CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1
Index


A

AAA

addressing, configuring 5-5

Access Control Server 7-4, 7-13

access hours, username attribute 4-89

accessing the security appliance using SSL 15-21

accessing the security appliance using TLS1 15-21

access list filter, username attribute 4-90

access lists

exemptions from posture validation 7-11

group policy WebVPN filter 4-83

IPsec 1-29

Network Admission Control, default 7-10

username for Clientless SSL VPN 4-96

Active Directory, settings for password management 4-28

Active Directory procedures 13-2 to ??

Advanced Encryption Standard (AES) 1-10

application access

and e-mail proxy 18-7

and Web Access 18-7

configuring client applications 18-6

enabling cookies on browser 18-6

privileges 18-6

quitting properly 18-6

setting up on client 18-6

using e-mail 18-7

with IMAP client 18-7

Application Access Panel, WebVPN 19-2, 21-2

application access using Clientless SSL VPN

group policy attribute for Clientless SSL VPN 4-84

username attribute for Clientless SSL VPN 4-98

application access using WebVPN

and hosts file errors 22-1

quitting properly 22-2

Application Profile Customization Framework 16-8

ASA 5505

client

authentication 8-12

configuration restrictions, table 8-2

device pass-through 8-8

group policy attributes pushed to 8-10

mode 8-3

remote management 8-9

split tunneling 8-8

TCP 8-4

trustpoint 8-7

tunnel group 8-7

tunneling 8-5

Xauth 8-4

server (headend) 8-1

attributes

username 4-88

attribute-value pairs (AVP) 4-36

authentication

ASA 5505 as Easy VPN client 8-12

WebVPN users with digital certificates 19-21, 19-22

auto-signon

group policy attribute for Clientless SSL VPN 4-82

username attribute for Clientless SSL VPN 4-99

B

backup server attributes, group policy 4-67

banner message, group policy 4-41

before configuring KCD 16-4

Black Ice firewall 4-76

bypass authentication 8-8

C

cached Kerberos tickets

clearing 16-7

showing 16-7

caching 17-18

cascading access lists 1-23

certificate

authentication, e-mail proxy 16-14

group matching

configuring 1-16, 1-17

rule and policy, creating 1-17

Cisco Integrated Firewall 4-76

Cisco Security Agent 4-76

Cisco Trust Agent 7-13

clearing cached Kerberos tickets 16-7

client

VPN 3002 hardware, forcing client update 3-4

Windows, client update notification 3-4

client access rules, group policy 4-77

client firewall, group policy 4-71

clientless authentication 7-13

Clientless SSL VPN

client application requirements 18-2

client requirements 18-2

for file management 18-5

for network browsing 18-5

for web browsing 18-4

start-up 18-3

configuring for specific users 4-93

enable cookies for 18-6

printing and 18-3

remote requirements

for port forwarding 18-6

for using applications 18-6

remote system configuration and end-user requirements 18-3

security tips 18-2

supported applications 18-2

supported browsers 18-3

supported types of Internet connections 18-3

URL 18-3

username and password required 18-3

usernames and passwords 18-1

client mode 8-3

client update, performing 3-4

cluster

IP address, load balancing 3-7

load balancing configurations 3-10

mixed scenarios 3-11

virtual 3-7

connect time, maximum, username attribute 4-90

content transformation, WebVPN 17-15

CRACK protocol 1-39

crypto map

access lists 1-29

applying to interfaces 1-29, 10-11

clearing configurations 1-38

creating an entry to use the dynamic crypto map 6-13

definition 1-19

dynamic 1-35

dynamic, creating 6-12

entries 1-19

examples 1-30

policy 1-21

crypto show commands table 1-37

custom firewall 4-76

customization, Clientless SSL VPN

group policy attribute 4-80

login windows for users 4-27

username attribute 4-95

username attribute for Clientless SSL VPN 4-24

D

default

DefaultL2Lgroup 4-1

DefaultRAgroup 4-1

domain name, group policy 4-54

group policy 4-1, 4-8, 4-36

LAN-to-LAN tunnel group 4-17

remote access tunnel group, configuring 4-7

tunnel group 1-18, 4-2

deny in a crypto map 1-23

deny-message

group policy attribute for Clientless SSL VPN 4-81

username attribute for Clientless SSL VPN 4-96

DES, IKE policy keywords (table) 1-9, 1-10

device pass-through, ASA 5505 as Easy VPN client 8-8

DfltGrpPolicy 4-37

DHCP

addressing, configuring 5-6

DHCP Intercept, configuring 4-55

Diffie-Hellman

Group 5 1-9, 1-11

groups supported 1-9, 1-11

digital certificates

authenticating WebVPN users 19-21, 19-22

SSL 15-25

disabling content rewrite 17-16

DNS

server, configuring 4-50

domain attributes, group policy 4-54

dynamic crypto map 1-35

creating 6-12

See also crypto map

E

Easy VPN

client

authentication 8-12

configuration restrictions, table 8-2

enabling and disabling 8-1

group policy attributes pushed to 8-10

mode 8-3

remote management 8-9

trustpoint 8-7

tunnels 8-9

Xauth 8-4

server (headend) 8-1

Easy VPN client

ASA 5505

device pass-through 8-8

split tunneling 8-8

TCP 8-4

tunnel group 8-7

tunneling 8-5

egress VLAN for VPN sessions 4-44

e-mail

configuring for WebVPN 16-14

proxies, WebVPN 16-14

proxy, certificate authentication 16-14

WebVPN, configuring 16-14

e-mail proxy

and Clientless SSL VPN 18-7

end-user interface, WebVPN, defining 19-1, 21-1

external group policy, configuring 4-39

F

failover

Trusted Flow Acceleration 2-8

filter (access list)

