Tab

Extended ACL Tab

Add/Edit/Paste ACE

Browse Source/Destination Address

Browse Source/Destination Port

Add TCP Service Group

Browse ICMP

Add ICMP Group

Browse Other

Add Protocol Group

Add/Edit Internal Group Policy > IPSec Tab

Add/Edit Client Access Rule

Add/Edit Internal Group Policy > Client Configuration Tab

Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab

View/Config Banner

Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab

Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab

Add/Edit Standard Access List Rule

Add/Edit Internal Group Policy > Client Firewall Tab

Add/Edit Internal Group Policy > Hardware Client Tab

Add/Edit Internal Group Policy > NAC Tab

Add/Edit Posture Validation Exception

WebVPN Tab > Functions Tab

Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab

Add/Edit Group Policy > WebVPN Tab > Homepage Tab

Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab

Add/Edit Port Forwarding List

Add/Edit Port Forwarding Entry

Add/Edit Group Policy > WebVPN Tab > Other Tab

Add/Edit Server and URL List

Add/Edit Server or URL

Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab

Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab

ACLs

Tunnel Group

Add/Edit Tunnel Group > General Tab > Basic Tab

Add/Edit Tunnel Group > General Tab > Authentication Tab

Add/Edit Tunnel Group > General Tab > Authorization Tab

Add/Edit Tunnel Group > General Tab > Accounting Tab

Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab

Add/Edit Tunnel Group > General Tab > Advanced Tab

Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab

Add/Edit Tunnel Group > PPP Tab

Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab

Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab

Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab

Add/Edit Tunnel Group > WebVPN Tab > Basic Tab

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab

Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab

VPN System Options

Zone Labs Integrity Server

Easy VPN Remote

Advanced Easy VPN Properties


General


A virtual private network is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANS, or remote users to a LAN. VPNs provide privacy and security by requiring all users to authenticate and by encrypting all data traffic.

This section describes the general VPN configuration attributes, including the following:

Client Update

Default Tunnel Gateway

Group Policy

Browse Time Range

ACL Manager

Tunnel Group

VPN System Options

Zone Labs Integrity Server

Easy VPN Remote

Advanced Easy VPN Properties

Client Update

The Client Update window lets administrators at a central location do the following actions:

Enable the update; specify the types and revision numbers of clients to which the update applies

Provide a URL or IP address from which to get the update

In the case of Windows clients, optionally notify users that they should update their VPN client version.


Note The Client Update function at Configuration > VPN > General > Client Update applies only to Windows clients and VPN 3002 hardware clients.


For Windows clients, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. You can apply client updates only to the IPSec remote-access tunnel-group type.


Note If you try to do a client update to an IPSec LAN-to-LAN tunnel group or a WebVPN tunnel group, you do not receive an error message, but no update notification or client update goes to those types of tunnel groups.


To enable client update globally for all clients of a particular client type, use this window. You can also notify all Windows clients that an upgrade is needed and initiate an upgrade on all VPN 3002 hardware clients from this window. To configure the client revisions to which the update applies and the URL or IP address from which to download the update, click Edit.

To configure client update revisions and software update sources for a specific tunnel group, see Configuration > VPN > General > Tunnel Group > Add/Edit > IPSec Tab > Client VPN Software Update Table.

Fields

Enable Client Update—Enables or disables client update, both globally and for specific tunnel groups. You must enable client update before you can send a client update notification to Windows VPN clients or initiate an automatic update to hardware clients.

Client Type—Lists the clients to upgrade: software or hardware, and for software clients, all Windows clients or a subset. If you click All Windows Based, do not specify Windows 95, 98 or ME and Windows NT, 2000 or XP individually. The hardware client gets updated with a release of the ASA 5505 software or of the VPN 3002 hardware client.

VPN Client Revisions—Contains a comma-separated list of software image revisions appropriate for this client. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and, for Windows-based clients, the user does not receive an update notification. The following caveats apply:

The revision list must include the software version for this update.

Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the hardware client.

The TFTP server for distributing the hardware client image must be a robust TFTP server.

A VPN client user must download an appropriate software version from the listed URL.

The VPN 3002 hardware client software is automatically updated via TFTP, with no notification to the user.

Image URL—Contains the URL or IP address from which to download the software image. This URL must point to a file appropriate for this client. For Windows-based clients, the URL must be in the form: http:// or https://. For hardware clients, the URL must be in the form tftp://.

For Windows-based VPN clients: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.

For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin

Edit—Opens the Edit Client Update Entry dialog box, which lets you configure or change client update parameters. See Edit Client Update Entry.

Live Client Update—Sends an upgrade notification message to all currently connected VPN clients or selected tunnel group(s).

Tunnel Group—Selects all or specific tunnel group(s) for updating.

Update Now—Immediately sends an upgrade notification containing a URL specifying where to retrieve the updated software to the currently connected Windows VPN clients in the selected tunnel group or all connected tunnel groups. The message includes the location from which to download the new version of software. The administrator for that VPN client can then retrieve the new software version and update the VPN client software.

For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification.

You must check Enable Client Update in the window for the upgrade to work. Clients that are not connected receive the upgrade notification or automatically upgrade the next time they log on.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Edit Client Update Entry

The Edit Client Update dialog box lets you change information about VPN client revisions and URLs for the indicated client types. The clients must be running one of the revisions specified for the indicated client type. If not, the clients are notified that an upgrade is required.

Fields

Client Type—(Display-only) Displays the client type selected for editing.

VPN Client Revisions—Lets you type a comma-separated list of software or firmware images appropriate for this client. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client. If the client is not running a software version on the list, an update is in order. The user of a Windows-based VPN client must download an appropriate software version from the listed URL. The VPN 3002 hardware client software is automatically updated via TFTP.

Image URL—Lets you type the URL for the software/firmware image. This URL must point to a file appropriate for this client.

For a Windows-based VPN client, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.

For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin

The directory is optional.
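The checks below, an added example rather than ASDM or ASA code, apply the rules stated for the Client Update window and the Edit Client Update Entry dialog box: a client whose revision is not on the comma-separated list gets an update, updates reach only IPSec remote-access tunnel groups, and the Image URL must use http:// or https:// for Windows clients and tftp:// for the VPN 3002. The client-type and tunnel-group-type strings are assumptions made for the example.

```python
from typing import List
from urllib.parse import urlsplit

# Client types as the Client Update window groups them
# (the string names are assumptions for this example).
WINDOWS_CLIENT = "windows"
HARDWARE_CLIENT = "vpn3002"

# URL scheme rules from the Image URL description: Windows clients download
# over http:// or https://, the VPN 3002 hardware client over tftp://.
ALLOWED_SCHEMES = {
    WINDOWS_CLIENT: ("http", "https"),
    HARDWARE_CLIENT: ("tftp",),
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_revision_list(revisions: str) -> List[str]:
    """Split the comma-separated VPN Client Revisions field. Entries must match
    the image names exactly, so only surrounding whitespace is trimmed."""
    return [r.strip() for r in revisions.split(",") if r.strip()]


def needs_update(client_revision: str, revisions: str) -> bool:
    """True when the connecting client's revision is not on the list, which is
    when a Windows client is notified or a VPN 3002 is updated over TFTP."""
    return client_revision.strip() not in parse_revision_list(revisions)


def update_is_sent(tunnel_group_type: str, enable_client_update: bool) -> bool:
    """Client update reaches only IPSec remote-access tunnel groups, and only
    when Enable Client Update is checked. LAN-to-LAN and WebVPN groups are
    skipped without an error message. The type name is an assumption."""
    return enable_client_update and tunnel_group_type == "ipsec-ra"


def validate_image_url(client_type: str, url: str) -> List[str]:
    """Return the problems found with an Image URL; an empty list means the
    entry follows http(s)://server_address:port/directory/filename (Windows)
    or tftp://server_address/directory/filename (hardware client)."""
    allowed = ALLOWED_SCHEMES.get(client_type)
    if allowed is None:
        return ["unknown client type %r" % client_type]
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in allowed:
        problems.append("scheme %r is not allowed for %s; expected one of %s"
                        % (parts.scheme or "(none)", client_type, ", ".join(allowed)))
    if not parts.hostname:
        problems.append("missing server address (IP address or DNS hostname)")
    if not parts.path or parts.path.endswith("/"):
        problems.append("URL must end in a filename; the directory is optional")
    # A port is needed only when it differs from 80 (HTTP) or 443 (HTTPS).
    try:
        port = parts.port
    except ValueError:
        problems.append("port is not a valid number")
        port = None
    if port is not None and DEFAULT_PORTS.get(parts.scheme) == port:
        problems.append("port %d is the default for %s and can be omitted"
                        % (port, parts.scheme))
    return problems
```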

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Default Tunnel Gateway

To configure the default tunnel gateway, click the Static Route link in this window. The Configuration > Routing > Routing > Static Route window opens.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Group Policy

The Group Policy window lets you manage VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS or LDAP server. Configuring the VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.

The "child" windows, tabs, and dialog boxes let you configure the default group parameters. These parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this default group, and users can "inherit" parameters from their group or the default group. You can override these parameters as you configure groups and users.

If you click Add, a small menu appears giving you the option to create a new internal group policy, or an external group policy that is stored externally on a RADIUS or LDAP server. Both the Add Internal Group Policy window and the Edit Group Policy window include six tabbed sections. If you click the WebVPN tab, you expose six additional tabs. Click each tab to display its parameters. As you move from tab to tab, the security appliance retains your settings. When you have finished setting parameters on all tabbed sections, click OK or Cancel.

In these dialog boxes, you configure the following kinds of parameters:

General Parameters: Protocols, filtering, connection settings, and servers.

IPSec Parameters: IP Security tunneling protocol parameters and client access rules.

Client Configuration Parameters: Banner, password storage, split-tunneling policy, default domain name, IPSec over UDP, backup servers.

Client FW Parameters: VPN Client personal firewall requirements.

Hardware Client Parameters: Interactive hardware client and individual user authentication; network extension mode.

WebVPN Parameters: SSL VPN access.

Before configuring these parameters, you should configure:

Access hours.

Rules and filters.

IPSec Security Associations.

Network lists for filtering and split tunneling

User authentication servers, and specifically the internal authentication server.

Fields

Group Policy—Contains a table listing the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN group policies.

Name—Lists the name of the currently configured group policies.

Type—Lists the type of each currently configured group policy.

Tunneling Protocol—Lists the tunneling protocol that each currently configured group policy uses.

AAA Server Group—Lists the AAA server group, if any, to which each currently configured group policy pertains.

Add—Displays the Add Group Policy dialog box, which lets you add a new AAA group policy to the list. This screen includes seven tabbed sections. Click each tab to display its parameters. As you move from tab to tab, ASDM retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.

Edit—Displays the Edit Group Policy dialog box, which lets you modify an existing AAA group policy.

Delete—Lets you remove an AAA group policy from the list. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Add/Edit External Group Policy

The Add or Edit External Group Policy dialog box lets you configure an external group policy.

Fields

Name—Identifies the group policy to be added or changed. For Edit External Group Policy, this field is display-only.

Server Group—Lists the available server groups to which to apply this policy.

Password—Specifies the password for this server group policy.

New—Opens a dialog box that lets you select whether to create a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Add AAA Server Group

The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

Fields

Server Group—Specifies the name of the server group.

Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.

Accounting Mode—Indicates whether to use simultaneous or single accounting mode. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.

Dead Time—Specifies, for depletion mode, the number of minutes (0 through 1440) that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default value is 10 minutes. This field is not available for timed mode.

Max Failed Attempts— Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive. The default value is 3 attempts.

Add/Edit Internal Group Policy > General Tab

The Add or Edit Group Policy window, General tab, lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. This is the default value for all of the attributes on this tab.

Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:

IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both LAN-to-LAN (peer-to-peer) connections and client-to-LAN connections can use IPSec.

WebVPN—VPN via SSL/TLS. Uses a web browser to establish a secure remote-access tunnel to a security appliance; requires neither a software nor hardware client. WebVPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

L2TP over IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.


Note If no protocol is selected, an error message appears.


Filter—Specifies the filter to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Configuration > Features > VPN > VPN General > Group Policy window.

Manage—Displays the ACL Manager window, with which you can add, edit, and delete Access Control Lists (ACLs) and Access Control Entries (ACEs). For more information about the ACL Manager, see the online Help for that window.

Connection Settings—Specifies the connection settings parameters.

Access Hours—If the Inherit check box is not selected, you can select the name of an existing access hours policy, if any, applied to this user or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.

Manage—Opens the Browse Time Range dialog box, on which you can add, edit, or delete a time range.

Simultaneous Logins—If the Inherit check box is not selected, this parameter specifies the maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.


Note While there is no maximum limit, allowing several simultaneous connections might compromise security and affect performance.


Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 35791394 minutes (over 4000 years). To allow unlimited connection time, select Unlimited (the default).

Idle Timeout—If the Inherit check box is not selected, this parameter specifies this user's idle timeout period in minutes. If there is no communication activity on the user's connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. The default is 30 minutes. To allow unlimited connection time, select Unlimited.

Servers—Configures DNS and WINS servers, and DHCP Scope.

DNS Servers—Specifies the DNS servers to use. If you deselect Inherit, you can specify the primary and secondary DNS servers in their respective boxes.

WINS Servers—Specifies the WINS servers to use. If you deselect Inherit, you can specify the primary and secondary WINS servers in their respective boxes.

DHCP Scope—Specifies the DHCP scope; that is, the range of IP addresses the security appliance DHCP server should use to assign addresses to users of this group policy. If you deselect Inherit, you can enter the scope in the box.
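The inheritance described for the Group Policy window and the General tab (a username entry inherits from its group, a group inherits from the default group policy, and any level can override) can be resolved with a short lookup. This is an added example, not ASDM code; the attribute names, the INHERIT sentinel and the Policy class are assumptions, and the bounds come from the Connection Settings text above.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

INHERIT = object()       # stands for a selected Inherit check box
UNLIMITED = "Unlimited"  # the Unlimited choice of the two timers

# Connection-setting bounds from the General tab:
# (minimum, maximum or None for no limit, value used when every level inherits)
LIMITS = {
    "simultaneous_logins": (0, None, 3),
    "max_connect_time": (1, 35791394, UNLIMITED),   # minutes
    "idle_timeout": (1, 10080, 30),                 # minutes
}


@dataclass
class Policy:
    """One level of the hierarchy: the default group policy, a group, or a
    username entry. Attributes that are not present are treated as Inherit."""
    name: str
    values: Dict[str, Any] = field(default_factory=dict)


def validate(attr: str, value: Any) -> None:
    """Reject values outside the ranges stated on the tab."""
    low, high, _default = LIMITS[attr]
    if value is UNLIMITED:
        if attr == "simultaneous_logins":
            raise ValueError("simultaneous logins has no Unlimited choice")
        return
    if not isinstance(value, int) or value < low or (high is not None and value > high):
        raise ValueError("%s=%r is outside %s..%s" % (attr, value, low, high))


def effective(attr: str, chain: List[Policy]) -> Tuple[Any, str]:
    """Resolve an attribute through [user, group, default group policy] and
    report which level supplied it. The tab default applies only when every
    level, the default group policy included, inherits."""
    for policy in chain:
        value = policy.values.get(attr, INHERIT)
        if value is not INHERIT:
            validate(attr, value)
            return value, policy.name
    return LIMITS[attr][2], "tab default"


def login_allowed(chain: List[Policy], active_sessions: int) -> bool:
    """A new login fits under the effective Simultaneous Logins value;
    a value of 0 disables login entirely."""
    limit, _source = effective("simultaneous_logins", chain)
    return active_sessions < limit
```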

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Browse Time Range

Use the Browse Time Range dialog box to add, edit, or delete a time range. A time range is a reusable component that defines starting and ending times that can be applied to a group policy. After defining a time range, you can select the time range and apply it to different options that require scheduling. For example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional recurring (that is, periodic) entries. For more information about time ranges, see the online Help for the Add or Edit Time Range dialog box.

Fields

Add—Opens the Add Time Range dialog box, on which you can create a new time range.


Note Creating a time range does not restrict access to the device.


Edit—Opens the Edit Time Range dialog box, on which you can modify an existing time range. This button is active only when you have selected an existing time range from the Browse Time Range table.

Delete—Removes a selected time range from the Browse Time Range table. There is no confirmation or undo of this action.

Name—Specifies the name of the time range.

Start Time—Specifies when the time range begins.

End Time—Specifies when the time range ends.

Recurring Entries—Lists the recurring entries, if any, that further constrain when the range is active within the specified start and end times.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Add/Edit Time Range

The Add or Edit Time Range dialog box lets you configure a new time range.

Fields

Time Range Name—Specifies the name that you want to assign to this time range.

Start Time—Defines the time when you want the time range to start.

Start now—Specifies that the time range starts immediately.

Start at—Selects the month, day, year, hour, and minute at which you want the time range to start.

End Time—Defines the time when you want the time range to end.

Never end—Specifies that the time range has no defined end point.

End at (inclusive)—Selects the month, day, year, hour, and minute at which you want the time range to end.

Recurring Time Ranges—Constrains the active time of this time range within the start and end times when the time range is active. For example, if the start time is start now and the end time is never end, and you want the time range to be effective every weekday, Monday through Friday, from 8:00 AM to 5:00 PM, you could configure a recurring time range, specifying that it is to be active weekdays from 08:00 through 17:00, inclusive.

Add—Opens the Add Recurring Time Range dialog box, on which you can configure a recurring time range.

Edit—Opens the Edit Recurring Time Range dialog box, on which you can modify a selected recurring time range.

Delete—Removes a selected recurring time range.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Add/Edit Recurring Time Range

The Add or Edit Recurring Time Range dialog box lets you configure or modify a recurring time range.

Fields

Specify days of the week and times on which this recurring range will be active—Makes available the options in the Days of the week area. For example, use this option when you want the time range to be active only every Monday through Thursday, from 08:00 through 16:59.

Days of the week—Select the days that you want to include in this recurring time range. Possible options are: Every day, Weekdays, Weekends, and On these days of the week. For the last of these, you can select a check box for each day that you want included in the range.

Daily Start Time—Specifies the hour and minute, in 24-hour format, when you want the recurring time range to be active on each selected day.

Daily End Time (inclusive)—Specifies the hour and minute, in 24-hour format, when you want the recurring time range to end on each selected day.

Specify a weekly interval when this recurring range will be active—Makes available the options in the Weekly Interval area. The range extends inclusively through the end time. All times in this area are in 24-hour format. For example, use this option when you want the time range to be active continuously from Monday at 8:00 AM through Friday at 4:30 PM.

From—Selects the day, hour, and minute when you want the weekly time range to start.

Through—Selects the day, hour, and minute when you want the weekly time range to end.
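The Browse Time Range, Add/Edit Time Range and Add/Edit Recurring Time Range dialog boxes together define when a range is active: an absolute start and inclusive end (or Start now / Never end), narrowed by daily or weekly recurring entries. The evaluator below is an added example, not ASA code; the class names are assumptions, and it also handles a weekly interval that wraps past Sunday, which the dialog text does not illustrate.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Set

MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY = range(7)
EVERY_DAY = set(range(7))
WEEKDAYS = {MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY}
WEEKENDS = {SATURDAY, SUNDAY}


def _minute(when: datetime) -> datetime:
    """Dialog times have minute resolution, so 16:59:30 is still 'through 16:59'."""
    return when.replace(second=0, microsecond=0)


@dataclass
class DailyEntry:
    """'Specify days of the week and times': active on each selected day
    from Daily Start Time through Daily End Time (inclusive), 24-hour format."""
    days: Set[int]
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= _minute(when).time() <= self.end


@dataclass
class WeeklyEntry:
    """'Specify a weekly interval': one continuous span From a day and time
    Through another day and time, inclusive, e.g. Monday 08:00 to Friday 16:30."""
    from_day: int
    from_time: time
    through_day: int
    through_time: time

    def active(self, when: datetime) -> bool:
        start = (self.from_day, self.from_time)
        end = (self.through_day, self.through_time)
        now = (when.weekday(), _minute(when).time())
        if start <= end:
            return start <= now <= end
        # Span that wraps past Sunday into the next week (an assumption added
        # here; the page only shows a Monday-to-Friday interval).
        return now >= start or now <= end


@dataclass
class TimeRange:
    """Start Time / End Time (None stands for Start now / Never end) plus the
    optional recurring entries; any matching entry makes the range active."""
    name: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None          # End at (inclusive)
    recurring: List[object] = field(default_factory=list)

    def active(self, when: datetime) -> bool:
        moment = _minute(when)
        if self.start is not None and moment < self.start:
            return False
        if self.end is not None and moment > self.end:
            return False
        if not self.recurring:
            return True
        return any(entry.active(when) for entry in self.recurring)
```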

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


ACL Manager

The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.

You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

If you do not define any filters, all connections are permitted.

The security appliance supports only an inbound ACL on an interface.

At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the security appliance denies it. ACEs are referred to as rules in this topic.

Standard ACL Tab

This pane provides summary information about standard ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Address—Displays the IP address or URL of the application or service to which the ACE applies.

Action—Specifies whether this filter permits or denies traffic flow.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Extended ACL Tab

This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Enabled—Enables or disables a rule. Implicit rules cannot be disabled.

Source—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.

Destination—Specifies the IP addresses (Host/Network) to which the addresses listed in the Source column are permitted or denied to send traffic. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses; for example, 209.165.201.1-209.165.201.30. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.

Service—Names the service and protocol specified by the rule.

Action—Specifies whether this filter permits or denies traffic flow.

Logging—Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and choose Edit Log Option. The Log Options window appears.

Time—Specifies the name of the time range to be applied in this rule.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)
[The availability marks of the original table are not preserved in this copy.]


Add/Edit/Paste ACE

The Add/Edit/Paste ACE dialog box lets you create a new extended access list rule, or modify an existing rule. The Paste option becomes available only when you cut or copy a rule.

Fields

Action—Determines the action type of the new rule. Select either permit or deny.

Permit—Permits all matching traffic.

Deny—Denies all matching traffic.

Source/Destination—Specifies the source or destination type and, depending on that type, the other relevant parameters describing the source or destination host/network IP Address. Possible values are: any, IP address, Network Object Group, and Interface IP. The availability of subsequent fields depends upon the value of the Type field:

any—Specifies that the source or destination host/network can be any type. For this value of the Type field, there are no additional fields in the Source or Destination area.

IP Address—Specifies the source or destination host or network IP address. With this selection, the IP Address, ellipsis button, and Netmask fields become available. Select an IP address or host name from the drop-down list in the IP Address field or click the ellipsis (...) button to browse for an IP address or name. Select a network mask from the drop-down list.

Network Object Group—Specifies the name of the network object group. Select a name from the drop-down list or click the ellipsis (...) button to browse for a network object group name.

Interface IP—Specifies the interface on which the host or network resides. Select an interface from the drop-down list. The default values are inside and outside. There is no browse function.

Protocol and Service—Specifies the protocol and service to which this ACE filter applies. Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.

You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.

Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select. The next few bullets describe the consequences of each of these selections:

Protocol: TCP and UDP—Selects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the ACL uses to match packets.

Source Port/Destination Port—(Available only for TCP and UDP protocols) Specifies an operator and a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP. The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range).

Group—(Available only for TCP and UDP protocols) Selects a source port service group. The Browse (...) button opens the Browse Source Port or Browse Destination Port dialog box.

Protocol: ICMP—Lets you select an ICMP type or ICMP group from a preconfigured list or browse (...) for an ICMP group. The Browse button opens the Browse ICMP dialog box.

Protocol: IP—Specifies the IP protocol for the rule in the IP protocol box. No other fields are available when you make this selection.

Protocol: Other—Lets you select a protocol from a drop-down list, select a protocol group from a drop-down list, or browse for a protocol group. The Browse (...) button opens the Browse Other dialog box.

Rule Flow Diagram—(Display only) Provides a graphical representation of the configured rule flow. This same diagram appears on the ACL Manager dialog box unless you explicitly close that display.

Options—Sets optional features for this rule, including logging parameters, time ranges, and description.

Logging—Enables or disables logging or specifies the use of the default logging settings. If logging is enabled, the Syslog Level and Log Interval fields become available.

Syslog Level—Selects the level of logging activity. The default is Informational.

Log Interval—Specifies the interval for permit and deny logging. The default is 300 seconds. The range is 1 through 6000 seconds.

Time Range—Selects the name of the time range to use with this rule. The default is (any). Click the Browse (...) button to open the Browse Time Range dialog box to select or add a time range.

Description—(Optional) Provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.
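To make the matching semantics of the fields above concrete, here is an added Python model (not ASDM or ASA code) of extended ACE evaluation: the port operators = / not = / > / < / range, a TCP/UDP service group built from the page's own example (HTTP, FTP and ports 5, 8 and 9), and first-match evaluation ending in the standard implicit deny. The service-name table, addresses and ACL contents are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Sequence, Union


@dataclass(frozen=True)
class PortSpec:
    """One Source/Destination Port entry: an operator and one or two ports."""
    op: str        # "eq" (=), "neq" (not =), "gt" (>), "lt" (<), "range"
    low: int
    high: int = 0  # upper bound of a "range"; unused by the other operators

    def matches(self, port: int) -> bool:
        if self.op == "eq":
            return port == self.low
        if self.op == "neq":
            return port != self.low
        if self.op == "gt":
            return port > self.low
        if self.op == "lt":
            return port < self.low
        if self.op == "range":
            return self.low <= port <= self.high
        raise ValueError(f"unknown port operator {self.op!r}")


# Constructed subset of the well-known service names offered in the port fields.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80, "https": 443}


def service_group(*members: Union[str, int]) -> List[PortSpec]:
    """A TCP/UDP service group from service names and port numbers; a packet
    matches the group when it matches any member, so ports need not be contiguous."""
    return [PortSpec("eq", SERVICES[m] if isinstance(m, str) else int(m)) for m in members]


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0   # ports are only meaningful for tcp/udp
    dport: int = 0


@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str = "any"                 # "any", a host address or a CIDR network
    dst: str = "any"
    sport: Sequence[PortSpec] = ()   # empty means any port
    dport: Sequence[PortSpec] = ()

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

    @staticmethod
    def _port_ok(specs: Sequence[PortSpec], port: int) -> bool:
        return not specs or any(s.matches(port) for s in specs)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (self._addr_ok(self.src, pkt.src) and self._addr_ok(self.dst, pkt.dst)):
            return False
        if self.proto in ("tcp", "udp"):  # port operators apply only to TCP and UDP
            return self._port_ok(self.sport, pkt.sport) and self._port_ok(self.dport, pkt.dport)
        return True


def evaluate(acl: Sequence[ACE], pkt: Packet) -> str:
    """Return the action of the first ACE that matches; the ACL ends in an
    implicit deny, so a packet that matches no ACE is denied."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# The page's example group (HTTP, FTP and ports 5, 8 and 9) in one ACE instead of
# five separate rules.  Addresses are constructed sample values.
WEB_GROUP = service_group("http", "ftp", 5, 8, 9)
EXAMPLE_ACL = [
    ACE("permit", "tcp", "10.1.1.0/24", "209.165.201.0/27", dport=WEB_GROUP),
    ACE("deny", "tcp", dport=[PortSpec("range", 1, 1023)]),
    ACE("permit", "udp", dport=[PortSpec("gt", 1023)]),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "209.165.201.10", 40000, 80),
                Packet("tcp", "10.1.1.5", "209.165.201.10", 40000, 25),
                Packet("udp", "10.1.1.5", "198.51.100.53", 5000, 53)):
        print(pkt, "->", evaluate(EXAMPLE_ACL, pkt))
```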

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Browse Source/Destination Address

The Browse Source or Destination Address dialog box lets you select an object to use as a source or destination for this rule.

Fields

Type—Determines the type of object to use as the source or destination for this rule. Selections are Network Objects, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Source/Destination Object Table—Displays the objects from which you can select a source or destination object. If you select All in the type field, each category of object appears under its own heading. The table has the following headings:

Name—Displays the network name (which may be an IP address) for each object.

IP address—Displays the IP address of each object.

Netmask—Displays the network mask to use with each object.

Description—Displays the description entered in the Add/Edit/Paste Extended Access List Rule dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Browse Source/Destination Port

The Browse Source or Destination Port dialog box lets you select a source or destination port for this protocol in this rule.

Fields

Add—Opens the Add TCP Service Group dialog box, on which you can configure a new TCP service group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the source or destination for this rule. Selections are Network Objects, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined protocols and service groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add TCP Service Group

The Add TCP Service Group dialog box lets you configure a new TCP service group or port to add to the browsable source or destination port list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new TCP service group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either a service/service group or a port number to add to the Members in Group list.

Service/Service Group—Selects the option to select the name of a TCP service or service group to add to the Members in Group list.

Port #—Selects the option to specify a range of port numbers to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Browse ICMP

The Browse ICMP dialog box lets you select an ICMP group for this rule.

Fields

Add—Opens the Add ICMP Group dialog box, on which you can configure a new ICMP group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the ICMP group for this rule. Selections are Network Objects, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined ICMP groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add ICMP Group

The Add ICMP Group dialog box lets you configure a new ICMP group by name or by number to add to the browsable ICMP list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new ICMP group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either an ICMP type/ICMP group or an ICMP number to add to the Members in Group list.

ICMP Type/ICMP Group—Selects the option to select the name of an ICMP group to add to the Members in Group list.

ICMP #—Selects the option to specify an ICMP member by number to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Browse Other

The Browse Other dialog box lets you select a protocol group for this rule.

Fields

Add—Opens the Add Protocol Group dialog box, on which you can configure a new protocol group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the protocol group for this rule. Selections are Network Objects, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined protocol groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add Protocol Group

The Add Protocol Group dialog box lets you configure a new protocol group by name or by number to add to the browsable protocol list for this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new protocol group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either a protocol/protocol group or a protocol number to add to the Members in Group list.

Protocol/Protocol Group—Selects the option to select the name of a protocol or protocol group to add to the Members in Group list.

Protocol #—Selects the option to specify a protocol by number to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Internal Group Policy > IPSec Tab

The Add or Edit Group Policy window, IPSec tab, lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. This is the default option for all attributes on this tab.

Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is selected.

IP Compression—Enables or disables IP Compression, unless the Inherit check box is selected.

Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPSec SA was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPSec protected data, and then use knowledge of the IKE SA secret to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPSec. The attacker would have to break each IPSec SA individually.

Tunnel Group Lock—Enables locking the tunnel group you select from the list, unless the Inherit check box or the value None is selected.

Client Access Rules—Lets you configure up to 25 client access rules. If you deselect the Inherit check box, the Add, Edit, and Delete buttons become active and the following column headings appear in the table:

Priority—Shows the priority for this rule.

Action—Specifies whether this rule permits or denies access.

Client Type—Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version—Specifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client.

Add—Adds a new rule for an IPSec group policy. This button is active only if the Inherit check box is deselected.

Edit—Modifies an existing rule for an IPSec group policy. This button is active only if the Inherit check box is deselected.

Delete—Removes an existing rule for an IPSec group policy. This button is active only if the Inherit check box is deselected. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Client Access Rule

Spawned from the Add or Edit Group Policy windows, IPSec tab, the Add or Edit Client Access Rule window adds a new client access rule for an IPSec group policy or modifies an existing rule.

Fields

Priority—Shows the priority for this rule.

Action—Specifies whether this rule permits or denies access.

VPN Client Type—Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset. Some common values for VPN Client Type include VPN 3002, PIX, Linux, * (matches all client types), Win9x (matches Windows 95, Windows 98, and Windows ME), and WinNT (matches Windows NT, Windows 2000, and Windows XP). If you choose *, do not configure individual Windows types such as Windows NT.

VPN Client Version—Specifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

You must specify the software version for this client. You can specify * to match any version.

Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the VPN 3002.

The TFTP server for distributing the hardware client image must be a robust TFTP server.

If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.

A VPN client user must download an appropriate software version from the listed URL.

The VPN 3002 hardware client software is automatically updated via TFTP.
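The following is an added Python model (not ASDM or ASA code) of how a client access rule table is evaluated as described above: rules are taken in priority order, a client type of * matches every type while Win9x and WinNT stand for their member Windows versions, version entries must match exactly unless they are *, and the first matching rule decides. The rule set and version strings are constructed sample values, and the result when no rule matches is not stated on this page, so it is an assumed, configurable default here.

```python
from dataclasses import dataclass
from typing import List, Sequence

# Individual Windows client types grouped under the Win9x and WinNT values.
WINDOWS_TYPES = {
    "Win9x": {"Win95", "Win98", "WinME"},
    "WinNT": {"WinNT", "Win2000", "WinXP"},
}


def type_matches(rule_type: str, client_type: str) -> bool:
    """'*' matches every client type; Win9x and WinNT match their members."""
    if rule_type == "*" or rule_type == client_type:
        return True
    return client_type in WINDOWS_TYPES.get(rule_type, set())


@dataclass(frozen=True)
class ClientAccessRule:
    priority: int
    action: str        # "permit" or "deny"
    client_type: str   # e.g. "VPN 3002", "PIX", "Linux", "Win9x", "WinNT", "*"
    versions: str      # comma-separated list of exact version strings, or "*"

    def version_matches(self, version: str) -> bool:
        # Entries must match the client's reported version exactly; "*" matches any.
        entries = [v.strip() for v in self.versions.split(",")]
        return "*" in entries or version in entries

    def matches(self, client_type: str, version: str) -> bool:
        return type_matches(self.client_type, client_type) and self.version_matches(version)


def check_access(rules: Sequence[ClientAccessRule], client_type: str,
                 version: str, default_action: str = "deny") -> str:
    """Evaluate the rules in priority order; the first match decides.  The
    outcome when nothing matches is an assumption here (default_action)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(client_type, version):
            return rule.action
    return default_action


def validate_rules(rules: Sequence[ClientAccessRule]) -> List[str]:
    """Flag the two configuration mistakes the page warns about: more than
    25 rules, and a '*' client type mixed with individual Windows types."""
    problems = []
    if len(rules) > 25:
        problems.append("more than 25 client access rules configured")
    types = {r.client_type for r in rules}
    all_windows = set(WINDOWS_TYPES) | set().union(*WINDOWS_TYPES.values())
    if "*" in types and types & all_windows:
        problems.append("'*' client type combined with individual Windows types")
    return problems


# Constructed rule set; the version strings are sample values, not real releases.
EXAMPLE_RULES = [
    ClientAccessRule(1, "deny", "WinNT", "4.0.1, 4.0.2"),
    ClientAccessRule(2, "permit", "WinNT", "*"),
    ClientAccessRule(3, "permit", "Win9x", "4.6.0"),
    ClientAccessRule(4, "permit", "VPN 3002", "4.1.7"),
]

if __name__ == "__main__":
    for ctype, ver in (("WinXP", "4.0.1"), ("WinXP", "4.7.0"), ("Win98", "4.6.0"),
                       ("Linux", "4.6.0"), ("VPN 3002", "4.1.7")):
        print(ctype, ver, "->", check_access(EXAMPLE_RULES, ctype, ver))
    print("problems:", validate_rules(EXAMPLE_RULES))
```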

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Internal Group Policy > Client Configuration Tab

The Add or Edit Group Policy window, Client Configuration tab contains three tabs that let you configure general client parameters, Cisco client parameters, and Microsoft client parameters.

For information about the individual tabs, see the following links:

Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab

Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab

Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab

This tab configures client attributes that are common across both Cisco and Microsoft clients, including the banner text, default domain, split tunnel parameters, and address pools.


Note The AnyConnect VPN Client and the SSL VPN Client do not support split DNS.


Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. Deselecting the Inherit check box makes other options available for the parameter. This is the default option for all attributes on this tab.

Banner—Specifies whether to inherit the banner from the default group policy or enter new banner text. For more information, see View/Config Banner.

Edit Banner—Displays the View/Config Banner dialog box, in which you can enter banner text, up to 500 characters.

Default Domain—Specifies whether to inherit the default domain from the default group policy or use a new default domain specified in the field.

Split Tunnel DNS Names (space delimited)—Specifies whether to inherit the split-tunnel DNS names from the default group policy or specify a new name or list of names in the field.

Split Tunnel Policy—Specifies whether to inherit the split-tunnel policy from the default group policy or select a policy from the menu. The menu options are to tunnel all networks, tunnel those in the network list below, or exclude those in the network list below.

Split Tunnel Network List—Specifies whether to inherit the split-tunnel network list from the default group policy or select from the drop-down list.

Manage—Opens the ACL Manager dialog box, on which you can manage standard and extended access control lists.

Address Pools—Configures the address pools available through this group policy.

Available Pools—Specifies a list of address pools for allocating addresses to remote clients. Deselecting the Inherit check box with no address pools in the Assigned Pools list indicates that no address pools are configured and disables inheritance from other sources of group policy.

Add—Moves the name of an address pool from the Available Pools list to the Assigned Pools list.

Remove—Moves the name of an address pool from the Assigned Pools list to the Available Pools list.

Assigned Pools (up to 6 entries)—Lists the address pools you have added to the assigned pools list. The address-pools settings in this table override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation. The order in which you specify the pools is significant. The security appliance allocates addresses from these pools in the order in which the pools appear in this list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


View/Config Banner

The View/Config Banner dialog box lets you enter into the text box up to 500 characters of text to be displayed as a banner for the specified client.


Note A carriage return/line feed, created by pressing Enter, counts as 2 characters.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab

This tab configures client attributes that are specific to Cisco clients, including password storage, enabling or disabling IPSec over UDP and setting the UDP port number, and configuring IPSec backup servers.

Fields

Store Password on Client System—Enables or disables storing the password on the client system.


Note Storing the password on a client system can constitute a potential security risk.


IPSec over UDP—Enables or disables using IPSec over UDP.

IPSec over UDP Port—Specifies the UDP port to use for IPSec over UDP.

IPSec Backup Servers—Activates the Server Configuration and Server IP Addresses fields, so you can specify the UDP backup servers to use if these values are not inherited.

Server Configuration—Lists the server configuration options to use as an IPSec backup server. The available options are: Keep Client Configuration (the default), Use the Backup Servers Below, and Clear Client Configuration.

Server Addresses (space delimited)—Specifies the IP addresses of the IPSec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Internal Group Policy > Client Configuration Tab > Microsoft Client Parameters Tab

This tab configures client attributes that are specific to Microsoft clients, specifically, proxy server parameters for Microsoft Internet Explorer.

Fields

Proxy Server Policy—Configures the Microsoft Internet Explorer browser proxy actions ("methods") for a client PC.

Do not modify client proxy settings—Leaves the HTTP browser proxy server setting in Internet Explorer unchanged for this client PC.

Do not use proxy—Disables the HTTP proxy setting in Internet Explorer for the client PC.

Auto-detect proxy—Enables the use of automatic proxy server detection in Internet Explorer for the client PC.

Use proxy server settings specified below—Sets the HTTP proxy server setting in Internet Explorer to use the value configured in the Proxy Server Name or IP Address field.

Proxy Server Settings—Configures the proxy server parameters for Microsoft clients using Microsoft Internet Explorer.

Proxy Server Name or IP Address—Specifies the IP address or name of a Microsoft Internet Explorer proxy server that is applied for this client PC.


Note ASDM lets you configure the proxy server name or IP address. To configure the optional port to use, as well as the server, you must use the msie-proxy server command in group-policy configuration mode.


Bypass Proxy Server for Local Addresses— Configures Microsoft Internet Explorer browser proxy local-bypass settings for a client PC. Select Yes to enable local bypass or No to disable local bypass.

Proxy Server Exception List—Configures Microsoft Internet Explorer browser proxy exception list settings for a local bypass on the client PC. Enter the list of addresses that you do not want to have accessed through a proxy server. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.

Name or IP Address (use * as a wildcard)—Specifies the IP address or name of an MSIE server that is applied for this client PC.

Add—Add the specified name or IP address to the Proxy Server Exceptions list.

Delete—Remove the specified name or IP address from the Proxy server Exceptions list.

Proxy Server Exceptions—Lists the server names and IP addresses that you want to exclude from proxy server access. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.

DHCP Intercept—Enables or disables DHCP Intercept. DHCP Intercept lets Microsoft XP clients use split-tunneling with the security appliance. The security appliance replies directly to the Microsoft Windows XP client DHCP Inform message, providing that client with the subnet mask, domain name, and classless static routes for the tunnel IP address. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask. This is useful in environments in which using a DHCP server is not advantageous.


Note A Microsoft XP anomaly results in the corruption of domain names if split tunnel options exceed 255 bytes. To avoid this problem, the security appliance limits the number of routes it sends to 27 to 40 routes, with the number of routes dependent on the classes of the routes.


Intercept DHCP Configure Message—Specifies whether to inherit the DHCP intercept policy from the group policy or to enable (Yes) or disable (No) DHCP policy.

Subnet Mask (optional)—Selects the subnet mask from the drop-down list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Standard Access List Rule

The Add/Edit Standard Access List Rule dialog box lets you create a new rule, or modify an existing rule.

Fields

Action—Determines the action type of the new rule. Select either permit or deny.

Permit—Permits all matching traffic.

Deny—Denies all matching traffic.

Host/Network IP Address—Identifies the networks by IP address.

IP address—The IP address of the host or network.

Mask—The subnet mask of the host or network.

Description—(Optional) Enter a description of the access rule.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed  Transparent    Single  Multiple
                               Context  System


Add/Edit Internal Group Policy > Client Firewall Tab

The Add or Edit Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified.


Note Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.


A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.

Fields

Inherit—Determines whether the group policy obtains its client firewall setting from the default group policy. This option is the default setting. When set, it overrides the remaining attributes in this tab and dims their names.

Client Firewall Attributes—Specifies the client firewall attributes, including what type of firewall (if any) is implemented and the firewall policy for that firewall.

Firewall Setting—Lists whether a firewall exists, and if so, whether it is required or optional. If you select No Firewall (the default), none of the remaining fields on this window are active. If you want users in this group to be firewall-protected, select either the Firewall Required or Firewall Optional setting.

If you select Firewall Required, all users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.


Note If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode and VPN 3002 hardware clients) are unable to connect.


If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall Type—Lists firewalls from several vendors, including Cisco. If you select Custom Firewall, the fields under Custom Firewall become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.

Custom Firewall—Specifies the vendor ID, Product ID and description for the custom firewall.

Vendor ID—Specifies the vendor of the custom firewall for this group policy.

Product ID—Specifies the product or model name of the custom firewall being configured for this group policy.

Description—(Optional) Describes the custom firewall.

Firewall Policy—Specifies the type and source for the custom firewall policy.

Policy defined by remote firewall (AYT)—Specifies that the firewall policy is defined by the remote firewall (Are You There). Policy defined by remote firewall (AYT) means that remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN client. The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN client ends the session.

Policy pushed (CPP)—Specifies that the security appliance pushes the firewall policy (Centralized Protection Policy) to the client. If you select this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active. The security appliance enforces on the VPN clients in this group the traffic management rules defined by the filters you choose from these lists. The available filters are the ACLs defined on this security appliance, including the default filters. Keep in mind that the security appliance pushes these rules down to the VPN client, so create and define them relative to the VPN client, not the security appliance: "in" and "out" refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works together with the policy of the local firewall; any packet blocked by the rules of either firewall is dropped.

Inbound Traffic Policy—Lists the available push policies for inbound traffic.

Outbound Traffic Policy—Lists the available push policies for outbound traffic.

Manage—Displays the ACL Manager window, on which you can configure Access Control Lists (ACLs).
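The CLI that ASDM writes for this tab, given here as an added example rather than text from the original page. The ACL names, the 10.10.0.0/16 corporate subnet, the vendor and product IDs and the group-policy names are assumptions, and the commands are the ASA 7.2 group-policy syntax as I recall it, so compare the result with `show running-config group-policy` on the appliance. It shows the point the CPP description makes: the ACLs are written from the client's side, `acl-in` for traffic arriving at the client and `acl-out` for traffic the client sends.

```cisco
! Added example, not from the original page. Names and addresses are assumptions.
!
! CPP ACLs are enforced on the VPN client, so direction is relative to the client:
!   acl-in  = traffic arriving at the client
!   acl-out = traffic the client sends
!
! Inbound: only the corporate network may initiate connections to the client.
access-list cpp-in extended permit ip 10.10.0.0 255.255.0.0 any
access-list cpp-in extended deny ip any any
!
! Outbound: the client may reach only the corporate network; everything else
! (split-tunnelled Internet traffic included) is dropped at the client.
access-list cpp-out extended permit ip any 10.10.0.0 255.255.0.0
access-list cpp-out extended deny ip any any
!
! Firewall Required, Firewall Type "Cisco Integrated Client Firewall",
! Policy pushed (CPP). A client without this firewall running is refused;
! with it, a packet blocked by either the pushed rules or the local
! firewall's own rules is dropped.
group-policy RemoteUsers attributes
 client-firewall req cisco-integrated acl-in cpp-in acl-out cpp-out
!
! Firewall Optional with a custom (third-party) firewall and AYT: the client
! polls its firewall every 30 seconds and ends the session if it stops.
! vendor-id and product-id are placeholders; use the values your firewall reports.
group-policy Contractors attributes
 client-firewall opt custom vendor-id 10 product-id 5 policy AYT description "Third-party host firewall"
```

Because CPP rules run on the client, a user who can stop the integrated firewall also stops the enforcement; pair Firewall Required with AYT polling where that matters.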

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Internal Group Policy > Hardware Client Tab

The Add or Edit Group Policy window, Hardware Client tab, lets you configure settings for the VPN 3002 hardware client for the group policy being added or modified. The Hardware Client tab parameters do not pertain to the ASA 5505 in client mode.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab.

Require Interactive Client Authentication—Enables or disables the requirement for interactive client authentication. This parameter is disabled by default. Interactive hardware client authentication provides additional security by requiring the VPN 3002 to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled, the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the security appliance to which it connects. The security appliance facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.

When you enable interactive hardware client authentication for a group, the security appliance pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.

If you subsequently disable interactive hardware client authentication for the group on the security appliance, the feature remains enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect even though it lacks a saved username and password and the security appliance has disabled interactive hardware client authentication. If you then configure a username and password on the VPN 3002, the feature is disabled locally, the prompt no longer appears, and the VPN 3002 connects to the security appliance using the saved username and password.

Require Individual User Authentication—Enables or disables the requirement for individual user authentication for users behind ASA 5505 in client mode or the VPN 3002 hardware client in the group. To display a banner to hardware clients in a group, individual user authentication must be enabled. This parameter is disabled by default.

Individual user authentication protects the central site from access by unauthorized persons on the private network of the hardware client. When you enable individual user authentication, each user that connects through a hardware client must open a web browser and manually enter a valid username and password to access the network behind the security appliance, even though the tunnel already exists.


Note You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.


If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the hardware client directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

If you try to access resources on the network behind the security appliance that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.

To authenticate, you must enter the IP address for the private interface of the hardware client in the browser Location or Address field. The browser then displays the login screen for the hardware client. To authenticate, click the Connect/Login Status button.

One user can log in for a maximum of four sessions simultaneously. Individual users authenticate according to the order of authentication servers configured for a group.

User Authentication Idle Timeout—Configures a user timeout period. The security appliance terminates the connection if it does not receive user traffic during this period. You can specify that the timeout period is a specific number of minutes or unlimited.

Unlimited—Specifies that the connection never times out. This option prevents inheriting a value from a default or specified group policy.

Minutes—Specifies the timeout period in minutes. Use an integer between 1 and 35791394. The default value is Unlimited.

Cisco IP Phone Bypass—Lets Cisco IP phones bypass the interactive individual user authentication processes. If enabled, interactive hardware client authentication remains in effect. Cisco IP Phone Bypass is disabled by default.


Note You must configure the ASA 5505 in client mode or the VPN 3002 hardware client to use network extension mode for IP phone connections.


LEAP Bypass—Lets LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled). LEAP Bypass lets LEAP packets from devices behind a hardware client travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). LEAP Bypass is disabled by default.


Note This feature does not work as intended if you enable interactive hardware client authentication.


IEEE 802.1X is a standard for port-based authentication on wired and wireless networks. It gives wireless LANs mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing the administrative burden and security weaknesses of static WEP keys.

Cisco Systems developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other. The credentials used for authentication, including the password, are never sent in the clear over the wireless medium. LEAP's challenge-response exchange is nonetheless known to be vulnerable to offline dictionary attack against weak passwords, so treat LEAP Bypass as support for a legacy deployment rather than as a strong control.


Note Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.


LEAP users behind a hardware client have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.

LEAP Bypass works as intended under the following conditions:

The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the hardware client before LEAP devices can connect using that tunnel.

Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).

Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.

The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).

The ASA 5505 or VPN 3002 can operate in either client mode or network extension mode.

LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.


Note Allowing any unauthenticated traffic to traverse the tunnel might pose a security risk.


Allow Network Extension Mode—Controls whether hardware clients in this group may use network extension mode. Check the option to allow it. Network extension mode is required for the hardware client to support IP phone connections, because the Call Manager can communicate only with actual IP addresses.


Note If you disable network extension mode (the default setting), the hardware client can connect to this security appliance in PAT mode only. If you disallow network extension mode here, be careful to configure all hardware clients in the group for PAT mode. If a hardware client is configured to use network extension mode and the security appliance to which it connects disallows network extension mode, the hardware client attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the hardware client puts an unnecessary processing load on the security appliance; large numbers of hardware clients that are misconfigured in this way reduce the ability of the security appliance to provide service.
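A group policy that satisfies the LEAP Bypass conditions listed above, added here as an example rather than text from the page. The group-policy name and the timeout value are assumptions, and the commands are the ASA 7.2 group-policy syntax as I recall it, to be checked against the ASA command reference. It keeps interactive (unit) authentication off because LEAP Bypass does not work with it, turns individual user authentication on because LEAP Bypass has no purpose without it, and allows network extension mode because IP Phone Bypass needs it.

```cisco
! Added example, not from the original page. The policy name and timeout are assumptions.
group-policy BranchHardwareClients attributes
 ! Require Interactive Client Authentication: off. LEAP Bypass does not work
 ! with it enabled, and a wired device would otherwise have to authenticate
 ! the unit before any LEAP client could use the tunnel.
 secure-unit-authentication disable
 ! Require Individual User Authentication: on. Each host behind the hardware
 ! client logs in through a browser before it can reach the central site.
 user-authentication enable
 ! User Authentication Idle Timeout: 30 minutes instead of Unlimited.
 user-authentication-idle-timeout 30
 ! Cisco IP Phone Bypass and LEAP Bypass: these packets cross the tunnel before
 ! individual user authentication, so they are unauthenticated traffic by design.
 ip-phone-bypass enable
 leap-bypass enable
 ! Allow Network Extension Mode: required for IP phones. A hardware client
 ! configured for network extension mode against a policy that disallows it
 ! retries every 4 seconds and is rejected each time.
 nem enable
```

If you do not have IP phones or Cisco Aironet LEAP clients behind the hardware client, leave `ip-phone-bypass` and `leap-bypass` disabled; each one opens a path across the tunnel that bypasses individual user authentication.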


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Internal Group Policy > NAC Tab

Configuration > VPN > General > Group Policy > Add/Edit Internal Group Policy > NAC Tab

The Add or Edit Internal Group Policy window, NAC tab, lets you configure Network Admission Control settings for the default group policy or an alternative group policy.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab.

Enable NAC—Requires posture validation for remote access. If the remote computer passes the validation checks, the ACS server downloads the access policy for the security appliance to enforce. The default setting is Disable.

Status Query Timer—The security appliance starts this timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query. Enter the number of seconds in the range 30 to 1800. The default setting is 300.

Revalidation Timer—The security appliance starts this timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds between each successful posture validation. The range is 300 to 86400. The default setting is 36000.

Default ACL— (Optional) The security appliance applies the security policy associated with the selected ACL if posture validation fails. Select None or select an extended ACL in the list. The default setting is None. If the setting is None and posture validation fails, the security appliance applies the default group policy.

Use the Manage button to populate the drop-down list and view the configuration of the ACLs in the list.

Manage— Opens the ACL Manager dialog box. Click to view, enable, disable, and delete extended ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs.

Posture Validation Exception List—Displays one or more attributes that exempt remote computers from posture validation. At minimum, each entry lists the operating system and an Enabled setting of Yes or No. An optional filter identifies an ACL used to match additional attributes of the remote computer. An entry that consists of an operating system and a filter requires the remote computer to match both to be exempt from posture validation. The security appliance ignores the entry if the Enabled setting is set to No.

Add—Adds an entry to the Posture Validation Exception list.

Edit—Modifies an entry in the Posture Validation Exception list.

Delete—Removes an entry from the Posture Validation Exception list.
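The CLI form of this tab, added here as an example that is not part of the page. The ACL names, the host addresses and the group-policy name are assumptions, and the commands are the ASA 7.2 group-policy NAC syntax as I recall it. The detail worth seeing is the Default ACL: when posture validation fails, the client keeps its tunnel but gets only what this extended ACL permits, so limit it to the remediation path. If Default ACL is left at None, a failed validation falls back to the default group policy, which usually grants far more than a quarantine should.

```cisco
! Added example, not from the original page. Names and addresses are assumptions.
!
! Default ACL applied when posture validation fails: only the remediation
! server and DNS are reachable, so a non-compliant host cannot roam the network.
access-list nac-quarantine extended permit tcp any host 10.10.1.5 eq 443
access-list nac-quarantine extended permit udp any host 10.10.1.2 eq 53
access-list nac-quarantine extended deny ip any any
!
! Filter ACL for a posture validation exception: identifies the exempt hosts.
access-list nac-exempt-hosts extended permit ip host 192.168.50.10 any
!
group-policy RemoteUsers attributes
 ! Enable NAC
 nac enable
 ! Status Query Timer, seconds (30 to 1800)
 nac-sq-period 300
 ! Revalidation Timer, seconds (300 to 86400)
 nac-reval-period 36000
 ! Default ACL
 nac-default-acl value nac-quarantine
 ! Posture Validation Exception entries. An entry with a filter requires the
 ! remote computer to match both the OS and the filter; "disable" is Enabled = No.
 vpn-nac-exempt os "Windows XP" filter nac-exempt-hosts
 vpn-nac-exempt os "Mac OS X" disable
```

Keep exception entries narrow: an OS-only exemption with Enabled set to Yes exempts every client that reports that operating system string.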

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Posture Validation Exception

Configuration > VPN > General > Group Policy > Add/Edit Internal Group Policy > NAC tab > Add/Edit

The Add/Edit Posture Validation Exception dialog window lets you exempt remote computers from posture validation, based on their operating system and other optional attributes that match a filter.

Operating System—Choose the operating system of the remote computer. If the computer is running this operating system, it is exempt from posture validation. The default setting is blank.

Enable—The security appliance checks the remote computer for the attribute settings displayed in this window only if you check Enabled. Otherwise, it ignores the attribute settings. The default setting is unchecked.

Filter— (Optional) Select an ACL whose entries identify additional attributes of the remote computer. When a filter is present, the computer must match both the Operating System value and the filter to be exempt from posture validation.

Manage— Opens the ACL Manager dialog box. Click to view, enable, disable, and delete extended ACLs and the ACEs in each ACL. Use this button to populate the list next to the Filter attribute.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


WebVPN Tab > Functions Tab

The WebVPN tab > Functions tab lets you configure the features available to WebVPN users. The interface visible to these WebVPN users varies depending on the values you set here. Users see a customized home page that includes only those features that you enable.

Inherit —Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow.

Enable URL entry—Places the URL entry box on the home page. If this feature is enabled, users can enter web addresses in the URL entry box, and use WebVPN to access those websites.

Using WebVPN does not ensure that communication with every site is secure. WebVPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.

In a WebVPN connection, the security appliance acts as a proxy between the end user's web browser and the target web servers. When a WebVPN user connects to an SSL-enabled web server, the security appliance establishes the SSL connection on the user's behalf and examines the server certificate itself; the end user's browser never receives that certificate and so cannot examine or validate it. The current implementation refuses to communicate with sites that present expired certificates, but the security appliance does not validate the certificate against a trusted CA, so an unexpired certificate from an untrusted issuer is not rejected. WebVPN users therefore cannot assess the certificate an SSL-enabled web server presents before communicating with it, and should treat a proxied HTTPS site as unverified.

To limit Internet access for WebVPN users, deselect the Enable URL Entry field. This prevents WebVPN users from surfing the Web during a WebVPN connection.

Enable file server access—Enables Windows file access (SMB/CIFS files only) through HTTPS. When this box is checked, users can access Windows files on the network. If you enable only this parameter for WebVPN file sharing, users can access only servers that you configure in the Servers and URLs area. To let users access servers directly or to browse servers on the network, see the Enable file server entry and Enable file server browsing attribute descriptions.

With this box checked, users can download, edit, delete, rename, and move files. They can also add files and folders.

Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

File access, server/domain access, and browsing require that you configure a WINS server or a master browser, typically on the same network as the security appliance, or reachable from that network. The WINS server or master browser provides the security appliance with a list of the resources on the network. You cannot use a DNS server instead.


Note File access is not supported in a native Active Directory environment when used with Dynamic DNS. It is supported if used with a WINS server.


Enable file server entry—Places the file server entry box on the portal page. File server access must be enabled.

With this box checked, users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Again, shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

Enable file server browsing—Lets users browse the Windows network for domains/workgroups, servers and shares. File server access must be enabled.

With this box checked, users can select domains and workgroups, and can browse servers and shares within those domains. Shares must also be configured for user access on the applicable Windows servers. Users may need to be authenticated before accessing servers, according to network requirements.

Enable auto applet download—Lets users automatically download and start the port forwarding Java applet when they log in to WebVPN. This feature is disabled by default, and you can enable it only if port forwarding, Outlook/Exchange proxy, or HTTP proxy is also enabled. You can enable auto applet download in the default group policy (DfltGrpPolicy) or in user-defined group policies.

Enable port forwarding—WebVPN Port Forwarding provides access for remote users in the group to client/server applications that communicate over known, fixed TCP/IP ports. Remote users can use client applications that are installed on their local PC and securely access a remote server that supports that application. Cisco has tested the following applications: Windows Terminal Services, Telnet, Secure FTP (FTP over SSH), Perforce, Outlook Express, and Lotus Notes. Other TCP-based applications may also work, but Cisco has not tested them.


Note Port Forwarding does not work with some SSL/TLS versions.


With this box checked users can access client/server applications by mapping TCP ports on the local and remote systems.


Caution Make sure Sun Microsystems Java™ Runtime Environment (JRE) 1.5.x is installed on the remote computers to support port forwarding (application access) and digital certificates. If JRE 1.4.x is running and the user authenticates with a digital certificate, the application fails to start because JRE cannot access the web browser's certificate store.

Enable Outlook/Exchange proxy—Enables the use of the Outlook/Exchange e-mail proxy.

Apply Web-type ACL—Applies the WebVPN access control list defined for the users of this group.

Enable HTTP Proxy—Enables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash: it bypasses content rewriting (mangling) while still routing the traffic through the security appliance. The forwarded proxy replaces the browser's existing proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client-side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.

Enable Citrix MetaFrame—Enables support for terminal services from a MetaFrame Application Server to the client. This attribute lets the security appliance act as a secure gateway within a secure Citrix configuration. These services provide users with access to MetaFrame applications through a standard Web browser.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Group Policy > WebVPN Tab > Content Filtering Tab

The Add or Edit Group Policy window, WebVPN tab, Content Filtering tab, lets you configure the security appliance to remove from proxied web pages the elements that use Java or ActiveX, run scripts, display images, or deliver cookies. By default, these parameters are disabled, which means that no filtering occurs.

Fields

Inherit—Determines whether this group policy inherits its content filtering values from the default group policy. This option is the default setting. When this attribute is checked, the remaining attributes are dim, indicating that you cannot set them.

Filter Java/ActiveX—Removes <applet>, <embed> and <object> tags from HTML.

Filter scripts—Removes <script> tags from HTML.

Filter images—Removes <img> tags from HTML. Removing images dramatically speeds the delivery of web pages.

Filter cookies from images—Removes cookies that are delivered with images. This may preserve user privacy, because advertisers use cookies to track visitors.
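The CLI equivalent of the Functions tab and this Content Filtering tab, added here as an example rather than text from the page. The group-policy name is an assumption and the commands are the ASA 7.2 group-policy webvpn syntax as I recall it, so verify them against the ASA command reference. The choices follow the cautions above: URL entry stays off so the portal does not become a general web proxy whose only certificate check is expiry, file browsing stays off, and the content filters strip the active-content tags.

```cisco
! Added example, not from the original page. The policy name is an assumption.
group-policy WebVPNUsers attributes
 webvpn
  ! Functions tab. url-entry is deliberately absent: users reach only the
  ! servers and URLs you list, not arbitrary sites proxied by the appliance.
  ! file-browsing is also absent; file-entry still lets users type a path.
  ! filter applies the web-type ACL chosen on the Other tab.
  functions file-access file-entry port-forward filter
  ! Content Filtering tab: remove <applet>/<embed>/<object>, <script>, and
  ! cookies delivered with images. Images themselves are left in place.
  html-content-filter java scripts cookies
```

Enabling file-access also requires a reachable WINS server or master browser, as described under Enable file server access; the content filter rewrites HTML the appliance proxies and does nothing for traffic that goes through port forwarding or the HTTP applet proxy.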

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Group Policy > WebVPN Tab > Homepage Tab

The Add or Edit Group Policy window, WebVPN tab, Homepage tab, lets you choose which home page, if any, WebVPN users in this group see and which customization (colors, logo, and so on) applies to it. The customization itself is defined in a customization object, not on this tab; this tab only selects it.

Fields

Inherit—Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for both the Webpage Customization and Custom Homepage attributes.

Webpage Customization—Specifies whether to inherit the webpage customizations from the default group policy, to apply an existing customization (selected from a list), or to create a new customization.

New—Opens the Add Customization Object dialog box, on which you can create and configure a new customization to apply to the GUI pages that the user sees.

Custom Homepage—Specifies whether to inherit the home page from the default group policy, use an existing URL as the home page, or use no home page.

Specify URL—Indicates that the subsequent fields specify the protocol, either http or https, and the URL of the Web page to use as the home page, as follows:

Protocol—Indicates whether to use http or https as the connection protocol for the home page.

:// field—Specifies the URL of the Web page to use as the home page.

Use none—Specifies that no home page is configured.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Group Policy > WebVPN Tab > Port Forwarding Tab

The Add or Edit Group Policy window, WebVPN tab, Port Forwarding tab, lets you configure port forwarding parameters.

Fields

Inherit—(Multiple instances) If checked, this option specifies that the default group policy sets the value of the associated attribute. This option is the default setting for both the Port Forwarding List and Applet Name attributes.

Port Forwarding List—Specifies whether to inherit the port forwarding list from the default group policy, select one from the list, or create a new port forwarding list.

New—Opens the Add Port Forwarding List window, on which you can add a new port forwarding list. See the description of the Add Port Forwarding List window.

Applet Name—Specifies whether to inherit the applet name or to use the name specified in the field. Specify this name to identify port forwarding to end users. The name you configure appears in the end user interface as a hotlink. When users click this link, a Java applet opens a window that displays a table that lists and provides access to port forwarding applications that you configure for these users. The default applet name is Application Access.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Port Forwarding List

The Add Port Forwarding List dialog box lets you specify the name of a port forwarding list and displays a list of configured port forwarding entries.

Fields

List Name—Assigns a name to the port forwarding list you want to add.

Local TCP Port—Lists the local TCP port for each entry in the port forwarding list.

Remote Server—Lists the remote server for each entry in the port forwarding list.

Remote TCP Port—Lists the remote TCP port for each entry in the port forwarding list.

Description—(Optional) Lists a description, up to 64 characters long, for each entry in the port forwarding list.

Add—Opens the Add Port Forwarding Entry dialog box, on which you can configure a new port forwarding entry.

Edit—Opens the Edit Port Forwarding Entry dialog box, on which you can modify an existing port forwarding entry.

Delete—Removes a selected port forwarding entry from the port forwarding list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Port Forwarding Entry

The Add or Edit Port Forwarding Entry dialog box lets you configure a single entry in a port forwarding list: the local TCP port, the remote server, the remote TCP port, and an optional description.

Fields

Local TCP Port—Specifies the local TCP port for this port forwarding list entry.

Remote Server—Specifies the remote server for this port forwarding list entry.

Remote TCP Port—Specifies the remote TCP port for this port forwarding list entry.

Description—(Optional) Specifies a description, up to 64 characters, for this port forwarding list entry.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Group Policy > WebVPN Tab > Other Tab

The Add or Edit Group Policy window, WebVPN tab, Other tab, lets you configure servers and URL lists and the Web-type ACL ID.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow.

Servers and URL Lists—Specifies whether to inherit the list of Servers and URLs, to select an existing list, or to create a new list.

New—Displays a dialog box in which you can add a new server or URL to the list.

Web-Type ACL ID—Specifies whether to inherit the web-type ACL ID, select the identifier of an existing Web-Type ACL to use, or add or modify a web-type ACL.

Manage—Opens the ACL Manager dialog box on which you can manage web-type ACLs.

SSO Server—Specifies whether to inherit the single-sign-on server setting, to select an existing SSO server from the list, or to add a new SSO server.

New—Opens the Add SSO Server dialog box, on which you can configure a new server for the list.

HTTP Compression—Specifies whether to inherit the HTTP Compression setting from the default group, or explicitly to enable or disable HTTP compression.

Keepalive Ignore—Specifies whether to inherit the setting from the default group, or sets the maximum size, per transaction, of HTTP/HTTPS traffic that the security appliance ignores, so that transactions at or below this size do not count as user activity for session timing. The range is 0 through 900 KB.

Deny Message—Lets you inherit, specify, or remove the message to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges, as follows:

Check Inherit to inherit from the default group the message to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges.

Uncheck and erase the text in the field, to not send a message to remote users who log into WebVPN successfully, but have no VPN privileges.

Uncheck, and create or modify the message (up to 490 characters long) in the field, to be sent to remote users who log in to WebVPN successfully, but have no VPN privileges. The default message is as follows: "Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."
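The CLI behind the Port Forwarding tab, its list and entry dialogs, and this Other tab, added here as an example rather than text from the page. The list names, hostnames, ports, ACL names and group-policy name are assumptions, and the commands are the ASA 7.2 syntax as I recall it, to be checked against the ASA command reference. It shows two things a practitioner tends to get wrong: the port forwarding list is a global object that the group policy only references, and a web-type ACL should end in an explicit deny so that the listed servers are the only ones reachable.

```cisco
! Added example, not from the original page. Names, hosts and ports are assumptions.
!
! Port Forwarding List "Corp-Apps": one entry per client/server application,
! as local TCP port, remote server, remote TCP port, description.
port-forward Corp-Apps 3389 rdp.corp.example.com 3389 "Terminal Services"
port-forward Corp-Apps 2222 sftp.corp.example.com 22 "Secure FTP over SSH"
port-forward Corp-Apps 1352 notes.corp.example.com 1352 "Lotus Notes"
!
! Web-type ACL: permit the intranet and the file share, deny everything else.
access-list Web-ACL webtype permit url https://intranet.corp.example.com/*
access-list Web-ACL webtype permit url cifs://files.corp.example.com/*
access-list Web-ACL webtype deny url any
!
! Servers and URL list shown on the portal home page (display name, then URL).
url-list Corp-Links "Intranet" https://intranet.corp.example.com
url-list Corp-Links "Helpdesk" https://helpdesk.corp.example.com
!
group-policy WebVPNUsers attributes
 webvpn
  ! Port Forwarding tab: Port Forwarding List and Applet Name
  port-forward value Corp-Apps
  port-forward-name value "Application Access"
  ! Other tab: Servers and URL Lists, Web-Type ACL ID, HTTP Compression,
  ! Keepalive Ignore (KB), Deny Message
  url-list value Corp-Links
  filter value Web-ACL
  http-comp gzip
  keep-alive-ignore 4
  deny-message value "Login succeeded, but this account has no VPN privileges. Contact the helpdesk."
```

Port forwarding entries are not subject to the web-type ACL; the only access control on a forwarded port is the list itself, so keep it to the servers and ports the group actually needs.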

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit Server and URL List

The Add or Edit Server and URL List dialog box lets you add, edit, delete, and order the items in the designated URL list.

Fields

List Name—Specifies the name of the list to be added or selects the name of the list to be modified or deleted.

URL Display Name—Specifies the URL name displayed to the user.

URL—Specifies the actual URL associated with the display name.

Add—Opens the Add Server or URL dialog box, on which you can configure a new server or URL and display name.

Edit—Opens the Edit Server or URL dialog box, on which you can modify the selected server or URL and its display name.

Delete—Removes the selected item from the server and URL list. There is no confirmation or undo.

Move Up/Move Down—Changes the position of the selected item in the server and URL list.

Add/Edit Server or URL

The Add or Edit Server or URL dialog box lets you specify one entry in the designated URL list: the display name shown to the user and the URL it opens.

Fields

URL Display Name—Specifies the URL name displayed to the user.

URL—Specifies the actual URL associated with the display name.

Add/Edit Group Policy > WebVPN Tab > SSL VPN Client Tab

The Add or Edit Group Policy window, WebVPN tab, SSL VPN Client tab, lets you configure the security appliance to download SSL VPN clients (SVCs) to remote computers.

SVC is a VPN tunneling technology that gives remote users the benefits of an IPSec VPN client without the need for network administrators to install and configure IPSec VPN clients on remote computers. The SVC uses the SSL encryption that is already present on the remote computer as well as the WebVPN login and authentication of the security appliance.

To establish an SVC session, the remote user enters the IP address of a WebVPN interface of the security appliance in the browser, and the browser connects to that interface and displays the WebVPN login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the SVC, the security appliance downloads the SVC to the remote computer. If the security appliance identifies the user as having the option to use the SVC, the security appliance downloads the SVC to the remote computer while presenting a link on the user screen to skip the SVC installation.

After downloading, the SVC installs and configures itself, and then the SVC either remains or uninstalls itself (depending on the configuration) from the remote computer when the connection terminates.

The security appliance might have several unique SVC images residing in cache memory for different remote computer operating systems. When the user attempts to connect, the security appliance can consecutively download portions of these images to the remote computer until the image and operating system match, at which point it downloads the entire SVC. You can order the SVC images to minimize connection setup time, with the first image downloaded representing the most commonly-encountered remote computer operating system.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab.

Use SSL VPN Client—Specifies whether to inherit the value of this attribute from the default group policy, or when to use the SSL VPN Client: always, optionally, or never.

Keep Installer on Client System—Yes keeps the SVC permanently installed on the remote computer, disabling the automatic uninstall at session end; No lets the SVC uninstall itself when the connection terminates. Keeping the SVC installed reduces the connection time for subsequent SVC sessions.

Compression—Enables or disables compression on the SVC connection.

SVC compression increases the communications performance between the security appliance and the SVC by reducing the size of the packets being transferred.

Keepalive Messages—Adjusts the frequency of keepalive messages, in the range of 15 to 600 seconds.

You can adjust the frequency of keepalive messages to ensure that an SVC connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the frequency also ensures that the SVC does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.

Key Renegotiation Settings—When the security appliance and the SVC perform a rekey, they renegotiate the crypto keys and initialization vectors, increasing the security of the connection.

Renegotiation Interval—Specifies the number of minutes from the start of the session until the rekey takes place, from 1 through 10080 (1 week).

Renegotiation Method—Specifies whether and how the SVC establishes a new tunnel during SVC rekey. If you select None, SVC rekey is disabled. If you select SSL, SSL renegotiation takes place during SVC rekey. If you select New tunnel, the SVC establishes a new tunnel during SVC rekey. We recommend that you configure SSL as the rekey method.

Dead Peer Detection—Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the SVC can quickly detect a condition where the peer is not responding, and the connection has failed.

Gateway Side Detection—Enables DPD performed by the security appliance (gateway) and specifies the frequency, from 30 to 3600 seconds, with which the security appliance performs DPD. If you uncheck enable, DPD performed by the security appliance is disabled.

Client Side Detection—Enables DPD performed by the SVC (client), and specifies the frequency, from 30 to 3600 seconds, with which the SVC performs DPD. If you uncheck enable, DPD performed by the SVC is disabled.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Group Policy > WebVPN Tab > Auto Signon Tab

The Auto Signon window or tab lets you configure or edit auto signon for WebVPN users. Auto signon is a simplified single signon method that you can use if you do not already have an SSO method deployed on your internal network. With auto signon configured for particular internal servers, the security appliance passes the login credentials that the WebVPN user used to log in to the security appliance (username and password) to those particular internal servers. You configure the security appliance to respond to a specific authentication method for a particular range of servers. The authentication methods you can configure the security appliance to respond to are NTLM authentication, HTTP Basic authentication, or both methods.

Auto signon is a straightforward method for configuring SSO for particular internal servers. This section describes the procedure for setting up SSO with auto signon. If you already have SSO deployed using Computer Associates' SiteMinder SSO server and want to configure the security appliance to support this solution, see SSO Servers. If you use SSO with HTTP Forms protocol and want to configure the security appliance to support this method, see AAA Setup.

Fields

Inherit—Checked by default, so the auto signon entries come from the default group policy. Uncheck to define, for this group policy, the internal servers to which the WebVPN login credentials are passed.

IP Address—Display only. In conjunction with the following Mask, displays the IP address range of the servers to be authenticated to as configured with the Add/Edit Auto Signon dialog box. You can specify a server using either the server URI or the server IP address and mask.

Mask—Display only. In conjunction with the preceding IP Address, displays the IP address range of the servers configured to support auto signon with the Add/Edit Auto Signon dialog box.

URI—Display only. Displays a URI mask that identifies the servers configured with the Add/Edit Auto Signon dialog box.

Authentication Type—Display only. Displays the type of authentication—basic HTTP, NTLM, or basic and NTLM—as configured with the Add/Edit Auto Signon dialog box.

Add/Edit—Click to add or edit an auto signon instruction. An auto signon instruction defines a range of internal servers using the auto signon feature and the particular authentication method.

Delete—Click to delete an auto signon instruction selected in the Auto Signon table.
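The scope decision behind the fields above, written out as an added example (not Cisco code, and not from the original page): an entry names its servers either by IP address and mask or by a URI mask, carries the authentication type the appliance answers, and the user's own WebVPN credentials are sent only when a server inside that scope challenges with a matching method. The entry layout, function names and sample entries are this example's own; that a server addressed by hostname is matched only by URI-mask entries is an assumption.

```python
"""Scope check for auto signon: may the WebVPN login credentials be replayed
to this internal server for this challenge?

Added example, not Cisco code. Assumptions: an entry is an IP/mask pair or a
URI mask plus an authentication type; a server addressed by hostname is only
ever matched by a URI-mask entry.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AutoSignonEntry:
    auth_type: str              # "basic", "ntlm" or "all"
    ip: Optional[str] = None    # used together with mask
    mask: Optional[str] = None
    uri: Optional[str] = None   # URI mask such as "https://*.corp.example.com/*"


def entry_matches(entry: AutoSignonEntry, url: str) -> bool:
    """True when the server named in url falls inside this entry's scope."""
    if entry.uri is not None:
        # Case-insensitive wildcard match over the whole URL.
        return fnmatch.fnmatchcase(url.lower(), entry.uri.lower())
    try:
        host = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return False  # hostname in the URL: an IP/mask entry cannot vouch for it
    return host in ipaddress.ip_network(f"{entry.ip}/{entry.mask}", strict=False)


def credentials_for(entries: List[AutoSignonEntry], url: str,
                    challenge: str) -> Optional[AutoSignonEntry]:
    """Entry under which credentials are sent for a WWW-Authenticate scheme.

    Returns None when the credentials must not be sent. Only Basic and NTLM
    challenges are answered; anything else (Digest, Negotiate, a form) gets
    nothing from auto signon.
    """
    scheme = challenge.lower()
    if scheme not in ("basic", "ntlm"):
        return None
    for entry in entries:
        if entry_matches(entry, url) and entry.auth_type in (scheme, "all"):
            return entry
    return None


# Constructed sample configuration: NTLM for one internal /16, both methods
# for servers under corp.example.com.
SAMPLE_ENTRIES = [
    AutoSignonEntry("ntlm", ip="10.1.0.0", mask="255.255.0.0"),
    AutoSignonEntry("all", uri="https://*.corp.example.com/*"),
]
```

Because it is the user's own VPN password that gets replayed, keep each entry as narrow as the servers need: a mask of 0.0.0.0 0.0.0.0 or a URI mask of https://* would hand every portal user's credentials to any server they reach through the portal, and a Basic entry exposes that password to the server in the clear on the internal leg.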

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


ACLs

This window lets you configure ACLs for WebVPN.

Fields

View (Unlabeled)—Indicates whether the selected entry is expanded (minus sign) or contracted (plus sign).

# column—Specifies the ACE ID number.

Enable—Indicates whether this ACE is enabled or disabled. You can enable or disable the ACE using this check box; a disabled ACE stays in the list but is not evaluated.

Action—Specifies whether this ACE permits or denies access.

Type—Specifies whether this ACE applies to a URL or to a TCP address and port.

Filter—Specifies the URL or address/port filter that this ACE applies.

Syslog Level (Interval)—Specifies the syslog level and logging interval for matches on this ACE, if logging is enabled.

Time Range—Specifies the name of the time range, if any, during which this ACE is active. The time range can be a single interval or a series of periodic ranges.

Description—Specifies the description, if any, of the ACL or ACE.

Add ACL—Displays the Add Web Type ACL dialog box, in which you can specify an ACL ID.

Add ACE—Displays the Add Web Type ACE dialog box, in which you specify parameters for the named ACL. This button is active only if there are one or more entries in the Web Type ACL table.

Edit ACE/Delete—Click to edit or delete the highlighted ACL or ACE. When you delete an ACL, you also delete all of its ACEs. There is no confirmation or undo.

Move Up/Move Down—Highlight an ACL or ACE and click these buttons to change the order of ACLs and ACEs. The security appliance checks WebVPN ACLs and their ACEs in priority order according to their position in the ACLs list box until it finds a match.
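First-match evaluation is what makes the order set with Move Up/Move Down matter. The following is an added example, not Cisco code and not from the original page, that models that rule for a web-type ACL: ACEs are consulted in list order, the first match decides, a disabled ACE or one outside its time range is skipped, and a request matching nothing is denied (the implicit deny that applies to ACLs generally). The ACE layout, function names, the tcp://host:port request form and the sample list are this example's own.

```python
"""First-match evaluation of an ordered web-type (WebVPN) ACL.

Added example, not Cisco code. URL ACEs match the whole URL against a
wildcard pattern; TCP ACEs match an address/network plus optional port for
requests written here as tcp://host:port.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class WebAce:
    action: str                     # "permit" or "deny"
    kind: str                       # "url" or "tcp"
    pattern: str                    # URL wildcard pattern, or CIDR for tcp
    port: Optional[int] = None      # tcp only; None means any port
    enabled: bool = True
    time_range_active: bool = True  # outcome of the ACE's time range, if any


def _url_match(ace: WebAce, url: str) -> bool:
    # Case-insensitive glob over the whole URL; '*' also spans '/'.
    return fnmatch.fnmatchcase(url.lower(), ace.pattern.lower())


def _tcp_match(ace: WebAce, parts) -> bool:
    try:
        addr = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        return False  # a hostname, not an address: TCP ACEs match addresses only
    if addr not in ipaddress.ip_network(ace.pattern, strict=False):
        return False
    return ace.port is None or ace.port == parts.port


def evaluate(acl: List[WebAce], request: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding ACE); ("deny", None) is the implicit deny."""
    parts = urlsplit(request)
    is_tcp = parts.scheme == "tcp"
    for idx, ace in enumerate(acl):
        if not ace.enabled or not ace.time_range_active:
            continue  # cleared Enable box, or outside its time range
        if ace.kind == "url" and not is_tcp and _url_match(ace, request):
            return ace.action, idx
        if ace.kind == "tcp" and is_tcp and _tcp_match(ace, parts):
            return ace.action, idx
    return "deny", None


# Constructed sample list: the deny for the admin area must sit above the
# broad permit, or the permit shadows it.
SAMPLE_ACL = [
    WebAce("deny", "url", "https://intranet.example.com/admin*"),
    WebAce("permit", "url", "https://*.example.com/*"),
    WebAce("permit", "tcp", "10.1.0.0/16", port=3389),
    WebAce("deny", "url", "https://*.example.com/*", enabled=False),
]
```

Swapping the first two entries of SAMPLE_ACL turns the admin request from a deny into a permit without changing a single ACE, which is the review check to make after every Move Up/Move Down: read the list top to bottom and confirm no broad permit sits above a narrower deny.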

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Tunnel Group

The parameters in the Tunnel Group window let you manage VPN tunnel groups. A VPN tunnel group represents a connection-specific record for IPSec and WebVPN connections.

The IPSec group uses the IPSec tunnel-group parameters to create the tunnel. An IPSec tunnel group can be either remote-access or LAN-to-LAN. The IPSec group is configured on the internal server or on an external RADIUS server. For hardware clients (ASA 5505 in client mode or VPN 3002), the IPSec tunnel group parameters that enable or disable interactive hardware client authentication and individual user authentication take precedence over the same parameters set for users and groups.

The WebVPN tunnel-group parameters are the parameters of the WebVPN group that you want to apply to this tunnel group. You configure WebVPN access on the Configuration > WebVPN window.

Fields

Tunnel Group—Shows the configured parameters for existing VPN tunnel groups. The Tunnel Group table contains the following columns:

Name—Specifies the name or IP address of the tunnel group.

Type—Indicates the type of tunnel; for example, ipsec-l2l indicates an IPSec LAN-to-LAN tunnel. The other possibilities are ipsec-ra (IPSec remote access) and webvpn.

Group Policy—Indicates the name of the group policy for this tunnel group.

Add—Offers a menu letting you choose a tunnel type: IPSec for Remote Access, IPSec for LAN-to-LAN Access, or WebVPN Access, and opens a dialog box on which you can configure the new tunnel group.

Edit—Opens a dialog box that lets you modify an existing tunnel group.

Delete—Removes the selected tunnel group from the list.

Group Delimiter—Lets you select the delimiter character to use when parsing tunnel group names from the user names that the security appliance receives when tunnels are being negotiated. By default, no delimiter is specified, disabling group-name parsing.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > General Tab > Basic Tab

The Add or Edit window, General tab, Basic tab lets you specify a name for the tunnel group that you are adding, lets you select the group policy, and lets you specify whether to strip the realm and/or group from the username before passing it on to the AAA server. You can also configure password management.

On the Edit Tunnel Group window, the General tab displays the name and type of the selected tunnel group. All other functions are the same as for the Add Tunnel Group window.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—Displays the type of tunnel group you are adding or editing. For Edit, this is a display-only field whose contents depend on your selection in the Add window.

Group Policy—Lists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy.

Strip the realm (administrative domain) from the username before passing it on to the AAA server—Enables or disables stripping the realm from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server, so the security appliance no longer refuses the login because of that indication.


Note Allowing override account-disabled is a potential security risk: while it is set, disabling the account on the AAA server is no longer an effective way to block that user's VPN access.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.

Enable notification prior to expiration—When you check this option, the security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this setting if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.

Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > General Tab > Authentication Tab

This tab is available for IPSec Remote Access and LAN-to-LAN tunnel groups. The settings on this tab apply to the tunnel group globally across the security appliance. To set authentication server group settings per interface, click the Advanced tab. The Add or Edit Tunnel Group window > General tab > Authentication tab lets you configure the following attributes:

Authentication Server Group—Lists the available authentication server groups, including the LOCAL group (the default). You can also select None. Selecting something other than None or LOCAL makes available the Use LOCAL if Server Group Fails check box. To set the authentication server group per interface, go to the Advanced tab.

Use LOCAL if Server Group fails—Enables or disables fallback to the LOCAL database if the group specified by the Authentication Server Group attribute fails.

NAC Authentication Server Group—Specifies the authentication server group to use for posture validation. This field is active only if you have configured NAC on the security appliance. You must have an ACS group consisting of at least one server configured to support NAC. The list displays the names of all server groups of type RADIUS configured on this security appliance that are available for remote access tunnels.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > General Tab > Authorization Tab

This tab is available for IPSec Remote Access and LAN-to-LAN tunnel groups. The settings on this tab apply to the tunnel group globally across the security appliance. On this tab, you can configure the following attributes:

Authorization Server Group—Lists the available authorization server groups, including the LOCAL group. When VPN Authorization is defined as LOCAL, the attributes configured in the default group policy DfltGrpPolicy are enforced. You can also select None (the default). Selecting something other than None makes available the check box for Users must exist in authorization database to connect.

Users must exist in the authorization database to connect—Tells the security appliance to allow only users in the authorization database to connect. By default this feature is disabled. You must have a configured authorization server to use this feature.

Interface-Specific Authorization Server Groups—(Optional) Lets you configure authorization server groups on a per-interface basis. Interface-specific authorization server groups take precedence over the global server group. If you do not explicitly configure interface-specific authorization, authorization takes place only at the group level.

Interface—Select the interface on which to perform authorization. The standard interfaces are outside (the default), inside, and DMZ. If you have configured other interfaces, they also appear in the list.

Server Group—Select an available, previously configured authorization server group or group of servers, including the LOCAL group. You can associate a server group with more than one interface.

Add—Click Add to add the interface/server group setting to the table and remove the interface from the available list.

Remove—Click Remove to remove the interface/server group from the table and restore the interface to the available list.

Authorization Settings—Lets you set values for usernames that the security appliance recognizes for authorization. This applies to users that authenticate with digital certificates and require LDAP or RADIUS authorization.

Use the entire DN as the username—Allows the use of the entire Distinguished Name (DN) as the username.

Specify individual DN fields as the username—Enables the use of individual DN fields as the username.

Primary DN Field—Lists all of the DN field identifiers for your selection.

DN Field                        Definition
Country (C)                     Two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.
Common Name (CN)                Name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.
DN Qualifier (DNQ)              Specific DN attribute.
E-mail Address (EA)             E-mail address of the person, system or entity that owns the certificate.
Generational Qualifier (GENQ)   Generational qualifier such as Jr., Sr., or III.
Given Name (GN)                 First name of the certificate owner.
Initials (I)                    First letters of each part of the certificate owner's name.
Locality (L)                    City or town where the organization is located.
Name (N)                        Name of the certificate owner.
Organization (O)                Name of the company, institution, agency, association, or other entity.
Organizational Unit (OU)        Subgroup within the organization.
Serial Number (SER)             Serial number of the certificate.
Surname (SN)                    Family name or last name of the certificate owner.
State/Province (S/P)            State or province where the organization is located.
Title (T)                       Title of the certificate owner, such as Dr.
User ID (UID)                   Identification number of the certificate owner.
User Principal Name (UPN)       Used with Smart Card certificate authentication.


Secondary DN Field—Lists all of the DN field identifiers (see the foregoing table) for your selection and adds the option None for no selection.
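How the Primary and Secondary DN Field settings turn a certificate subject into the username used for LDAP or RADIUS authorization, as an added example that is not Cisco code and not part of the original page. The DN string parser, the function names and the sample DN are this example's own; the mapping from the field identifiers in the table above to the attribute types seen in an RFC 4514 DN string is this example's assumption (EA is taken to be the emailAddress attribute, and UPN, which lives in the Subject Alternative Name rather than the subject DN, is not handled).

```python
"""Deriving the authorization username from a certificate subject DN.

Added example, not Cisco code. 'Use the entire DN' sends the whole DN string;
otherwise the primary field's value is used and, if the certificate lacks it,
the secondary field's ('None' means no fallback).
"""
from typing import List, Optional, Tuple

# ASDM field identifier -> attribute types as they appear in a DN string (assumed mapping).
DN_FIELD_ATTRS = {
    "C": ("C",), "CN": ("CN",), "DNQ": ("DNQUALIFIER", "DNQ"),
    "EA": ("EMAILADDRESS", "EMAIL", "E"), "GENQ": ("GENERATIONQUALIFIER",),
    "GN": ("GIVENNAME", "GN"), "I": ("INITIALS",), "L": ("L",), "N": ("NAME",),
    "O": ("O",), "OU": ("OU",), "SER": ("SERIALNUMBER",), "SN": ("SN", "SURNAME"),
    "S/P": ("ST", "S", "SP"), "T": ("TITLE", "T"), "UID": ("UID",),
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (TYPE, value) pairs.

    Backslash escapes are honoured, so an escaped comma inside a value does
    not split it. Multi-valued RDNs ('+') are flattened into separate pairs,
    which is enough for picking a field.
    """
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_field(pairs: List[Tuple[str, str]], field: str) -> Optional[str]:
    """Value of the first non-empty attribute matching an ASDM field identifier, or None."""
    for attr in DN_FIELD_ATTRS[field]:
        for dn_type, value in pairs:
            if dn_type == attr and value:
                return value
    return None


def authorization_username(dn: str, primary: Optional[str] = None,
                           secondary: Optional[str] = None,
                           use_entire_dn: bool = False) -> Optional[str]:
    """Username for authorization of a certificate-authenticated user.

    Returns None when neither field yields a value, so the caller can refuse
    the connection rather than look up an empty name.
    """
    if use_entire_dn:
        return dn
    pairs = parse_dn(dn)
    for field in (primary, secondary):
        if field in (None, "None"):
            continue
        value = dn_field(pairs, field)
        if value:
            return value
    return None
```

The field you pick is the key into the authorization database, so choose one the CA keeps unique per user; a bare CN can collide across organizational units, whereas UID, EA or the entire DN usually cannot.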

Add/Edit Tunnel Group > General Tab > Accounting Tab

This tab is available for IPSec Remote Access and LAN-to-LAN tunnel groups. The setting on this tab applies to the tunnel group globally across the security appliance. The Add or Edit Tunnel Group window > General tab > Accounting tab lets you configure the following attribute:

Accounting Server Group—Lists the available accounting server groups. You can also select None (the default). LOCAL is not an option.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > General Tab > Client Address Assignment Tab

To specify whether to use DHCP or address pools for address assignment, go to Configuration > VPN > IP Address Management > Assignment. The Add or Edit Tunnel Group window > General tab > Client Address Assignment tab lets you configure the following Client Address Assignment attributes:

DHCP Servers—Specifies a DHCP server to use. You can add up to 10 servers, one at a time.

IP Address—Specifies the IP address of a DHCP server.

Add—Adds the specified DHCP server to the list for client address assignment.

Delete—Deletes the specified DHCP server from the list for client address assignment. There is no confirmation or undo.

Address Pools—Lets you specify up to 6 address pools, using the following parameters:

Available Pools—Lists the available, configured address pools you can choose.

Add—Adds the selected address pool to the list for client address assignment.

Remove—Moves the selected address pool from the Assigned Pools list to the Available Pools list.

Assigned Pools—Lists the address pools selected for address assignment.


Note To configure interface-specific address pools, go to the Advanced tab.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > General Tab > Advanced Tab

The Add or Edit Tunnel Group window, General tab, Advanced tab, lets you configure the following interface-specific attributes:

Interface-Specific Authentication Server Groups—Lets you configure an interface and server group for authentication.

Interface—Lists available interfaces for selection.

Server Group—Lists authentication server groups available for this interface.

Use LOCAL if server group fails—Enables or disables fallback to the LOCAL database if the server group fails.

Add—Adds the association between the selected available interface and the authentication server group to the assigned list.

Remove—Moves the selected interface and authentication server group association from the assigned list to the available list.

Interface/Server Group/Use Fallback—Show the selections you have added to the assigned list.

Interface-Specific Client IP Address Pools—Lets you specify an interface and client IP address pool. You can have up to 6 pools.

Interface—Lists the available interfaces to add.

Address Pool—Lists address pools available to associate with this interface.

Add—Adds the association between the selected available interface and the client IP address pool to the assigned list.

Remove—Moves the selected interface/address pool association from the assigned list to the available list.

Interface/Address Pool—Shows the selections you have added to the assigned list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > IPSec for Remote Access > IPSec Tab

On the Add or Edit Tunnel Group window for IPSec for Remote Access, the IPSec tab lets you configure or edit IPSec-specific tunnel group parameters.

Fields

Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters. Every peer that connects through this tunnel group shares this one key, so use a long random value and change it when a peer is decommissioned.

Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.

none—Specifies no authentication mode.

xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.

hybrid—Specifies the use of Hybrid mode, which lets you use digital certificates for security appliance authentication and a different, legacy method—such as RADIUS, TACACS+ or SecurID—for remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:

1. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

2. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.


Note Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key.


IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

Enable sending certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

ISAKMP Keep Alive—Enables and configures ISAKMP keep alive monitoring.

Disable Keep Alives—Enables or disables ISAKMP keep alives.

Monitor Keep Alives—Enables or disables ISAKMP keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the ISAKMP keep alive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.

Retry Interval—Specifies number of seconds to wait between ISAKMP keep alive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site security appliance never initiates keepalive monitoring.

Interface-Specific Authentication Mode—Specifies the authentication mode on a per-interface basis.

Interface—Lets you select the interface name. The default interfaces are inside and outside, but if you have configured a different interface name, that name also appears in the list.

Authentication Mode—Lets you select the authentication mode, none, xauth, or hybrid, as above.

Interface/Authentication Mode table—Shows the interface names and their associated authentication modes that are selected.

Add—Adds an interface/authentication mode pair selection to the Interface/Authentication Modes table.

Remove—Removes an interface/authentication mode pair selection from the Interface/Authentication Modes table.

Client VPN Software Update Table—Lists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software.

Client Type—Identifies the VPN client type.

VPN Client Revisions—Specifies the acceptable revision level of the VPN client.

Image URL—Specifies the URL or IP address from which the correct VPN client software image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > PPP Tab

On the Add or Edit Tunnel Group window for an IPSec remote access tunnel group, the PPP tab lets you configure or edit the authentication protocols permitted for a PPP connection. This tab applies only to IPSec remote access tunnel groups.

Fields

CHAP—Enables the use of the CHAP protocol for a PPP connection.

MS-CHAP-V1—Enables the use of the MS-CHAP-V1 protocol for a PPP connection.

MS-CHAP-V2—Enables the use of the MS-CHAP-V2 protocol for a PPP connection.

PAP—Enables the use of the PAP protocol for a PPP connection. PAP carries the password in the clear within the PPP exchange; enable it only if the AAA method in use requires it.

EAP-PROXY—Enables the use of the EAP-PROXY protocol for a PPP connection. EAP refers to the Extensible Authentication Protocol.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed | Transparent    Single | Multiple: Context | System


Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General Tab > Basic Tab

On the Add or Edit Tunnel Group window for IPSec LAN-to-LAN Access, the General tab, Basic tab lets you specify a name for the tunnel group that you are adding (Add function only) and select the group policy.

On the Edit Tunnel Group window, the General tab displays the name and type of the tunnel group you are modifying.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window.

Group Policy—Lists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy.

Strip the realm (administrative domain) from the username before passing it on to the AAA server—Enables or disables stripping the realm from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<#|!>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character as the group delimiter, because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
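The following is an added example, not part of the ASDM guide, showing how a login name that carries the realm and group qualifiers described above is split, and what name the AAA server actually receives under each combination of the Strip Realm and Strip Group check boxes. It assumes (as the page states) that @ is the only realm delimiter and that @, # and ! are the group delimiters, and it assumes that the group delimiter is honoured only when Group Lookup is enabled; all login names in it are constructed.

```python
# Added example (not from the ASDM guide): realm/group splitting of a
# VPN login name and the effect of the Strip Realm / Strip Group options.
from dataclasses import dataclass
from typing import Optional

REALM_DELIMITER = "@"                 # the only valid realm delimiter
GROUP_DELIMITERS = ("@", "#", "!")    # valid Group Lookup delimiters


@dataclass(frozen=True)
class LoginName:
    user: str
    realm: Optional[str]
    group: Optional[str]
    group_delimiter: str


def parse_login_name(raw: str, group_lookup: bool = True,
                     group_delimiter: str = "@") -> LoginName:
    """Split 'username[@realm][<delim>group]'.

    With Group Lookup enabled, everything left of the group delimiter is
    the username (which may still carry @realm) and everything right of
    it is the group. A '@' is read as the realm delimiter only in what is
    left once the group part has been removed, which is why '@' cannot
    serve as the group delimiter when a realm is also present.
    """
    if group_delimiter not in GROUP_DELIMITERS:
        raise ValueError(f"group delimiter must be one of {GROUP_DELIMITERS}")
    if not raw:
        raise ValueError("empty login name")
    user, group = raw, None
    if group_lookup and group_delimiter in user:
        user, _, group = user.partition(group_delimiter)
    realm = None
    if REALM_DELIMITER in user:
        user, _, realm = user.partition(REALM_DELIMITER)
    return LoginName(user, realm or None, group or None, group_delimiter)


def aaa_username(name: LoginName, strip_realm: bool, strip_group: bool) -> str:
    """Name forwarded to the AAA server after the Strip check boxes apply."""
    out = name.user
    if name.realm and not strip_realm:
        out += REALM_DELIMITER + name.realm
    if name.group and not strip_group:
        out += name.group_delimiter + name.group
    return out


if __name__ == "__main__":
    # Why the note insists on '#' or '!' when a realm is also present:
    full = "JaneDoe@it.cisco.com#VPNGroup"          # constructed login name
    good = parse_login_name(full, group_delimiter="#")
    bad = parse_login_name(full, group_delimiter="@")
    print("with '#':", good)   # user=JaneDoe realm=it.cisco.com group=VPNGroup
    print("with '@':", bad)    # the group swallows the realm and the '#'
    print("to AAA, both stripped:", aaa_username(good, True, True))  # JaneDoe
```

Run with a group delimiter of @ against a name that also carries a realm, the parser returns the realm as the group; that is the misconfiguration the note above warns about, and the reason a server that cannot parse delimiters needs Strip Realm checked.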

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk: a user whose account the AAA server reports as disabled can still establish a VPN session.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.

Enable notification prior to expiration—When you check this option, the security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification, that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this setting if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.

Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec Tab

The Add or Edit Tunnel Group window for IPSec for LAN-to-LAN access, IPSec tab, lets you configure or edit IPSec LAN-to-LAN-specific tunnel group parameters.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window.

Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters. The key must match the one configured on the remote peer. Use a long, randomly generated value rather than a short, guessable one, because when no trustpoint is used the pre-shared key is all that authenticates the peer.

Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.

none—Specifies no authentication mode.

xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.

hybrid—Specifies the use of Hybrid mode, which lets you use digital certificates for security appliance authentication and a different, legacy method—such as RADIUS, TACACS+ or SecurID—for remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:

1. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

2. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.


Note Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key.


IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

Enable sending certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

ISAKMP Keep Alive—Enables and configures ISAKMP keep alive monitoring.

Disable Keep Alives—Enables or disables ISAKMP keep alives.

Monitor Keep Alives—Enables or disables ISAKMP keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the ISAKMP keep alive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.

Retry Interval—Specifies number of seconds to wait between ISAKMP keep alive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site security appliance never initiates keepalive monitoring.

Interface-Specific Authentication Mode—Specifies the authentication mode on a per-interface basis.

Interface—Lets you select the interface name. The default interfaces are inside and outside, but if you have configured a different interface name, that name also appears in the list.

Authentication Mode—Lets you select the authentication mode, none, xauth, or hybrid, as above.

Interface/Authentication Mode table—Shows the interface names and their associated authentication modes that are selected.

Add—Adds an interface/authentication mode pair selection to the Interface/Authentication Modes table.

Remove—Removes an interface/authentication mode pair selection from the Interface/Authentication Modes table.

Client VPN Software Update Table—Lists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software.

Client Type—Identifies the VPN client type.

VPN Client Revisions—Specifies the acceptable revision level of the VPN client.

Image URL—Specifies the URL or IP address from which the correct VPN client software image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > WebVPN Access > General Tab > Basic Tab

The Add or Edit Tunnel Group window for WebVPN Access, General tab, Basic tab lets you specify a name for the tunnel group that you are adding, select the group policy, and configure password management.

On the Edit Tunnel Group window, the General tab displays the name and type of the selected tunnel group. All other functions are the same as for the Add Tunnel Group window.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—Displays the type of tunnel group you are adding or editing. For Edit, this is a display-only field whose contents depend on your selection in the Add window.

Group Policy—Lists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy.

Strip the realm—Not available for WebVPN.

Strip the group—Not available for WebVPN.

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk: a user whose account the AAA server reports as disabled can still establish a VPN session.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.

Enable notification prior to expiration—When you check this option, the security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification, that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this setting if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.

Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > WebVPN Tab > Basic Tab

The attributes on the General tab for a WebVPN Access tunnel group are the same as those on the General tab for an IPSec Remote Access tunnel group. The following descriptions apply to the fields on the WebVPN tab.

Fields

The Basic tab lets you configure the following WebVPN attributes:

Authentication—Specifies the type of authentication to perform: AAA, Certificate, or Both. The default value is AAA.

DNS Group—Specifies the DNS server to use for a WebVPN tunnel-group. The default value is DefaultDNS.

CSD Failure group policy—This attribute is valid only for security appliances with Cisco Secure Desktop installed. The security appliance uses this attribute to limit access rights to remote CSD clients if you use Cisco Secure Desktop Manager to set the VPN feature policy to one of the following options:

"Use Failure Group-Policy."

"Use Success Group-Policy, if criteria match," and the criteria fail to match.

This attribute specifies the name of the failure group policy to be applied. Choose a group policy to differentiate access rights from those associated with the default group policy. The default value is DfltGrpPolicy.


Note The security appliance does not use this attribute if you set the VPN feature policy to "Always use Success Group-Policy."


For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administrators.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab

The table on this tab shows the attributes of the already-configured NetBIOS servers. The Add or Edit Tunnel Group window for WebVPN Access, NetBIOS tab, lets you configure the NetBIOS attributes for the tunnel group. WebVPN uses NetBIOS and the Common Internet File System protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network.

The security appliance queries NetBIOS name servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.

To make the NBNS function operational, you must configure at least one NetBIOS server (host). You can configure up to 3 NBNS servers for redundancy. The security appliance uses the first server on the list for NetBIOS/CIFS name resolution. If the query fails, it uses the next server.

Fields

IP Address—Displays the IP addresses of configured NetBIOS servers.

Master Browser—Shows whether a server is a WINS server or one that can also be a CIFS server (that is, a master browser).

Timeout (seconds)—Displays the initial time in seconds that the server waits for a response to an NBNS query before sending the query to the next server.

Retries—Shows the number of times to retry sending an NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Add/Edit—Click to add a NetBIOS server. This opens the Add or Edit NetBIOS Server dialog box.

Delete—Removes the highlighted NetBIOS row from the list.

Move Up/Move Down—The security appliance sends NBNS queries to the NetBIOS servers in the order in which they appear in this box. Use this box to change the priority order of the servers by moving them up or down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > NetBIOS Servers Tab > Add/Edit NetBIOS Server

This dialog box lets you create a new entry for the NetBIOS servers table or modify an existing entry.

Fields

IP Address—Specifies the IP address for the NetBIOS server.

Master browser—Designates the current NetBIOS server as a master browser, rather than a WINS server.

Timeout—Specifies the initial time in seconds the server waits for a response to an NBNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers.

Retries—Specifies the number of times to retry sending a NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
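The following is an added example, not part of the ASDM guide, that models the NBNS query schedule described on the NetBIOS Servers tab and in the fields above: servers are queried in list order, each attempt waits the configured timeout, the list is cycled again for each retry, and the wait doubles on every cycle. The limits are the ones quoted on the page (1 to 3 servers, timeout 1 to 30 seconds, retries 0 to 10). Server behaviour is simulated with a constructed answer table; no NBNS packets are sent, and the server addresses are invented.

```python
# Added example (not from the ASDM guide): NBNS failover schedule with
# per-cycle timeout doubling, and the worst-case wait it implies.
from typing import Dict, List, Tuple


def nbns_schedule(servers: List[str], timeout: int = 2,
                  retries: int = 2) -> List[Tuple[str, int]]:
    """Return the ordered list of (server, seconds to wait) attempts."""
    if not 1 <= len(servers) <= 3:
        raise ValueError("configure 1 to 3 NBNS servers")
    if not 1 <= timeout <= 30:
        raise ValueError("timeout must be 1-30 seconds")
    if not 0 <= retries <= 10:
        raise ValueError("retries must be 0-10")
    attempts, wait = [], timeout
    for _cycle in range(retries + 1):      # first pass plus `retries` cycles
        attempts.extend((server, wait) for server in servers)
        wait *= 2                          # timeout doubles each cycle
    return attempts


def worst_case_seconds(servers: List[str], timeout: int = 2,
                       retries: int = 2) -> int:
    """Longest a CIFS browse can hang when no server ever answers."""
    return sum(wait for _, wait in nbns_schedule(servers, timeout, retries))


def resolve(name: str, servers: List[str],
            answers: Dict[str, Dict[str, str]],
            timeout: int = 2, retries: int = 2) -> Tuple[str, int]:
    """Walk the schedule until a server returns an address.

    `answers` (constructed) maps each responding server to its
    NetBIOS-name -> IP table. A server missing from it is treated as
    silent and costs the full wait for that attempt; a responding server
    that does not know the name is a failed query and costs nothing.
    Returns (ip, seconds spent waiting on silent servers).
    """
    elapsed = 0
    for server, wait in nbns_schedule(servers, timeout, retries):
        table = answers.get(server)
        if table is None:                  # no response: the timer expires
            elapsed += wait
            continue
        if name in table:                  # positive answer ends the search
            return table[name], elapsed
        # negative answer: query failed, move on to the next server
    raise LookupError(f"{name}: no NBNS server answered after {elapsed}s")


if __name__ == "__main__":
    servers = ["10.0.0.1", "10.0.0.2"]                       # constructed
    print(nbns_schedule(servers))                            # 2,2,4,4,8,8
    print(worst_case_seconds(servers), "seconds worst case")  # 28
    print(resolve("FILESRV", servers, {"10.0.0.2": {"FILESRV": "10.0.0.20"}}))
```

With two servers, the default timeout of 2 seconds and the default of 2 retries, a name that no server answers keeps the user waiting 28 seconds; with the maximum timeout of 30 seconds and 10 retries the worst case is over 34 hours of cumulative timers, so put the reachable server first and keep the retry count small.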

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Group Aliases and URLs Tab

The Add or Edit Tunnel Group window for WebVPN Access, Group Aliases and URLs tab, lets you specify alternative names for the group (group aliases) and specify incoming URLs for the group.

Specifying the group alias creates one or more alternate names by which the user can refer to a tunnel-group. The group alias that you specify here appears in the drop-down list on the login page. Each group can have multiple aliases or no alias. If you want the actual name of the tunnel group to appear on this list, specify it as an alias. This feature is useful when the same group is known by several common names, such as "Devtest" and "QA".

Specifying a group URL eliminates the need for the user to select a group at login. When a user logs in, the security appliance looks for the user's incoming URL in the tunnel-group-policy table. If it finds the URL and if this feature is enabled, then the security appliance automatically selects the appropriate tunnel group and presents the user with only the username and password fields in the login window. If the URL is disabled, then the dropdown list of groups is also displayed, and the user must make the selection.

You can configure multiple URLs (or no URLs) for a group. Each URL can be enabled or disabled individually. You must use a separate specification for each URL specified. You must specify the entire URL, which can use either the http or https protocol.

You cannot associate the same URL with multiple groups. The security appliance verifies the uniqueness of the URL before accepting it for a tunnel group.

Fields

Group Aliases—Contains the following entries:

Alias—Specifies an alternative name for the tunnel group.

Add/Remove—Adds or removes a selected group alias from the list.

Enable—Enables the selected alias, so it appears on the dropdown list at logon. This check box is checked by default.


Note You cannot change the status of a disabled alias in the Alias/Status table merely by checking Enable and clicking OK, then Apply. You must first remove the disabled alias, then re-add it with the Enable check box checked.


Alias/Status —Shows whether each selected alias is enabled or disabled.

Group URLs—Contains the following entries:

URL (http or https)—Specifies a URL to add to the list; for example, http://www.cisco.com. You must include the http:// or https:// protocol in the URL.

Add/Remove—Adds or removes a selected group URL from the list.

Enable—Enables the selected URL. The default is enabled.


Note You cannot change the status of a disabled URL in the URL/Status table merely by checking Enable and clicking OK, then Apply. You must first remove the disabled URL, then re-add it with the Enable check box checked.


URL/Status—Shows whether each selected URL is enabled or disabled.

Example

You can set up different login screens for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create a WebVPN tunnel group called sales that refers to that customization profile, as the following example shows. This example displays the company logo instead of the default Cisco logo when the user logs in using WebVPN:


Step 1 Define a WebVPN customization named salesgui and change the default logo to mycompanylogo.gif. You must have previously loaded mycompanylogo.gif onto the flash memory of the security appliance and saved the configuration.

Step 2 Set up a username and associate it with the WebVPN customization you've just defined.

Step 3 Create a WebVPN tunnel-group named sales.

Step 4 Specify that you want to use the salesgui customization for this tunnel group.

Step 5 Set the group URL to the address that the user enters into the browser to log in to the security appliance; for example, if the security appliance has the IP address 192.168.3.3, set the group URL to https://192.168.3.3.

The security appliance maps this URL to the sales tunnel group and applies the salesgui customization profile to the login screen that the user sees.

Step 6 Save the configuration to memory.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Add/Edit Tunnel Group > WebVPN Access > WebVPN Tab > Web Page Tab

Use this tab to select a customized look and feel for the WebVPN end-user logon web page.

Fields

Webpage Customization—Selects a previously defined web-page customization.

New—Opens a dialog box in which you can configure a new web-page customization.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


For More Information

WebVPN End User Set-up

VPN System Options

The VPN System Options window lets you configure features specific to VPN sessions on the security appliance.

Fields

Enable inbound IPSec sessions to bypass interface access-lists. Group policy and per-user authorization access lists still apply to the traffic—By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an access rule. When this option is checked, you also do not need an access rule for the local IP addresses of decrypted VPN packets, because the interface access list is not evaluated for that traffic at all. Because the tunnel was authenticated and the traffic was protected by the VPN security mechanisms, this simplifies configuration and avoids a second access-list lookup. It also means that interface access rules no longer restrict what a VPN user can reach: only the group policy and per-user authorization access lists filter the decrypted traffic. If you rely on interface access rules to limit VPN users, uncheck this option or configure group policy and per-user access lists.

You can require an access rule to apply to the local IP addresses by unchecking this option. The access rule applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.

Limit the maximum number of active IPSec VPN sessions—Enables or disables limiting the maximum number of active IPSec VPN sessions. The range depends on the hardware platform and the software license.

Maximum Active IPSec VPN Sessions—Specifies the maximum number of active IPSec VPN sessions allowed. This field is active only when you select the preceding check box to limit the maximum number of active IPSec VPN sessions.

L2TP Tunnel Keep-alive Timeout—Specifies the frequency, in seconds, of keepalive messages. The range is 10 through 300 seconds. The default is 60 seconds.

Compression Settings—Specifies the features for which you want to enable compression: WebVPN, and SSL VPN Client. Compression is enabled by default.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Zone Labs Integrity Server

The Zone Labs Integrity Server panel lets you configure the security appliance to support a Zone Labs Integrity Server. This server is part of the Integrity System, a system designed to enforce security policies on remote clients entering the private network. In essence, the security appliance acts as a proxy for the client PC to the Firewall Server and relays all necessary Integrity information between the Integrity client and the Integrity server.


Note The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.


Fields

Server IP address—Type the IP address of the Integrity Server. Use dotted decimal notation.

Add—Adds a new server IP address to the list of Integrity Servers. This button is active when an address is entered in the Server IP address field.

Delete—Deletes the selected server from the list of Integrity Servers.

Move Up—Moves the selected server up in the list of Integrity Servers. This button is available only when there is more than one server in the list.

Move Down—Moves the selected server down in the list of Integrity Servers. This button is available only when there is more than one server in the list.

Server Port—Type the security appliance port number on which it listens to the active Integrity Server. The default port number is 5054, and it can range from 10 to 10000. This field is available only when there is at least one server in the Integrity Server list.

Interface—Choose the security appliance interface on which it communicates with the active Integrity Server. This menu is available only when there is a server in the Integrity Server list.

Fail Timeout—Type the number of seconds that the security appliance should wait before it declares the active Integrity Server to be unreachable. The default is 10 and the range is from 5 to 20.

Enable SSL Authentication—Check to enable authentication of the remote client SSL certificate by the security appliance. By default, client SSL authentication is disabled.

Close connection on timeout—Check to close the connection between the security appliance and the Integrity Server on a timeout. By default, the connection remains open.

Apply—Click to apply the Integrity Server setting to the security appliance running configuration.

Reset—Click to remove Integrity Server configuration changes that have not yet been applied.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context) | Multiple (System)


Easy VPN Remote

Easy VPN Remote lets the ASA 5505 act as an Easy VPN client device. The ASA 5505 can then initiate a VPN tunnel to an Easy VPN server, which can be a security appliance, a Cisco VPN 3000 Concentrator, an IOS-based router, or a firewall acting as an Easy VPN server.

The Easy VPN client supports one of two modes of operation: Client Mode or Network Extension Mode (NEM). The mode of operation determines whether the Easy VPN Client inside hosts are accessible from the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode.

Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN Client private network from those on the enterprise network. The Easy VPN Client performs PAT for all VPN traffic from its inside hosts. IP address management is required neither for the Easy VPN Client inside interface nor for the inside hosts.

NEM makes the inside interface and all inside hosts routable across the enterprise network over the tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet, either statically or via DHCP. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration for each client. An ASA 5505 configured for NEM supports automatic tunnel initiation; for this, the configuration must store the group name, user name, and password. Automatic tunnel initiation is disabled if secure unit authentication is enabled.

In client mode, the network and addresses on the private side of the Easy VPN Client are hidden and cannot be accessed directly from the enterprise network.

Fields

Enable Easy VPN Remote—Enables the Easy VPN Remote feature and makes available the rest of the fields on this window for configuration.

Mode—Selects either Client mode or Network extension mode.

Client mode—Uses Port Address Translation (PAT) mode to isolate the addresses of the inside hosts, relative to the client, from the enterprise network.

Network extension mode—Makes those addresses accessible from the enterprise network.


Note If the Easy VPN Remote is using NEM and has connections to secondary servers, establish an ASDM connection to each headend and check Enable Reverse Route Injection on the Configuration > VPN > IPSec > IPSec Rules > Tunnel Policy (Crypto Map) - Advanced tab to configure dynamic announcements of the remote network using RRI.


Auto connect—The Easy VPN Remote establishes IPSec data tunnels automatically unless both of the following are true: Network extension mode is configured locally, and split tunneling is configured on the group policy pushed to the Easy VPN Remote. In that case, checking this attribute automates the establishment of IPSec data tunnels; otherwise, this attribute has no effect.

Group Settings—Specifies whether to use a pre-shared key or an X.509 certificate for user authentication.

Pre-shared key—Enables the use of a pre-shared key for authentication and makes available the subsequent Group Name, Group Password, and Confirm Password fields for specifying the group policy name and password containing that key.

Group Name—Specifies the name of the group policy to use for authentication.

Group Password—Specifies the password to use with the specified group policy.

Confirm Password—Requires you to confirm the group password just entered.

X.509 Certificate—Specifies the use of an X.509 digital certificate, supplied by a Certificate Authority, for authentication.

Select Trustpoint—Lets you select a trustpoint, which can be an IP address or a hostname, from the drop-down list. To define a trustpoint, click the link to Trustpoint(s) configuration at the bottom of this area.

Send certificate chain—Enables sending a certificate chain, not just the certificate itself. This action includes the root certificate and any subordinate CA certificates in the transmission.

User Settings—Configures user login information.

User Name—Configures the VPN username for the Easy VPN Remote connection. Xauth provides the capability of authenticating a user within IKE using TACACS+ or RADIUS. Xauth authenticates a user (in this case, the Easy VPN hardware client) using RADIUS or any of the other supported user authentication protocols. The Xauth username and password parameters are used when secure unit authentication is disabled and the server requests Xauth credentials. If secure unit authentication is enabled, these parameters are ignored, and the security appliance prompts the user for a username and password.

User Password—Configures the VPN user password for the Easy VPN Remote connection.

Confirm Password—Requires you to confirm the user password just entered.

Easy VPN Server To Be Added—Adds or removes an Easy VPN server. Any ASA or VPN 3000 Concentrator Series can act as a Easy VPN server. A server must be configured before a connection can be established. The security appliance supports IPv4 addresses, the names database, or DNS names and resolves addresses in that order. The first server in the Easy VPN Server(s) list is the primary server. You can specify a maximum of ten backup servers in addition to the primary server.

Name or IP Address—The name or IP address of an Easy VPN server to add to the list.

Add—Moves the specified server to the Easy VPN Server(s) list.

Remove—Moves the selected server from the Easy VPN Server(s) list to the Name or IP Address field. Once you do this, however, you cannot re-add the same address unless you re-enter the address in the Name or IP Address field.

Easy VPN Server(s)—Lists the configured Easy VPN servers in priority order.

Move Up/Move Down—Changes the position of a server in the Easy VPN Server(s) list. These buttons are available only when there is more than one server in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Advanced Easy VPN Properties

Device Pass-Through

Certain devices, such as Cisco IP phones and printers, are incapable of performing authentication, and therefore of participating in individual unit authentication. To accommodate these devices, the device pass-through feature, enabled by the MAC Exemption attributes, exempts devices with the specified MAC addresses from authentication when Individual User Authentication is enabled.

The first 24 bits of the MAC address (the OUI) identify the manufacturer of the piece of equipment. The last 24 bits are the unit's serial number in hexadecimal format.

Tunneled Management

When operating an ASA model 5505 device behind a NAT device, use the Tunneled Management attributes to specify how to configure device management—in the clear or through the tunnel—and specify the network or networks allowed to manage the Easy VPN Remote connection through the tunnel. The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.

When operating a Cisco ASA 5505 behind a NAT device, use the vpnclient management command to specify how to configure device management—with additional encryption or without it—and specify the hosts or networks to be granted administrative access. The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.

Fields

MAC Exemption—Configures a set of MAC addresses and masks used for device pass-through for the Easy VPN Remote connection.

MAC Address—Exempts the device with the specified MAC address from authentication. This field takes the MAC address as three groups of four hexadecimal digits separated by periods; for example, 45ab.ff36.9999.

MAC Mask—This field takes the MAC mask as three groups of four hexadecimal digits separated by periods. A bit set to 1 in the mask must match the corresponding bit of the MAC Address; a bit set to 0 is ignored. For example, the MAC mask ffff.ffff.ffff matches just the specified MAC address. A MAC mask of all zeroes matches no MAC address, and a MAC mask of ffff.ff00.0000 matches all devices made by the same manufacturer (the same 24-bit OUI).

Add—Adds the specified MAC address and mask pair to the MAC Address/Mask list.

Remove—Moves the selected MAC address and mask pair from the MAC Address/Mask list to the individual MAC Address and MAC Mask fields.
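The MAC Address/Mask semantics described above, shown as a small worked example. This Python checker is added here for illustration and is not part of the original guide or of Cisco's own code; the exemption entries and device addresses it uses are constructed values, and the all-zero mask is treated as matching nothing, exactly as the MAC Mask field description states, rather than as a plain bitwise AND (which would match every device).

```python
import re
from typing import List, Tuple

# Dotted-hex form used by the MAC Address and MAC Mask fields:
# three groups of four hexadecimal digits, e.g. 45ab.ff36.9999.
_DOTTED_HEX = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def is_valid_dotted_mac(text: str) -> bool:
    """True if text has the hhhh.hhhh.hhhh shape the fields accept."""
    return bool(_DOTTED_HEX.match(text))


def parse_dotted_mac(text: str) -> int:
    """Parse 'hhhh.hhhh.hhhh' into a 48-bit integer; reject any other shape
    (colon-separated or dash-separated forms are not accepted here)."""
    if not is_valid_dotted_mac(text):
        raise ValueError(f"not a dotted-hex MAC value: {text!r}")
    return int(text.replace(".", ""), 16)


def format_dotted_mac(value: int) -> str:
    """Inverse of parse_dotted_mac, for printing normalized entries."""
    h = f"{value & 0xFFFFFFFFFFFF:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_matches(mac: str, entry_addr: str, entry_mask: str) -> bool:
    """Apply one MAC Address/Mask pair to a device MAC.

    Mask bits set to 1 must match; mask bits set to 0 are ignored. So
    ffff.ffff.ffff matches only the exact address, ffff.ff00.0000 matches the
    24-bit OUI (manufacturer) prefix, and an all-zero mask matches no device.
    The all-zero case is special-cased because a bare AND would match everything.
    """
    m = parse_dotted_mac(mac)
    a = parse_dotted_mac(entry_addr)
    k = parse_dotted_mac(entry_mask)
    if k == 0:
        return False
    return (m & k) == (a & k)


def is_exempt(mac: str, exemptions: List[Tuple[str, str]]) -> bool:
    """True if any configured (address, mask) pair exempts this device from
    Individual User Authentication (device pass-through)."""
    return any(mac_matches(mac, addr, mask) for addr, mask in exemptions)


# Constructed example list; these addresses are made up for illustration.
EXEMPTIONS = [
    ("45ab.ff36.9999", "ffff.ffff.ffff"),   # one specific device only
    ("0011.2200.0000", "ffff.ff00.0000"),   # every device with OUI 00:11:22
    ("dead.beef.0000", "0000.0000.0000"),   # all-zero mask: exempts nothing
]

if __name__ == "__main__":
    for dev in ("45ab.ff36.9999", "45ab.ff36.9998", "0011.22aa.bbcc", "dead.beef.0000"):
        verdict = "exempt (pass-through)" if is_exempt(dev, EXEMPTIONS) else "must authenticate"
        print(f"{format_dotted_mac(parse_dotted_mac(dev))}: {verdict}")
```

When auditing a MAC Exemption list, the entries to look at first are any with masks shorter than ffff.ffff.ffff: an OUI-only mask such as ffff.ff00.0000 exempts every device from that manufacturer, not just the phones or printers the entry was written for.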

Tunneled Management—Configures IPSec encryption for device management and specifies the network or networks allowed to manage the Easy VPN hardware client connection through the tunnel. Selecting Clear Tunneled Management merely removes that IPSec encryption level and does not affect any other encryption, such as SSH or HTTPS, that exists on the connection.

Enable Tunneled Management—Adds a layer of IPSec encryption to the SSH or HTTPS encryption already present in the management tunnel.

Clear Tunneled Management—Uses the encryption already present in the management tunnel, without additional encryption.

IP Address—Specifies the IP address of the host or network to which you want to grant administrative access to the Easy VPN hardware client through the VPN tunnel. You can individually add one or more IP addresses and their respective network masks.

Mask—Specifies the network mask for the corresponding IP address.

Add—Moves the specified IP address and mask to the IP Address/Mask list.

Remove—Moves the selected IP address and mask pair from the IP Address/Mask list to the individual IP Address and Mask fields in this area.

IP Address/Mask—Lists the configured IP address and mask pairs to be operated on by the Enable or Clear functions in this area.
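The IP Address/Mask list above decides which hosts or networks may manage the hardware client through the tunnel. The following Python example is added here for illustration and is not part of the original guide or of Cisco's own code: it validates each address/mask pair (rejecting non-contiguous masks and wildcard-style masks such as 0.0.0.255, which the ipaddress module would otherwise silently accept as a hostmask) and then answers whether a given management source address falls inside the configured set. The addresses are constructed documentation/private ranges.

```python
import ipaddress
from typing import List, Tuple


def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal network mask to a prefix length.

    A valid network mask is a run of 1 bits followed by 0 bits. Inverting the
    mask gives a run of 1 bits at the low end; for such a value inv & (inv + 1)
    is zero. Anything else (0.0.0.255, 255.0.255.0) is rejected, so a mask
    typed in wildcard form cannot widen the management list by accident.
    """
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF
    if inv & (inv + 1):
        raise ValueError(f"non-contiguous network mask: {mask}")
    return 32 - inv.bit_length()


def is_valid_mask(mask: str) -> bool:
    """True if mask is a contiguous dotted-decimal network mask."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def build_management_list(entries: List[Tuple[str, str]]) -> List[ipaddress.IPv4Network]:
    """Turn (IP address, mask) pairs into networks. A host entry uses the mask
    255.255.255.255; strict=False normalizes an address with host bits set
    (10.1.2.3 / 255.255.0.0) to its network, 10.1.0.0/16."""
    nets = []
    for addr, mask in entries:
        prefix = mask_to_prefix(mask)
        nets.append(ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False))
    return nets


def management_allowed(source_ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the management source address is covered by any configured entry."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(ip in n for n in nets)


# Constructed example list: one management host and one admin network.
MANAGEMENT_ENTRIES = [
    ("192.0.2.10", "255.255.255.255"),   # a single management workstation
    ("10.1.5.77", "255.255.0.0"),        # host bits set; normalizes to 10.1.0.0/16
]
MANAGEMENT_NETS = build_management_list(MANAGEMENT_ENTRIES)

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.11", "10.1.200.7", "172.16.0.1"):
        print(src, "allowed" if management_allowed(src, MANAGEMENT_NETS) else "denied")
```

A mask of 0.0.0.0 passes the contiguity check and yields a /0 that grants every tunnel address administrative access; when reviewing a configuration, treat such an entry as equivalent to having no restriction at all.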

IPSec Over TCP—Configures the Easy VPN Remote connection to use TCP-encapsulated IPSec.

Enable—Enables IPSec over TCP.


Note Choose Configuration > VPN > IPSec > Pre-Fragmentation, double-click the outside interface, and set the DF Bit Setting Policy to Clear if you configure the Easy VPN Remote connection to use TCP-encapsulated IPSec. The Clear setting lets the security appliance send large packets.

Enter Port Number—Specifies the port number to use for the IPSec over TCP connection.

Server Certificate—Configures the Easy VPN Remote connection to accept connections only to Easy VPN servers whose certificates match the selected certificate map. Use this parameter to enable Easy VPN server certificate filtering. To define a certificate map, go to Configuration > VPN > IKE > Certificate Group Matching > Rules.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)