group policy attribute for Clientless SSL VPN 4-83

username attribute for Clientless SSL VPN 4-96

firewall

Black Ice 4-76

Cisco Integrated 4-76

Cisco Security Agent 4-76

custom 4-76

Network Ice 4-76

none 4-76

Sygate personal 4-76

Zone Labs 4-76

firewall policy, group policy 4-71

fragmentation policy, IPsec 1-15

G

general attributes, tunnel group 4-3

general parameters, tunnel group 4-3

general tunnel-group connection parameters 4-3

global e-mail proxy attributes 16-14

global IPsec SA lifetimes, changing 1-31

group-lock, username attribute 4-92

group policy

address pools 4-41

backup server attributes 4-67

client access rules 4-77

configuring 4-39

default domain name for tunneled packets 4-54

definition 4-1, 4-36

domain attributes 4-54

Easy VPN client, attributes pushed to ASA 5505 8-10

external, configuring 4-39

firewall policy 4-71

hardware client user idle timeout 4-65

internal, configuring 4-40

IP phone bypass 4-66

IPSec over UDP attributes 4-63

LEAP Bypass 4-66

network extension mode 4-67

security attributes 4-61

split tunneling attributes 4-51

split-tunneling domains 4-55

user authentication 4-65

VPN hardware client attributes 4-64

webvpn attributes 4-79

WINS and DNS servers 4-50

group policy, default 4-36

group policy, secure unit authentication 4-64

group policy attributes for Clientless SSL VPN

application access 4-84

auto-signon 4-82

customization 4-80

deny-message 4-81

filter 4-83

home page 4-82

html-content filter 4-81

keep-alive-ignore 4-85

port forward 4-84

port-forward-name 4-85

sso-server 4-86

url-list 4-83

Group Policy window

add or edit, General tab 5-5

H

hairpinning 1-27

hardware client, group policy attributes 4-64

HMAC hashing method 1-2, 10-4

hold-period 7-17

homepage

group policy attribute for Clientless SSL VPN 4-82

username attribute for Clientless SSL VPN 4-95

hosts file

errors 22-1

reconfiguring 22-2

WebVPN 22-2

html-content-filter

group policy attribute for Clientless SSL VPN 4-81

username attribute for Clientless SSL VPN 4-94

HTTP compression, Clientless SSL VPN, enabling 4-86, 4-100

HTTP redirection for login, Easy VPN client on the ASA 5505 8-12

HTTPS for WebVPN sessions 15-22

hub-and-spoke VPN scenario 1-27

I

idle timeout

hardware client user, group policy 4-65

username attribute 4-90

ID method for ISAKMP peers, determining 1-13

IKE

benefits 1-2, 10-4

creating policies 1-11

keepalive setting, tunnel group 4-4

pre-shared key, Easy VPN client on the ASA 5505 8-7

See also ISAKMP

IKEv1 1-19

Individual user authentication 8-12

inheritance

tunnel group 4-1

username attribute 4-89

intercept DHCP, configuring 4-55

interfaces

configuring for remote access 6-7

internal group policy, configuring 4-40

Internet Security Association and Key Management Protocol

See ISAKMP

IP addresses

configuring an assignment method for remote access clients 5-1

configuring for VPNs 5-1

configuring local IP address pools 5-3

IP phone 8-8

IP phone bypass, group policy 4-66

IPSec

modes 2-2

over UDP, group policy, configuring attributes 4-63

remote-access tunnel group 4-8

setting maximum active VPN sessions 3-3

IPsec

access list 1-29

basic configuration with static crypto maps 1-32

Cisco VPN Client 1-2

configuring 1-1, 1-18

crypto map entries 1-19

fragmentation policy 1-15

over NAT-T, enabling 1-14

over TCP, enabling 1-15

SA lifetimes, changing 1-31

tunnel 1-19

view configuration commands table 1-37

IPSec parameters, tunnel group 4-4

ipsec-ra, creating an IPSec remote-access tunnel 4-8

ISAKMP

about 1-2

configuring 1-1

determining an ID method for peers 1-13

disabling in aggressive mode 1-13

enabling on the outside interface 6-8

keepalive setting, tunnel group 4-4

See also IKE

J

Java object signing 17-16

K

KCD 16-1, 16-2

before configuring 16-4

KCD status

showing 16-6

keep-alive-ignore

group policy attribute for Clientless SSL VPN 4-85

username attribute for Clientless SSL VPN 4-99

Kerberos tickets

clearing 16-7

showing 16-7

L

L2TP description 2-1

LAN-to-LAN tunnel group, configuring 4-17

Layer 2 Tunneling Protocol 2-1

LDAP

example configuration procedures 13-2 to ??

user authorization 13-13

LEAP Bypass, group policy 4-66

load balancing

cluster configurations 3-10

concepts 3-7

eligible clients 3-9

eligible platforms 3-9

implementing 3-8

mixed cluster scenarios 3-11

platforms 3-9

prerequisites 3-9

login

simultaneous, username attribute 4-89

windows, customizing for users of Clientless SSL VPN sessions 4-27

M

MAC addresses

ASA 5505 device pass-through 8-8

matching, certificate group 1-16, 1-17

maximum active IPSec VPN sessions, setting 3-3

maximum connect time, username attribute 4-90

maximum object size to ignore, username attribute for Clientless SSL VPN 4-99

MD5, IKE policy keywords (table) 1-9, 1-10

Microsoft Active Directory, settings for password management 4-28

Microsoft Internet Explorer client parameters, configuring 4-57

Microsoft KCD 16-1, 16-2

mixed cluster scenarios, load balancing 3-11

MSIE client parameters, configuring 4-57

MTU size, Easy VPN client, ASA 5505 8-5

N

NAC

See Network Admission Control

NAT-T

enabling IPsec over NAT-T 1-14

using 1-15

Network Admission Control

ACL, default 7-10

clientless authentication 7-13

configuring 4-68

exemptions 7-11

revalidation timer 7-10

uses, requirements, and limitations 7-1

network extension mode 8-3

network extension mode, group policy 4-67

Network Ice firewall 4-76

Nokia VPN Client 1-39

O

operating systems, posture validation exemptions 7-11

Outlook Web Access (OWA) and Clientless SSL VPN 18-7

P

password

Clientless SSL VPN 18-1

password management, Active Directory settings 4-28

passwords

username, setting 4-88

WebVPN 19-22

password-storage, username attribute 4-93

PAT

Easy VPN client mode 8-3

peers

alerting before disconnecting 1-16

ISAKMP, determining ID method 1-13

performance, optimizing for WebVPN 17-18

permit in a crypto map 1-23

port-forward

group policy attribute for Clientless SSL VPN 4-84

username attribute for Clientless SSL VPN 4-98

Port Forwarding

configuring client applications 18-6

port-forward-name

group policy attribute for Clientless SSL VPN 4-85

username attribute for Clientless SSL VPN 4-98

posture validation

exemptions 7-11

revalidation timer 7-10

uses, requirements, and limitations 7-1

PPPoE, configuring 9-1 to 9-5

pre-shared key, Easy VPN client on the ASA 5505 8-7

printers 8-8

privilege level, username, setting 4-88

proxy

See e-mail proxy

proxy bypass 17-17

R

reboot, waiting until active sessions end 1-16

redundancy, in site-to-site VPNs, using crypto maps 1-37

remote access

IPSec tunnel group, configuring 4-8

restricting 4-92

tunnel group, configuring default 4-7

VPN, configuring 6-1, 6-15

remote management, ASA 5505 8-9

revalidation timer, Network Admission Control 7-10

rewrite, disabling 17-16

S

SAs, lifetimes 1-31

secure unit authentication 8-12

secure unit authentication, group policy 4-64

security, WebVPN 19-5

Security Agent, Cisco 4-76

security association

clearing 1-38

See also SAs

security attributes, group policy 4-61

SHA, IKE policy keywords (table) 1-9, 1-10

showing cached Kerberos tickets 16-7

showing KCD status 16-6

simultaneous logins, username attribute 4-89

single sign-on

See SSO

single-signon

group policy attribute for Clientless SSL VPN 4-86

username attribute for Clientless SSL VPN 4-100

site-to-site VPNs, redundancy 1-37

smart tunnels 17-4

split tunneling

ASA 5505 as Easy VPN client 8-8

group policy 4-51

group policy, domains 4-55

SSL

certificate 15-25

used to access the security appliance 15-21

SSL/TLS encryption protocols

configuring 15-25

SSL VPN Client

compression 11-18

DPD 11-16

enabling

permanent installation 11-8

installing

order 11-7

keepalive messages 11-17

viewing sessions 11-20

sso-server

group policy attribute for Clientless SSL VPN 4-86

username attribute for Clientless SSL VPN 4-100

SSO with WebVPN 19-5 to ??

configuring HTTP Basic and NTLM authentication 19-6

configuring HTTP form protocol 19-12

configuring SiteMinder 19-7, 19-10

Sun Microsystems Java™ Runtime Environment (JRE) and Clientless SSL VPN 18-6

Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 15-9

SVC

See SSL VPN Client

Sygate Personal Firewall 4-76

T

TCP

ASA 5505 as Easy VPN client 8-4

TLS1, used to access the security appliance 15-21

toolbar, floating, WebVPN 19-3, 21-3

transform set

creating 6-1, 6-10

definition 1-19

Trusted Flow Acceleration

failover 2-8

modes 2-8

trustpoint, ASA 5505 client 8-7

tunnel

ASA 5505 as Easy VPN client 8-5

IPsec 1-19

security appliance as a tunnel endpoint 1-2

tunnel group

ASA 5505 as Easy VPN client 8-7

configuring 4-6

creating 4-8

default 1-18, 4-1, 4-2

default, remote access, configuring 4-7

default LAN-to-LAN, configuring 4-17

definition 4-1, 4-2

general parameters 4-3

inheritance 4-1

IPSec parameters 4-4

LAN-to-LAN, configuring 4-17

name and type 4-8

remote access, configuring 6-11

remote-access, configuring 4-8

tunnel-group

general attributes 4-3

tunnel-group ISAKMP/IKE keepalive settings 4-4

tunneling, about 1-1

tunnel mode 2-2

U

url-list

group policy attribute for Clientless SSL VPN 4-83

username attribute for Clientless SSL VPN 4-97

user, VPN

definition 4-1

user access, restricting remote 4-92

user authentication, group policy 4-65

username

clientless authentication 7-14

Clientless SSL VPN 18-1

management tunnels 8-9

WebVPN 19-22

Xauth for Easy VPN client 8-4

username attributes

access hours 4-89

configuring 4-87, 4-88

group-lock 4-92

inheritance 4-89

password, setting 4-88

password-storage 4-93

privilege level, setting 4-88

simultaneous logins 4-89

vpn-filter 4-90

vpn-framed-ip-address 4-91

vpn-idle timeout 4-90

vpn-session-timeout 4-90

vpn-tunnel-protocol 4-92

username attributes for Clientless SSL VPN

auto-signon 4-99

customization 4-95

deny message 4-96

filter (access list) 4-96

homepage 4-95

html-content-filter 4-94

keep-alive ignore 4-99

port-forward 4-98

port-forward-name 4-98

sso-server 4-100

url-list 4-97

username configuration, viewing 4-87

username webvpn mode 4-93

U-turn 1-27

V

virtual cluster 3-7

IP address 3-7

master 3-7

VLAN mapping 4-44

VPN

address pool, configuring (group-policy) 4-41

parameters, general, setting 3-1

setting maximum number of IPSec sessions 3-3

VPN Client, IPsec attributes 1-2

vpn-filter username attribute 4-90

vpn-framed-ip-address username attribute 4-91

VPN hardware client, group policy attributes 4-64

vpn-idle-timeout username attribute 4-90

vpn load balancing

See load balancing 3-7

vpn-session-timeout username attribute 4-90

vpn-tunnel-protocol username attribute 4-92

W

web browsing with Clientless SSL VPN 18-4

web e-mail (Outlook Web Access) 16-15

WebVPN

authenticating with digital certificates 19-21, 19-22

client application requirements 19-23

client requirements 19-23

configuring

e-mail 16-14

configuring WebVPN and ASDM on the same interface 15-22

defining the end-user interface 19-1, 21-1

definition 14-1

e-mail 16-14

e-mail proxies 16-14

end user set-up 21-1

floating toolbar 19-3, 21-3

group policy attributes, configuring 17-2

hosts file 22-2

hosts files, reconfiguring 22-2

Java object signing 17-16

security precautions 19-5

security tips 19-23

setting HTTP/HTTPS proxy 15-23

supported applications 19-23

troubleshooting 22-1

use of HTTPS 15-22

usernames and passwords 19-22

use suggestions 18-2, 19-23, 21-1

WebVPN, Application Access Panel 19-2, 21-2

webvpn attributes

group policy 4-79

welcome message, group policy 4-41

WINS server, configuring 4-50

X

Xauth, Easy VPN client 8-4

Z

Zone Labs firewalls 4-76

Zone Labs Integrity Server 4-73