Cisco ASDM User Guide, 6.1
General VPN Setup


Table Of Contents

General

Client Software

Edit Client Update Entry

Default Tunnel Gateway

Group Policies

Add/Edit External Group Policy

Add AAA Server Group

Adding or Editing a Remote Access Internal Group Policy, General Attributes

Configuring the Portal for a Group Policy

Configuring Customization for a Group Policy

Adding or Editing a Site-to-Site Internal Group Policy

Browse Time Range

Add/Edit Time Range

Add/Edit Recurring Time Range

ACL Manager

Standard ACL

Extended ACL

Add/Edit/Paste ACE

Browse Source/Destination Address

Browse Source/Destination Port

Add TCP Service Group

Browse ICMP

Add ICMP Group

Browse Other

Add Protocol Group

Add/Edit Internal Group Policy > Servers

Add/Edit Internal Group Policy > IPSec Client

Client Access Rules

Add/Edit Client Access Rule

Add/Edit Internal Group Policy > Client Configuration Tab

Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab

View/Config Banner

Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab

Add or Edit Internal Group Policy > Advanced > IE Browser Proxy

Add/Edit Standard Access List Rule

Add/Edit Internal Group Policy > Client Firewall Tab

Add/Edit Internal Group Policy > Hardware Client Tab

Add/Edit Server and URL List

Add/Edit Server or URL

Configuring SSL VPN Connections

Setting the Basic Attributes for an SSL VPN Connection

Setting Advanced Attributes for an IPSec or SSL VPN Connection

Setting General Attributes for an IPSec or SSL VPN Connection

Configuring SSL VPN Client Connections

ACLs

Configuring Clientless SSL VPN Connections

Add or Edit Clientless SSL VPN Connections

Add or Edit Clientless SSL VPN Connections > Basic

Add or Edit Clientless SSL VPN Connections > Advanced

Add or Edit Clientless SSL VPN Connections > Advanced > General

Add or Edit Clientless SSL VPN Connection Profile or IPSec Connection Profiles> Advanced > Authentication

Assign Authentication Server Group to Interface

Add or Edit SSL VPN Connections > Advanced > Authorization

Assign Authorization Server Group to Interface

Add or Edit SSL VPN Connections > Advanced > SSL VPN

Add or Edit Clientless SSL VPN Connections > Advanced > SSL VPN

Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers

Configure DNS Server Groups

Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN

IPSec Remote Access Connection Profiles

Add or Edit an IPSec Remote Access Connection Profile

Add or Edit IPSec Remote Access Connection Profile Basic

Mapping Certificates to IPSec or SSL VPN Connection Profiles

Configure Site-to-Site Tunnel Groups

Add/Edit Site-to-Site Connection

Adding or Editing a Site-to-Site Tunnel Group

Crypto Map Entry

Crypto Map Entry for Static Peer Address

Managing CA Certificates

Install Certificate

Configure Options for CA Certificate

Revocation Check Tab

Add/Edit Remote Access Connections > Advanced > General

Configuring Client Addressing

Add/Edit Tunnel Group > General Tab > Authentication

Add/Edit SSL VPN Connection > General > Authorization

Add/Edit SSL VPN Connections > Advanced > Accounting

Add/Edit Tunnel Group > General > Client Address Assignment

Add/Edit Tunnel Group > General > Advanced

Add/Edit Tunnel Group > IPSec for Remote Access > IPSec

Add/Edit Tunnel Group for Site-to-Site VPN

Add/Edit Tunnel Group > PPP

Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General > Basic

Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec

Add/Edit Tunnel Group > Clientless SSL VPN Access > General > Basic

Add/Edit Tunnel Group > Clientless SSL VPN > Basic

Configuring Internal Group Policy IPSec Client Attributes

Configuring Client Addressing for SSL VPN Connections

Assign Address Pools to Interface

Select Address Pools

Add or Edit an IP Address Pool

Authenticating SSL VPN Connections

System Options

Configuring SSL VPN Connections, Advanced

Configuring Split Tunneling

Zone Labs Integrity Server

Easy VPN Remote

Advanced Easy VPN Properties


General


A virtual private network is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANs, or remote users to a LAN. VPNs provide privacy and security by requiring all users to authenticate and by encrypting all data traffic.

Client Software

The Client Software pane lets administrators at a central location do the following actions:

Enable client update; specify the types and revision numbers of clients to which the update applies.

Provide a URL or IP address from which to get the update.

In the case of Windows clients, optionally notify users that they should update their VPN client version.


Note The Client Update function at Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Upload Software > Client Software applies only to the IPSec VPN client (for Windows, MAC OS X, and Linux) and the VPN 3002 hardware client. It does not apply to the Cisco AnyConnect VPN client, which is updated by the security appliance automatically when it connects.


For the IPSec VPN client, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. You can apply client updates only to the IPSec remote-access tunnel-group type.


Note If you try to do a client update to an IPSec Site-to-Site connection or a Clientless VPN connection, you do not receive an error message, but no update notification or client update goes to those types of connections.


To enable client update globally for all clients of a particular client type, use this window. You can also notify all Windows, MAC OS X, and Linux clients that an upgrade is needed and initiate an upgrade on all VPN 3002 hardware clients from this window. To configure the client revisions to which the update applies and the URL or IP address from which to download the update, click Edit.

To configure client update revisions and software update sources for a specific tunnel group, see Configuration > Remote Access VPN > Network (Client) Access > IPSec > Add/Edit > Advanced > IPSec > Client Software Update.

Fields

Enable Client Update—Enables or disables client update, both globally and for specific tunnel groups. You must enable client update before you can send a client update notification to Windows, MAC OS X, and Linux VPN clients, or initiate an automatic update to hardware clients.

Client Type—Lists the clients to upgrade: software or hardware, and for Windows software clients, all Windows or a subset. If you click All Windows Based, do not specify Windows 95, 98 or ME and Windows NT, 2000 or XP individually. The hardware client gets updated with a release of the ASA 5505 software or of the VPN 3002 hardware client.

VPN Client Revisions—Contains a comma-separated list of software image revisions appropriate for this client. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and, for Windows-based clients, the user does not receive an update notification. The following caveats apply:

The revision list must include the software version for this update.

Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the hardware client.

The TFTP server for distributing the hardware client image must be a robust TFTP server.

A VPN client user must download an appropriate software version from the listed URL.

The VPN 3002 hardware client software is automatically updated via TFTP, with no notification to the user.

Image URL—Contains the URL or IP address from which to download the software image. This URL must point to a file appropriate for this client. For Windows, MAC OS X, and Linux-based clients, the URL must be in the form: http:// or https://. For hardware clients, the URL must be in the form tftp://.

For Windows, MAC OS X, and Linux-based VPN clients: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.

For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin

Edit—Opens the Edit Client Update Entry dialog box, which lets you configure or change client update parameters. See Edit Client Update Entry.

Live Client Update—Sends an upgrade notification message to all currently connected VPN clients or selected tunnel group(s).

Tunnel Group—Selects all or specific tunnel group(s) for updating.

Update Now—Immediately sends an upgrade notification containing a URL specifying where to retrieve the updated software to the currently connected VPN clients in the selected tunnel group or all connected tunnel groups. The message includes the location from which to download the new version of software. The administrator for that VPN client can then retrieve the new software version and update the VPN client software.

For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification.

You must check Enable Client Update in the window for the upgrade to work. Clients that are not connected receive the upgrade notification or automatically upgrade the next time they log on.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Edit Client Update Entry

The Edit Client Update dialog box lets you change information about VPN client revisions and URLs for the indicated client types. The clients must be running one of the revisions specified for the indicated client type. If not, the clients are notified that an upgrade is required.

Fields

Client Type—(Display-only) Displays the client type selected for editing.

VPN Client Revisions—Lets you type a comma-separated list of software or firmware images appropriate for this client. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client. If the client is not running a software version on the list, an update is in order. The user of a Windows, MAC OS X, or Linux-based VPN client must download an appropriate software version from the listed URL. The VPN 3002 hardware client software is automatically updated via TFTP.

Image URL—Lets you type the URL for the software/firmware image. This URL must point to a file appropriate for this client.

For a Windows, MAC OS X, or Linux-based VPN client, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.

For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin

The directory is optional.
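The Image URL and VPN Client Revisions rules stated in both the Client Software pane and this Edit Client Update Entry dialog (http:// or https:// for Windows, MAC OS X and Linux clients, tftp:// for the hardware client, optional port and directory, exact revision matching, and a revision list that must contain the update's own version) can be checked before an entry is saved. The following Python is an added example, not Cisco code or an ASDM feature; the client-type labels, function names and constructed revision strings are assumptions, while the two sample URLs are the guide's own examples.

```python
"""Validator for ASDM client-update entries.

Added example, not Cisco code: it applies the rules given in the Client
Software pane and the Edit Client Update Entry dialog. Client-type labels,
function names and the constructed sample revisions are assumptions.
"""
from typing import List
from urllib.parse import urlsplit

# Constructed labels for the client types the guide names.
SOFTWARE_CLIENTS = {"windows", "mac_os_x", "linux"}   # IPSec VPN software clients
HARDWARE_CLIENTS = {"vpn3002"}                          # VPN 3002 hardware client


def parse_revisions(revision_field: str) -> List[str]:
    """Split the comma-separated VPN Client Revisions field, dropping blanks."""
    return [r.strip() for r in revision_field.split(",") if r.strip()]


def needs_update(client_revision: str, revision_field: str) -> bool:
    """True when the connecting client is not running one of the listed revisions.

    The guide requires an exact match, so no prefix or version-range logic is used.
    """
    return client_revision.strip() not in parse_revisions(revision_field)


def validate_image_url(client_type: str, url: str) -> List[str]:
    """Return the problems found with an Image URL for this client type ([] means OK)."""
    problems = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if client_type in SOFTWARE_CLIENTS:
        # Windows, MAC OS X and Linux clients: http:// or https:// only.
        if scheme not in ("http", "https"):
            problems.append("software clients require an http:// or https:// URL")
    elif client_type in HARDWARE_CLIENTS:
        # The hardware client fetches its image over TFTP.
        if scheme != "tftp":
            problems.append("hardware clients require a tftp:// URL")
    else:
        problems.append("unknown client type %r" % client_type)
    if not parts.hostname:
        problems.append("URL has no server address (IP address or hostname)")
    # The directory is optional, but the URL must end in the image filename.
    if not parts.path or parts.path.endswith("/"):
        problems.append("URL must end in the image filename")
    try:
        parts.port  # the port is optional; if present it must be a valid number
    except ValueError:
        problems.append("port is not a valid number")
    return problems


def validate_entry(client_type: str, revision_field: str, url: str,
                   update_version: str) -> List[str]:
    """Check a whole entry, including the caveat that the revision list must
    contain the version of the software the URL points to."""
    problems = validate_image_url(client_type, url)
    revisions = parse_revisions(revision_field)
    if not revisions:
        problems.append("VPN Client Revisions is empty")
    elif update_version not in revisions:
        problems.append("revision list must include the update's own version %r"
                        % update_version)
    return problems


if __name__ == "__main__":
    # The two URLs are the guide's own examples; the revision strings are constructed.
    print(validate_entry("windows", "4.6.Rel, 4.7.Rel",
                         "http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe", "4.6.Rel"))
    print(validate_entry("vpn3002", "4.1.Rel",
                         "tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin", "4.1.Rel"))
    print(needs_update("4.5.Rel", "4.6.Rel, 4.7.Rel"))
```

The check is deliberately strict about the scheme: an entry that points a hardware client at an http:// URL, or a software client at tftp://, is accepted by a plain URL parser but can never be fetched by the client the guide describes, so it is better rejected at configuration time than discovered when the Launch button does nothing.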

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Default Tunnel Gateway

To configure the default tunnel gateway, click the Static Route link in this window. The Configuration > Routing > Routing > Static Route window opens.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Group Policies

The Group Policies window lets you manage VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS or LDAP server. Configuring the VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.

The "child" windows and dialog boxes let you configure the group parameters, including those for the default group. The default group parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this default group, and users can "inherit" parameters from their group or the default group. You can override these parameters as you configure groups and users.

You can configure either an internal or an external group policy. An internal group policy is stored locally, and an external group policy is stored externally on a RADIUS or LDAP server. Clicking Edit opens a similar dialog box on which you can create a new group policy or modify an existing one.

In these dialog boxes, you configure the following kinds of parameters:

General attributes: Name, banner, address pools, protocols, filtering, and connection settings.

Servers: DNS and WINS servers, DHCP scope, and default domain name.

Advanced attributes: Split tunneling, IE browser proxy, SSL VPN Client and AnyConnect Client, and IPSec Client.

Before configuring these parameters, you should configure:

Access hours.

Rules and filters.

IPSec Security Associations.

Network lists for filtering and split tunneling.

User authentication servers, and specifically the internal authentication server.

Fields

Group Policy—Lists the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN group policies.

Name—Lists the name of the currently configured group policies.

Type—Lists the type of each currently configured group policy.

Tunneling Protocol—Lists the tunneling protocol that each currently configured group policy uses.

AAA Server Group—Lists the AAA server group, if any, to which each currently configured group policy pertains.

Add—Offers a drop-down menu on which you can select whether to add an internal or an external group policy. If you simply click Add, then by default, you create an internal group policy. Clicking Add opens the Add Internal Group Policy dialog box or the Add External Group Policy dialog box, which let you add a new group policy to the list. This dialog box includes three menu sections. Click each menu item to display its parameters. As you move from item to item, ASDM retains your settings. When you have finished setting parameters on all menu sections, click Apply or Cancel.

Edit—Displays the Edit Group Policy dialog box, which lets you modify an existing group policy.

Delete—Lets you remove a group policy from the list. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit External Group Policy

The Add or Edit External Group Policy dialog box lets you configure an external group policy.

Fields

Name—Identifies the group policy to be added or changed. For Edit External Group Policy, this field is display-only.

Server Group—Lists the available server groups to which to apply this policy.

Password—Specifies the password for this server group policy.

New—Opens a dialog box that lets you select whether to create a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add AAA Server Group

The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

Fields

Server Group—Specifies the name of the server group.

Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.

Accounting Mode—Indicates whether to use simultaneous or single accounting mode. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.

Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.

Dead Time—Specifies, for depletion mode, the number of minutes (0 through 1440) that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default value is 10 minutes. This field is not available for timed mode.

Max Failed Attempts— Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive. The default value is 3 attempts.
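The Reactivation Mode, Dead Time and Max Failed Attempts fields together determine when the security appliance stops sending requests to a server and when it tries that server again. The following Python model, added here and not part of ASDM or the ASA software, simulates the behaviour as the field descriptions state it: a server becomes inactive after Max Failed Attempts unanswered requests; in Depletion mode all servers are re-enabled Dead Time minutes after the last one went inactive; in Timed mode each failed server is retried after 30 seconds. The class and server names, the simulated clock in seconds and the selection order (first active server in list order) are assumptions.

```python
"""Simulation of AAA server-group failover and reactivation.

Added example, not ASA/ASDM code: it models the behaviour the Reactivation
Mode, Dead Time and Max Failed Attempts fields describe. Class names, the
simulated clock (seconds) and list-order server selection are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30   # Timed mode: a failed server returns after 30 seconds


@dataclass
class AAAServer:
    name: str
    failed_attempts: int = 0
    active: bool = True
    deactivated_at: Optional[float] = None   # simulated clock value when marked inactive


@dataclass
class AAAServerGroup:
    servers: List[AAAServer]
    reactivation_mode: str = "depletion"   # "depletion" or "timed"
    dead_time_minutes: int = 10            # depletion mode only; default 10, range 0..1440
    max_failed_attempts: int = 3           # default 3, range 1..5
    depleted_at: Optional[float] = None    # when the last server in the group went inactive

    def __post_init__(self) -> None:
        # Enforce the ranges the dialog accepts.
        if self.reactivation_mode not in ("depletion", "timed"):
            raise ValueError("reactivation mode must be 'depletion' or 'timed'")
        if not 0 <= self.dead_time_minutes <= 1440:
            raise ValueError("dead time must be 0..1440 minutes")
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("max failed attempts must be 1..5")

    def record_failure(self, server: AAAServer, now: float) -> None:
        """A request to `server` went unanswered at simulated time `now`."""
        server.failed_attempts += 1
        if server.active and server.failed_attempts >= self.max_failed_attempts:
            server.active = False
            server.deactivated_at = now
            # Depletion mode: the dead-time clock starts when the last server goes down.
            if self.reactivation_mode == "depletion" and not any(s.active for s in self.servers):
                self.depleted_at = now

    def record_success(self, server: AAAServer) -> None:
        """A successful exchange resets the server's failure counter."""
        server.failed_attempts = 0

    def _reactivate(self, now: float) -> None:
        if self.reactivation_mode == "timed":
            # Each failed server is retried on its own after the fixed down time.
            for s in self.servers:
                if not s.active and now - s.deactivated_at >= TIMED_REACTIVATION_SECONDS:
                    s.active, s.failed_attempts = True, 0
        elif self.depleted_at is not None and now - self.depleted_at >= self.dead_time_minutes * 60:
            # All servers are re-enabled together once Dead Time has elapsed.
            for s in self.servers:
                s.active, s.failed_attempts = True, 0
            self.depleted_at = None

    def select_server(self, now: float) -> Optional[AAAServer]:
        """Return the server the next request should go to, or None if all are inactive."""
        self._reactivate(now)
        for s in self.servers:
            if s.active:
                return s
        return None

    def active_names(self) -> List[str]:
        return [s.name for s in self.servers if s.active]


if __name__ == "__main__":
    # Constructed scenario: two RADIUS servers, depletion mode, guide defaults.
    group = AAAServerGroup([AAAServer("radius-1"), AAAServer("radius-2")])
    first, second = group.servers
    for _ in range(3):
        group.record_failure(first, now=0)
    print("after 3 failures on radius-1:", group.active_names())
    for _ in range(3):
        group.record_failure(second, now=5)
    print("group depleted, next server at t=6:", group.select_server(now=6))
    print("after dead time:", group.select_server(now=5 + 10 * 60).name)
```

The model makes the operational difference between the two modes visible: in Depletion mode a group whose last server has just failed answers no requests for the whole Dead Time, whereas in Timed mode a server is retried after 30 seconds even if the others are still healthy, so a flapping server is probed more often.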

Adding or Editing a Remote Access Internal Group Policy, General Attributes

The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes on this dialog box.

Fields

The following attributes appear in the Add Internal Group Policy > General window. Some apply to SSL VPN and IPSec sessions, others to clientless SSL VPN sessions; thus several are present for one type of session but not the other.

Name—Specifies the name of this group policy. For the Edit function, this field is read-only.

Banner—Specifies the banner text to present to users at login. The length can be up to 491 characters. There is no default value.

Address Pools—(Network (Client) Access only) Specifies the name of one or more address pools to use for this group policy.

Select—(Network (Client) Access only) Opens the Select Address Pools window, which shows the pool name, starting and ending addresses, and subnet mask of address pools available for client address assignment and lets you select, add, edit, delete, and assign entries from that list.

More Options—Displays additional configurable options for this group policy.

Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:

Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to a security appliance; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL VPN client.

IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and client-to-LAN connections can use IPSec.

L2TP over IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.


Note If you do not select a protocol, an error message appears.


Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Group Policy window.

Web ACL—(Clientless SSL VPN only) Select an access control list (ACL) from the drop-down list if you want to filter traffic. Click Manage next to the list if you want to view, modify, add, or remove ACLs before making a selection.

Manage—Displays the ACL Manager window, with which you can add, edit, and delete Access Control Lists (ACLs) and Access Control Entries (ACEs). For more information about the ACL Manager, see the online Help for that window.

NAC Policy—Selects the name of a Network Admission Control policy to apply to this group policy. You can assign an optional NAC policy to each group policy. The default value is --None--.

Manage—Opens the Configure NAC Policy dialog box. After configuring one or more NAC policies, the NAC policy names appear as options in the drop-down list next to the NAC Policy attribute.

Access Hours—Selects the name of an existing access hours policy, if any, to apply to this user, or lets you create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.

Manage—Opens the Browse Time Range dialog box, on which you can add, edit, or delete a time range.

Simultaneous Logins—Specifies the maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.


Note While there is no maximum limit, allowing several simultaneous connections might compromise security and affect performance.


Restrict Access to VLAN—(Optional) Also called "VLAN mapping," this parameter specifies the egress VLAN interface for sessions to which this group policy applies. The security appliance forwards all traffic on this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only the VLANs that are configured on this security appliance.


Note This feature works for HTTP connections, but not for FTP and CIFS.


Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 35791394 minutes (over 4000 years). To allow unlimited connection time, select Unlimited (the default).

Idle Timeout—If the Inherit check box is not selected, this parameter specifies this user's idle timeout period in minutes. If there is no communication activity on the user's connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. The default is 30 minutes. To allow unlimited connection time, select Unlimited. This value does not apply to Clientless SSL VPN users.

On smart card removal—With the default option, Disconnect, the client tears down the connection if the smart card used for authentication is removed. Click Keep the connection if you do not want to require users to keep their smart cards in the computer for the duration of the connection.
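The inheritance rule given under Group Policies (a user inherits from the group policy, which inherits from the default group policy, and Inherit is the default for every attribute in this dialog box) and the limits stated for the fields above can be expressed as a small resolver and validator. The following Python is an added example, not ASDM code; the attribute keys, the INHERIT sentinel standing for a checked Inherit box, the sample policies and the default group policy's tunneling-protocol set are constructed assumptions (the text gives no default for that set).

```python
"""Group-policy attribute inheritance and field validation.

Added example, not ASDM code. It implements the user -> group policy ->
default group policy inheritance described under Group Policies and the
limits stated for the General attributes. Attribute keys, the INHERIT
sentinel, the sample policies and the default tunneling-protocol set are
constructed assumptions.
"""
from typing import Any, Dict, List

INHERIT = object()        # stands for a checked Inherit check box
UNLIMITED = "Unlimited"

# Defaults the field descriptions give; tunneling_protocols is an assumed value.
DEFAULT_GROUP_POLICY: Dict[str, Any] = {
    "banner": None,                      # no default banner
    "tunneling_protocols": {"ipsec"},    # assumed; the text states no default set
    "simultaneous_logins": 3,
    "max_connect_time": UNLIMITED,       # minutes, or Unlimited
    "idle_timeout": 30,                  # minutes, or Unlimited
    "vlan": "Unrestricted",
    "access_hours": "Unrestricted",
}


def resolve_policy(user: Dict[str, Any], group: Dict[str, Any],
                   default: Dict[str, Any] = DEFAULT_GROUP_POLICY) -> Dict[str, Any]:
    """Compute the effective attributes for a session.

    A value comes from the user record; if it is missing or INHERIT, from the
    group policy; if that is missing or INHERIT too, from the default group policy.
    """
    effective = {}
    for attr, base_value in default.items():
        value = base_value
        for level in (group, user):          # later levels override earlier ones
            candidate = level.get(attr, INHERIT)
            if candidate is not INHERIT:
                value = candidate
        effective[attr] = value
    return effective


def _in_range_or_unlimited(value: Any, low: int, high: int) -> bool:
    return value == UNLIMITED or (isinstance(value, int) and low <= value <= high)


def validate_policy(policy: Dict[str, Any]) -> List[str]:
    """Return the problems with an effective policy ([] means it is acceptable)."""
    problems = []
    banner = policy.get("banner")
    if banner is not None and len(banner) > 491:
        problems.append("banner exceeds 491 characters")
    if not policy.get("tunneling_protocols"):
        # The dialog raises an error if no protocol is selected.
        problems.append("at least one tunneling protocol must be selected")
    logins = policy.get("simultaneous_logins")
    if not isinstance(logins, int) or logins < 0:
        problems.append("simultaneous logins must be an integer of 0 or more")
    if not _in_range_or_unlimited(policy.get("max_connect_time"), 1, 35791394):
        problems.append("maximum connect time must be 1..35791394 minutes or Unlimited")
    if not _in_range_or_unlimited(policy.get("idle_timeout"), 1, 10080):
        problems.append("idle timeout must be 1..10080 minutes or Unlimited")
    return problems


def login_enabled(policy: Dict[str, Any]) -> bool:
    """A Simultaneous Logins value of 0 disables login for the session's users."""
    return policy.get("simultaneous_logins", 0) > 0


if __name__ == "__main__":
    # Constructed sample: the group overrides banner, protocols and idle timeout;
    # the user pins simultaneous logins to 1 and inherits everything else.
    group = {"banner": "Authorized use only", "simultaneous_logins": INHERIT,
             "idle_timeout": 15, "tunneling_protocols": {"ssl_vpn_client", "clientless_ssl_vpn"}}
    user = {"simultaneous_logins": 1, "idle_timeout": INHERIT}
    effective = resolve_policy(user, group)
    print(effective)
    print("problems:", validate_policy(effective), "login enabled:", login_enabled(effective))
```

Resolving the effective policy explicitly is worth doing before changing the default group policy: because every attribute inherits by default, an edit to the default group policy silently changes the limits (simultaneous logins, idle timeout, allowed protocols) of every group and user that never overrode them.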

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Configuring the Portal for a Group Policy

The Portal attributes determine what appears on the portal page for members of this group policy establishing Clientless SSL VPN connections. On this pane, you can enable Bookmark lists and URL Entry, file server access, Port Forwarding and Smart Tunnels, ActiveX Relay, and HTTP settings.

Fields

Bookmark List—Select a previously-configured Bookmark list or click Manage to create a new one. Bookmarks appear as links, from which users can navigate from the portal page.

URL Entry—Enable to allow remote users to enter URLs directly into the portal URL field.

File Access Control—Controls the visibility of "hidden shares" for Common Internet File System (CIFS) files. A hidden share is identified by a dollar sign ($) at the end of the share name. For example, drive C is shared as C$. With hidden shares, a shared folder is not displayed, and users are restricted from browsing or accessing these hidden resources.

File Server Entry—Enable to allow remote users to enter the name of a file server.

File Server Browsing—Enable to allow remote users to browse for available file servers.

Hidden Share Access—Enable to hide shared folders.

Port Forwarding Control—Provides users access to TCP-based applications over a Clientless SSL VPN connection through a Java Applet.

Port Forwarding List—Select a previously-configured list of TCP applications to associate with this group policy. Click Manage to create a new list or to edit an existing list.

Auto Applet Download—Enables automatic installation and starting of the Applet the first time the user logs in.

Applet Name—Changes the title bar name of the Applet window to the name you designate. By default, the name is Application Access.

Smart Tunnel—Connects a Winsock 2, TCP-based application installed on the end station to a server on the intranet, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server.

Smart Tunnel List—Select the list name from the drop-down menu if you want to provide smart tunnel access. Assigning a smart tunnel list to a group policy or username enables smart tunnel access for all users whose sessions are associated with the group policy or username, but restricts smart tunnel access to the applications specified in the list. To view, add, modify, or delete a smart tunnel list, click the adjacent Manage button.

Auto Start (Smart Tunnel List)—Check to start smart tunnel access automatically upon user login. Uncheck to enable smart tunnel access upon user login, but require the user to start it manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN Portal Page.

Auto Sign-on Server List—Select the list name from the drop-down menu if you want to reissue the user credentials when the user establishes a smart tunnel connection to a server. Each smart tunnel auto sign-on list entry identifies a server with which to automate the submission of user credentials. To view, add, modify, or delete a smart tunnel auto sign-on list, click the adjacent Manage button.

Domain Name (Optional)—Specify the Windows domain to add it to the username during auto sign-on, if the universal naming convention (domain\username) is required for authentication. For example, enter CISCO to specify CISCO\jsmith when authenticating for the username jsmith. You must also check the "Use Windows domain name with user name" option when configuring associated entries in the auto sign-on server list.

ActiveX Relay—Lets Clientless users launch ActiveX from the browser. The applications use the session to download and upload ActiveX controls. The ActiveX relay remains in force until the Clientless SSL VPN session closes.

More Options:

HTTP Proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.

Auto Start (HTTP Proxy)—Check to enable HTTP Proxy automatically upon user login. Uncheck to enable HTTP Proxy upon user login, but require the user to start it manually.

HTTP Compression—Enables compression of HTTP data over the Clientless SSL VPN session.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Configuring Customization for a Group Policy

To configure customization for a group policy, select a preconfigured portal customization object, or accept the customization provided in the default group policy. You can also configure a URL to display

Fields

Portal Customization—Configure a customization object for the end user portal.

Inherit—To inherit a portal customization from the default group policy, click Inherit. To specify a previously configured customization object, deselect Inherit and choose the customization object from the drop-down list.

Manage—Click to import a new customization object.

Homepage URL (optional)—To specify a homepage URL for users associated with the group policy, enter it in this field. To inherit a home page from the default group policy, click Inherit. Clientless users are immediately brought to this page after successful authentication. AnyConnect launches the default web browser to this URL upon successful establishment of the VPN connection. On Linux platforms, AnyConnect does not currently support this field and ignores it.

Access Deny Message—To create a message to users for whom access is denied, enter it in this field. To accept the message in the default group policy, click Inherit.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Adding or Editing a Site-to-Site Internal Group Policy

The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes on this dialog box.

Fields

The following attributes appear in the Add Internal Group Policy > General window. Some apply to SSL VPN and IPSec sessions, others to clientless SSL VPN sessions; thus several are present for one type of session but not the other.

Name—Specifies the name of this group policy. For the Edit function, this field is read-only.

Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:

Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to a security appliance; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.

SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL VPN client.

IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and client-to-LAN connections can use IPSec.

L2TP/IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.


Note If you do not select a protocol, an error message appears.


Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Group Policy window.

Manage—Displays the ACL Manager window, with which you can add, edit, and delete access control lists (ACLs) and the access control entries (ACEs) that make them up. For more information about the ACL Manager, see the online Help for that window.

Browse Time Range

Use the Browse Time Range dialog box to add, edit, or delete a time range. A time range is a reusable component that defines starting and ending times that can be applied to a group policy. After defining a time range, you can select the time range and apply it to different options that require scheduling. For example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional recurring (that is, periodic) entries. For more information about time ranges, see the online Help for the Add or Edit Time Range dialog box.

Fields

Add—Opens the Add Time Range dialog box, on which you can create a new time range.


Note Creating a time range does not restrict access to the device.


Edit—Opens the Edit Time Range dialog box, on which you can modify an existing time range. This button is active only when you have selected an existing time range from the Browse Time Range table.

Delete—Removes a selected time range from the Browse Time Range table. There is no confirmation or undo of this action.

Name—Specifies the name of the time range.

Start Time—Specifies when the time range begins.

End Time—Specifies when the time range ends.

Recurring Entries—Specifies further constraints on when the range is active, within the start and end times specified.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add/Edit Time Range

The Add or Edit Time Range dialog box lets you configure a new time range.

Fields

Time Range Name—Specifies the name that you want to assign to this time range.

Start Time—Defines the time when you want the time range to start.

Start now—Specifies that the time range starts immediately.

Start at—Selects the month, day, year, hour, and minute at which you want the time range to start.

End Time—Defines the time when you want the time range to end.

Never end—Specifies that the time range has no defined end point.

End at (inclusive)—Selects the month, day, year, hour, and minute at which you want the time range to end.

Recurring Time Ranges—Constrains the time range to periodic intervals within its start and end times. For example, if the start time is Start now and the end time is Never end, and you want the time range to be effective every weekday, Monday through Friday, from 8:00 AM to 5:00 PM, you could configure a recurring time range, specifying that it is to be active weekdays from 08:00 through 17:00, inclusive.

Add—Opens the Add Recurring Time Range dialog box, on which you can configure a recurring time range.

Edit—Opens the Edit Recurring Time Range dialog box, on which you can modify a selected recurring time range.

Delete—Removes a selected recurring time range.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add/Edit Recurring Time Range

The Add or Edit Recurring Time Range dialog box lets you configure or modify a recurring time range.

Fields

Specify days of the week and times on which this recurring range will be active—Makes available the options in the Days of the week area. For example, use this option when you want the time range to be active only every Monday through Thursday, from 08:00 through 16:59.

Days of the week—Select the days that you want to include in this recurring time range. Possible options are: Every day, Weekdays, Weekends, and On these days of the week. For the last of these, you can select a check box for each day that you want included in the range.

Daily Start Time—Specifies the hour and minute, in 24-hour format, when you want the recurring time range to be active on each selected day.

Daily End Time (inclusive)—Specifies the hour and minute, in 24-hour format, when you want the recurring time range to end on each selected day.

Specify a weekly interval when this recurring range will be active—Makes available the options in the Weekly Interval area. The range extends inclusively through the end time. All times in this area are in 24-hour format. For example, use this option when you want the time range to be active continuously from Monday at 8:00 AM through Friday at 4:30 PM.

From—Selects the day, hour, and minute when you want the weekly time range to start.

Through—Selects the day, hour, and minute when you want the weekly time range to end.
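The following Python model, added here as an illustration and not part of the ASDM guide or any Cisco software, shows how the Add/Edit Time Range and Add/Edit Recurring Time Range settings above combine: an absolute Start at/End at window (or Start now/Never end), a days-of-the-week entry with an inclusive daily end time, and a weekly interval that may wrap past Sunday. The range names, dates and the minute-granularity comparison are assumptions made for the example.

```python
from datetime import datetime, time

# Weekday numbers follow datetime.weekday(): Monday == 0 ... Sunday == 6.
WEEKDAYS = frozenset(range(0, 5))
WEEKENDS = frozenset({5, 6})
EVERY_DAY = WEEKDAYS | WEEKENDS


def _minute(when):
    """Time ranges are configured to the minute, so compare at minute granularity (assumption)."""
    return when.time().replace(second=0, microsecond=0)


class DailyRecurring:
    """Days-of-the-week entry: active on each listed day from Daily Start Time through
    Daily End Time (inclusive)."""

    def __init__(self, days, start, end):
        self.days, self.start, self.end = frozenset(days), start, end

    def is_active(self, when):
        return when.weekday() in self.days and self.start <= _minute(when) <= self.end


class WeeklyInterval:
    """Weekly-interval entry: active continuously From (day, time) Through (day, time), inclusive."""

    def __init__(self, from_day, from_time, through_day, through_time):
        self.start, self.end = (from_day, from_time), (through_day, through_time)

    def is_active(self, when):
        point = (when.weekday(), _minute(when))
        if self.start <= self.end:
            return self.start <= point <= self.end
        # The interval wraps past Sunday, e.g. Friday 18:00 through Monday 06:00.
        return point >= self.start or point <= self.end


class TimeRange:
    """Absolute start/end (None means Start now / Never end) plus optional recurring entries."""

    def __init__(self, name, start=None, end=None, recurring=()):
        self.name, self.start, self.end = name, start, end
        self.recurring = list(recurring)

    def is_active(self, when):
        stamp = when.replace(second=0, microsecond=0)
        if self.start is not None and stamp < self.start:
            return False
        if self.end is not None and stamp > self.end:      # End at is inclusive
            return False
        # Without recurring entries the range is active for its whole lifetime;
        # with them, it is active only while at least one entry is active.
        return not self.recurring or any(r.is_active(when) for r in self.recurring)


# Constructed sample ranges (not from the guide) matching the examples in the text.
BUSINESS_HOURS = TimeRange("business-hours",
                           recurring=[DailyRecurring(WEEKDAYS, time(8, 0), time(17, 0))])
WORK_WEEK = TimeRange("work-week",
                      recurring=[WeeklyInterval(0, time(8, 0), 4, time(16, 30))])
Q1_ONLY = TimeRange("q1-2024", start=datetime(2024, 1, 1, 0, 0),
                    end=datetime(2024, 3, 31, 23, 59))
ON_CALL = TimeRange("on-call",
                    recurring=[WeeklyInterval(4, time(18, 0), 0, time(6, 0))])

if __name__ == "__main__":
    for rng in (BUSINESS_HOURS, WORK_WEEK, Q1_ONLY, ON_CALL):
        for when in (datetime(2024, 1, 1, 17, 0), datetime(2024, 1, 5, 16, 31),
                     datetime(2024, 4, 1, 0, 0)):
            print(f"{rng.name:15} {when:%a %Y-%m-%d %H:%M} active={rng.is_active(when)}")
```

The point worth checking before attaching a range to an ACE is the inclusive end: a daily end of 17:00 still matches at 17:00, and an absolute End at of 23:59 on the last day still matches that minute, so a rule meant to stop "at 17:00" is active one minute longer than a naive reading suggests.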

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


ACL Manager

The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.

You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.

If you do not define any filters, all connections are permitted.

The security appliance supports only an inbound ACL on an interface.

At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the security appliance denies it. ACEs are referred to as rules in this topic.

Standard ACL

This pane provides summary information about standard ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Address—Displays the IP address or URL of the application or service to which the ACE applies.

Action—Specifies whether this filter permits or denies traffic flow.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Extended ACL

This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.

Fields

Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.

Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.

Delete—Removes an ACL or ACE. There is no confirmation or undo.

Move Up/Move Down—Changes the position of a rule in the ACL Manager table.

Cut—Removes the selection from the ACL Manager table and places it on the clipboard.

Copy—Places a copy of the selection on the clipboard.

Paste—Opens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule.

No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.

Enabled—Enables or disables a rule. Implicit rules cannot be disabled.

Source—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.

Destination—Specifies the IP addresses (Host/Network) to which the IP addresses listed in the Source column are permitted or denied to send traffic. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses; for example 209.165.201.1-209.165.201.30. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.

Service—Names the service and protocol specified by the rule.

Action—Specifies whether this filter permits or denies traffic flow.

Logging —Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and choose Edit Log Option. The Log Options window appears.

Time—Specifies the name of the time range to be applied in this rule.

Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add/Edit/Paste ACE

The Add/Edit/Paste ACE dialog box lets you create a new extended access list rule, or modify an existing rule. The Paste option becomes available only when you cut or copy a rule.

Fields

Action—Determines the action type of the new rule. Select either permit or deny.

Permit—Permits all matching traffic.

Deny—Denies all matching traffic.

Source/Destination—Specifies the source or destination type and, depending on that type, the other relevant parameters describing the source or destination host/network IP Address. Possible values are: any, IP address, Network Object Group, and Interface IP. The availability of subsequent fields depends upon the value of the Type field:

any—Specifies that the source or destination host/network can be any type. For this value of the Type field, there are no additional fields in the Source or Destination area.

IP Address—Specifies the source or destination host or network IP address. With this selection, the IP Address, ellipsis button, and Netmask fields become available. Select an IP address or host name from the drop-down list in the IP Address field or click the ellipsis (...) button to browse for an IP address or name. Select a network mask from the drop-down list.

Network Object Group—Specifies the name of the network object group. Select a name from the drop-down list or click the ellipsis (...) button to browse for a network object group name.

Interface IP—Specifies the interface on which the host or network resides. Select an interface from the drop-down list. The default values are inside and outside. There is no browse function.

Protocol and Service—Specifies the protocol and service to which this ACE filter applies. Service groups let you identify multiple non-contiguous port numbers that you want the ACL to match. For example, if you want to filter HTTP, FTP, and port numbers 5, 8, and 9, define a service group that includes all these ports. Without service groups, you would have to create a separate rule for each port.

You can create service groups for TCP, UDP, TCP-UDP, ICMP, and other protocols. A service group with the TCP-UDP protocol contains services, ports, and ranges that might use either the TCP or UDP protocol.

Protocol—Selects the protocol to which this rule applies. Possible values are ip, tcp, udp, icmp, and other. The remaining available fields in the Protocol and Service area depend upon the protocol you select. The next few bullets describe the consequences of each of these selections:

Protocol: TCP and UDP—Selects the TCP/UDP protocol for the rule. The Source Port and Destination Port areas allow you to specify the ports that the ACL uses to match packets.

Source Port/Destination Port—(Available only for TCP and UDP protocols) Specifies an operator and a port number, a range of ports, or a well-known service name from a list of services, such as HTTP or FTP. The operator list specifies how the ACL matches the port. Choose one of the following operators: = (equals the port number), not = (does not equal the port number), > (greater than the port number), < (less than the port number), range (equal to one of the port numbers in the range).

Group—(Available only for TCP and UDP protocols) Selects a source port service group. The Browse (...) button opens the Browse Source Port or Browse Destination Port dialog box.

Protocol: ICMP—Lets you select an ICMP type or ICMP group from a preconfigured list or browse (...) for an ICMP group. The Browse button opens the Browse ICMP dialog box.

Protocol: IP—Specifies the IP protocol for the rule in the IP protocol box. No other fields are available when you make this selection.

Protocol: Other—Lets you select a protocol from a drop-down list, select a protocol group from a drop-down list, or browse for a protocol group. The Browse (...) button opens the Browse Other dialog box.

Rule Flow Diagram—(Display only) Provides a graphical representation of the configured rule flow. This same diagram appears on the ACL Manager dialog box unless you explicitly close that display.

Options—Sets optional features for this rule, including logging parameters, time ranges, and description.

Logging—Enables or disables logging or specifies the use of the default logging settings. If logging is enabled, the Syslog Level and Log Interval fields become available.

Syslog Level—Selects the level of logging activity. The default is Informational.

Log Interval—Specifies the interval for permit and deny logging. The default is 300 seconds. The range is 1 through 6000 seconds.

Time Range—Selects the name of the time range to use with this rule. The default is (any). Click the Browse (...) button to open the Browse Time Range dialog box to select or add a time range.

Description—(Optional) Provides a brief description of this rule. A description line can be up to 100 characters long, but you can break a description into multiple lines.
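The following Python evaluator is an added illustration, not code from the ASDM guide or the security appliance, of how the rules defined in this dialog box are applied: the ACEs of an ACL are tried in their numbered order, the first match decides, a port condition uses one of the operators listed under Source Port/Destination Port or a service group of non-contiguous ports, an ACE with a Time Range matches only while that range is active, and a packet that matches nothing falls through to the implicit deny described under ACL Manager. The networks, ports, rule descriptions and the time-range name are constructed for the example; the guide's own implicit-rule description is reused as the result string.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union

# Port operators offered in the Source Port / Destination Port areas of the dialog box.
PORT_OPS = {
    "=":     lambda p, lo, hi: p == lo,
    "not =": lambda p, lo, hi: p != lo,
    ">":     lambda p, lo, hi: p > lo,
    "<":     lambda p, lo, hi: p < lo,
    "range": lambda p, lo, hi: lo <= p <= hi,
}


@dataclass
class PortMatch:
    """One operator and port (or, for range, two ports) as entered in the Destination Port area."""
    op: str
    lo: int
    hi: Optional[int] = None

    def matches(self, port):
        return PORT_OPS[self.op](port, self.lo, self.hi)


@dataclass
class ServiceGroup:
    """A TCP service group: several non-contiguous ports matched by a single ACE."""
    name: str
    ports: FrozenSet[int]

    def matches(self, port):
        return port in self.ports


@dataclass
class Ace:
    action: str                                             # "permit" or "deny"
    protocol: str                                           # "ip" matches any protocol
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    dst_port: Union[PortMatch, ServiceGroup, None] = None   # None: any port
    time_range: Optional[str] = None                        # None: (any)
    description: str = ""

    def matches(self, pkt, active_ranges):
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if pkt["src"] not in self.source or pkt["dst"] not in self.destination:
            return False
        if self.dst_port is not None:
            if pkt.get("dport") is None or not self.dst_port.matches(pkt["dport"]):
                return False
        if self.time_range is not None and self.time_range not in active_ranges:
            return False
        return True


def evaluate(acl, pkt, active_ranges=frozenset()):
    """Walk the ACEs in order; the first match decides. No match hits the implicit deny,
    which the ACL Manager lists unnumbered (a hyphen) with the description shown below."""
    for number, ace in enumerate(acl, start=1):
        if ace.matches(pkt, active_ranges):
            return ace.action, number, ace.description
    return "deny", "-", "Implicit outbound rule."


def packet(proto, src, dst, dport=None):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport}


# Constructed sample filter (RFC 5737 documentation prefixes; not from the guide).
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.1.0.0/16")
DMZ = ipaddress.ip_network("192.0.2.0/24")
WEB_FTP_CUSTOM = ServiceGroup("web-ftp-custom", frozenset({80, 21, 5, 8, 9}))

FILTER = [
    Ace("deny", "tcp", INSIDE, DMZ, PortMatch("=", 23), description="no telnet into the DMZ"),
    Ace("permit", "tcp", INSIDE, DMZ, WEB_FTP_CUSTOM, description="HTTP, FTP and ports 5, 8, 9"),
    Ace("permit", "tcp", INSIDE, DMZ, PortMatch("range", 8000, 8999),
        time_range="business-hours", description="test servers, office hours only"),
    Ace("permit", "icmp", INSIDE, ANY, description="ping anywhere"),
]

if __name__ == "__main__":
    for p in (packet("tcp", "10.1.2.3", "192.0.2.10", 23), packet("tcp", "10.1.2.3", "192.0.2.10", 80),
              packet("tcp", "10.1.2.3", "192.0.2.10", 8080), packet("tcp", "10.1.2.3", "192.0.2.10", 22)):
        print(p["dport"], evaluate(FILTER, p, {"business-hours"}), evaluate(FILTER, p))
```

Two behaviours are worth noting when reviewing a filter: the order set with Move Up/Move Down is what decides between a deny and a permit that both match, and a time-bound permit does not become a deny outside its range but simply stops matching, so the packet is judged by the later rules and, failing those, by the implicit deny.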

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Browse Source/Destination Address

The Browse Source or Destination Address dialog box lets you select an object to use as a source or destination for this rule.

Fields

Type—Determines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Source/Destination Object Table—Displays the objects from which you can select a source or destination object. If you select All in the type field, each category of object appears under its own heading. The table has the following headings:

Name—Displays the network name (which may be an IP address) for each object.

IP address—Displays the IP address of each object.

Netmask—Displays the network mask to use with each object.

Description—Displays the description entered in the Add/Edit/Paste Extended Access List Rule dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Browse Source/Destination Port

The Browse Source or Destination Port dialog box lets you select a source or destination port for this protocol in this rule.

Fields

Add—Opens the Add TCP Service Group dialog box, on which you can configure a new TCP service group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the source or destination for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined protocols and service groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add TCP Service Group

The Add TCP Service Group dialog box lets you configure a new TCP service group or port to add to the browsable source or destination port list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new TCP service group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either a service/service group or a port number to add to the Members in Group list.

Service/Service Group—Selects the option to select the name of a TCP service or service group to add to the Members in Group list.

Port #—Selects the option to specify a range of port numbers to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Browse ICMP

The Browse ICMP dialog box lets you select an ICMP group for this rule.

Fields

Add—Opens the Add ICMP Group dialog box, on which you can configure a new ICMP group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the ICMP group for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined ICMP groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add ICMP Group

The Add ICMP Group dialog box lets you configure a new ICMP group by name or by number to add to the browsable ICMP list for this protocol in this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new ICMP group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either an ICMP type/ICMP group or an ICMP number to add to the Members in Group list.

ICMP Type/ICMP Group—Selects the option to select the name of an ICMP group to add to the Members in Group list.

ICMP #—Selects the option to specify an ICMP member by number to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this ICMP group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Browse Other

The Browse Other dialog box lets you select a protocol group for this rule.

Fields

Add—Opens the Add Protocol Group dialog box, on which you can configure a new service group.

Find—Opens the Filter field.

Filter/Clear—Specifies a filter criterion that you can use to search for items in the Name list, thus displaying only those items that match that criterion. When you make an entry in the Filter field, the Filter button becomes active. Clicking the Filter button performs the search. After you perform the search, the Filter button is dimmed, and the Clear button becomes active. Clicking the Clear button clears the filter field and dims the Clear button.

Type—Determines the type of object to use as the protocol group for this rule. Selections are IP Address Objects, IP Names, Network Object Groups, and All. The contents of the table following this field change, depending upon your selection.

Name—Lists the predefined protocol groups for your selection.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add Protocol Group

The Add Protocol Group dialog box lets you configure a new protocol group by name or by number to add to the browsable protocol list for this rule. Selecting a member of either the Members not in Group or the Members in Group list activates the Add and Remove buttons.

Fields

Group Name—Specifies the name of the new protocol group.

Description—(Optional) Provides a brief description of this group.

Members not in Group—Presents the option to select either a protocol/protocol group or a protocol number to add to the Members in Group list.

Protocol/Protocol Group—Selects the option to select the name of a protocol or protocol group to add to the Members in Group list.

Protocol #—Selects the option to specify a protocol by number to add to the Members in Group list.

Add—Moves a selected item from the Members not in Group list to the Members in Group list.

Remove—Moves a selected item from the Members in Group list to the Members not in Group list.

Members in Group—Lists the members already configured in this protocol group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add/Edit Internal Group Policy > Servers

The Add or Edit Group Policy window, Servers item lets you specify DNS and WINS servers, as well as the DHCP scope and default domain.

Add/Edit Internal Group Policy > IPSec Client

The Add or Edit Group Policy > IPSec dialog box lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified.

Fields

Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs, unless the Inherit check box is selected. The user has 30 seconds to enter credentials, and up to three attempts before the SA expires at approximately two minutes and the tunnel terminates.

Enable extended reauth-on-rekey to allow entry of authentication credentials until SA expiry—Allows users time to reenter authentication credentials until the configured SA reaches its maximum lifetime.

IP Compression—Enables or disables IP Compression, unless the Inherit check box is selected.

Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit check box is selected. PFS ensures that the key for a given IPSec SA was not derived from any other secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If PFS were not enabled, someone could hypothetically break the IKE SA secret key, copy all the IPSec protected data, and then use knowledge of the IKE SA secret to compromise the IPSec SAs set up by this IKE SA. With PFS, breaking IKE would not give an attacker immediate access to IPSec. The attacker would have to break each IPSec SA individually.

Store Password on Client System—Enables or disables storing the password on the client system.


Note Storing the password on a client system can constitute a potential security risk.


IPSec over UDP—Enables or disables using IPSec over UDP.

IPSec over UDP Port—Specifies the UDP port to use for IPSec over UDP.

Tunnel Group Lock—Enables locking the tunnel group you select from the list, unless the Inherit check box or the value None is selected.

IPSec Backup Servers—Activates the Server Configuration and Server IP Addresses fields, so you can specify the IPSec backup servers to use if these values are not inherited.

Server Configuration—Lists the server configuration options to use as an IPSec backup server. The available options are: Keep Client Configuration (the default), Use the Backup Servers Below, and Clear Client Configuration.

Server Addresses (space delimited)—Specifies the IP addresses of the IPSec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.
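The scenario given for the Perfect Forward Secrecy field above, modelled in Python as an added illustration that is not Cisco code and is not the exact ISAKMP key derivation: an observer records the exchange, later obtains the IKE SA secret, and tries to reconstruct the IPSec SA keys. Without PFS the keys depend only on that secret and the public nonces; with PFS a fresh Diffie-Hellman secret that the observer never sees enters the derivation. The prime, generator, PRF choice and the `skeyid_d` naming are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for illustration; 2**127 - 1 is prime but far
# too small for real use, where the IKE policy's DH group supplies p and g).
P = 2**127 - 1
G = 5


def prf(key, *parts):
    """Keyed pseudo-random function standing in for the IKE PRF (HMAC-SHA256 here by assumption)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def ipsec_keys_no_pfs(skeyid_d, nonce_i, nonce_r):
    """Without PFS the IPSec SA keys come from the IKE SA secret and the public nonces only."""
    return prf(skeyid_d, nonce_i, nonce_r)


def ipsec_keys_pfs(skeyid_d, fresh_dh_secret, nonce_i, nonce_r):
    """With PFS a fresh DH shared secret, known only to the two peers, enters the derivation."""
    return prf(skeyid_d, fresh_dh_secret, nonce_i, nonce_r)


def compare_pfs():
    """Run one simulated Phase 2 both ways and report what an observer holding the IKE SA
    secret plus every value sent on the wire can reconstruct."""
    skeyid_d = secrets.token_bytes(32)                                  # IKE SA secret
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16) # sent in the clear
    priv_i, pub_i = dh_keypair()                                        # PFS exchange; publics are sent
    priv_r, pub_r = dh_keypair()
    secret_i, secret_r = dh_shared(priv_i, pub_r), dh_shared(priv_r, pub_i)

    peers_no_pfs = ipsec_keys_no_pfs(skeyid_d, nonce_i, nonce_r)
    peers_pfs = ipsec_keys_pfs(skeyid_d, secret_i, nonce_i, nonce_r)

    # The observer has skeyid_d, both nonces and both DH public values, but no private exponent.
    observer_no_pfs = ipsec_keys_no_pfs(skeyid_d, nonce_i, nonce_r)
    not_the_secret = (pub_i * pub_r % P).to_bytes(16, "big")   # g^(x+y) is computable; g^(xy) is not
    observer_pfs = ipsec_keys_pfs(skeyid_d, not_the_secret, nonce_i, nonce_r)

    return {
        "peers_agree": secret_i == secret_r,
        "observer_recovers_without_pfs": hmac.compare_digest(observer_no_pfs, peers_no_pfs),
        "observer_recovers_with_pfs": hmac.compare_digest(observer_pfs, peers_pfs),
    }


if __name__ == "__main__":
    for check, outcome in compare_pfs().items():
        print(f"{check}: {outcome}")
```

The result is the property the field description states: with PFS enabled, compromise of the IKE SA gives no IPSec SA key for free, and each IPSec SA would have to be attacked on its own, at the cost of one extra DH exchange per rekey.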

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Client Access Rules

The table on this dialog box lets you view up to 25 client access rules. If you deselect the Inherit check box, the Add, Edit, and Delete buttons become active and the following column headings appear in the table:

Priority—Shows the priority for this rule.

Action—Specifies whether this rule permits or denies access.

Client Type—Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset.

VPN Client Version—Specifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client.

Modes

The following table shows the modes in which this feature is available:

Add/Edit Client Access Rule

The Add or Edit Client Access Rule dialog box adds a new client access rule for an IPSec group policy or modifies an existing rule.

Fields

Priority—Shows the priority for this rule.

Action—Specifies whether this rule permits or denies access.

VPN Client Type—Specifies the type of VPN client to which this rule applies, software or hardware, and for software clients, all Windows clients or a subset. Some common values for VPN Client Type include VPN 3002, PIX, Linux, * (matches all client types), Win9x (matches Windows 95, Windows 98, and Windows ME), and WinNT (matches Windows NT, Windows 2000, and Windows XP). If you choose *, do not configure individual Windows types such as Windows NT.

VPN Client Version—Specifies the version or versions of the VPN client to which this rule applies. This box contains a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

You must specify the software version for this client. You can specify * to match any version.

Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the VPN 3002.

The TFTP server for distributing the hardware client image must be a robust TFTP server.

If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.

A VPN client user must download an appropriate software version from the listed URL.

The VPN 3002 hardware client software is automatically updated via TFTP.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add/Edit Internal Group Policy > Client Configuration Tab

The Add or Edit Group Policy window, Client Configuration tab contains three tabs that let you configure general client parameters, Cisco client parameters, and Microsoft client parameters.

For information about the individual tabs, see the following links:

Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab

Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab

Add or Edit Internal Group Policy > Advanced > IE Browser Proxy

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context)   Multiple (System)


Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab

This tab configures client attributes that are common across both Cisco and Microsoft clients, including the banner text, default domain, split tunnel parameters, and address pools.


Note The AnyConnect VPN Client and the SSL VPN Client do not support split DNS.


Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy. Deselecting the Inherit check box makes other options available for the parameter. This is the default option for all attributes on this tab.

Banner—Specifies whether to inherit the banner from the default group policy or enter new banner text. For more information, see View/Config Banner.

Edit Banner—Displays the View/Config Banner dialog box, in which you can enter banner text, up to 500 characters.

Default Domain—Specifies whether to inherit the default domain from the default group policy or use a new default domain specified in the field.

Split Tunnel DNS Names (space delimited)—Specifies whether to inherit the split-tunnel DNS names from the default group policy or specify a new name or list of names in the field.

Split Tunnel Policy—Specifies whether to inherit the split-tunnel policy from the default group policy or select a policy from the menu. The menu options are to tunnel all networks, tunnel those in the network list below, or exclude those in the network list below.

Split Tunnel Network List—Specifies whether to inherit the split-tunnel network list from the default group policy or select from the drop-down list.

Manage—Opens the ACL Manager dialog box, on which you can manage standard and extended access control lists.

Address Pools—Configures the address pools available through this group policy.

Available Pools—Specifies a list of address pools for allocating addresses to remote clients. Deselecting the Inherit check box with no address pools in the Assigned Pools list indicates that no address pools are configured and disables inheritance from other sources of group policy.

Add—Moves the name of an address pool from the Available Pools list to the Assigned Pools list.

Remove—Moves the name of an address pool from the Assigned Pools list to the Available Pools list.

Assigned Pools (up to 6 entries)—Lists the address pools you have added to the assigned pools list. The address-pool settings in this table override the local pool settings in the group. You can specify a list of up to six local address pools to use for local address allocation. The order in which you specify the pools is significant: the security appliance allocates addresses from these pools in the order in which they appear in this list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


View/Config Banner

The View/Config Banner dialog box lets you enter up to 500 characters of text into the text box, to be displayed as a banner for the specified client.


Note A carriage return/line feed, created by pressing Enter, counts as 2 characters.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab

This tab configures client attributes that are specific to Cisco clients, including password storage, enabling or disabling IPSec over UDP and setting the UDP port number, and configuring IPSec backup servers.

Fields

Store Password on Client System—Enables or disables storing the password on the client system.


Note Storing the password on a client system can constitute a potential security risk.


IPSec over UDP—Enables or disables using IPSec over UDP.

IPSec over UDP Port—Specifies the UDP port to use for IPSec over UDP.

IPSec Backup Servers—Activates the Server Configuration and Server Addresses fields, so you can specify the IPSec backup servers to use if these values are not inherited.

Server Configuration—Lists the server configuration options to use as an IPSec backup server. The available options are: Keep Client Configuration (the default), Use the Backup Servers Below, and Clear Client Configuration.

Server Addresses (space delimited)—Specifies the IP addresses of the IPSec backup servers. This field is available only when the value of the Server Configuration selection is Use the Backup Servers Below.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


Add or Edit Internal Group Policy > Advanced > IE Browser Proxy

This dialog box configures attributes for Microsoft Internet Explorer.

Fields

Proxy Server Policy—Configures the Microsoft Internet Explorer browser proxy actions ("methods") for a client PC.

Do not modify client proxy settings—Leaves the HTTP browser proxy server setting in Internet Explorer unchanged for this client PC.

Do not use proxy—Disables the HTTP proxy setting in Internet Explorer for the client PC.

Select proxy server settings from the following—Enables the following check boxes for your selections: Auto detect proxy, Use proxy server settings given below, and Use proxy auto configuration (PAC) given below.

Auto detect proxy—Enables the use of automatic proxy server detection in Internet Explorer for the client PC.

Use proxy server settings specified below—Sets the HTTP proxy server setting in Internet Explorer to use the value configured in the Proxy Server Name or IP Address field.

Use proxy auto configuration (PAC) given below—Specifies the use of the file specified in the Proxy Auto Configuration (PAC) field as the source for auto configuration attributes.

Proxy Server Settings—Configures the proxy server parameters for Microsoft clients using Microsoft Internet Explorer.

Server Address and Port—Specifies the IP address or name and the port of the proxy server that Microsoft Internet Explorer uses on this client PC.

Bypass Proxy Server for Local Addresses—Configures the Microsoft Internet Explorer browser proxy local-bypass setting for a client PC. Select Yes to enable local bypass or No to disable it.

Exception List—Lists the server names and IP addresses that you want to exclude from proxy server access. Enter the list of addresses that you do not want to have accessed through a proxy server. This list corresponds to the Exceptions box in the Proxy Settings dialog box in Internet Explorer.

PAC URL—Specifies the URL of the auto-configuration file. This file tells the browser where to look for proxy information. To use the proxy auto-configuration (PAC) feature, the remote user must use the Cisco AnyConnect VPN Client.

Many network environments define HTTP proxies that connect a web browser to a particular network resource. The HTTP traffic can reach the network resource only if the proxy is specified in the browser and the client routes the HTTP traffic to the proxy. SSL VPN tunnels complicate the definition of HTTP proxies because the proxy required when tunneled to an enterprise network can differ from the one required when connected to the Internet via a broadband connection or when on a third-party network.

In addition, companies with large networks might need to configure more than one proxy server and let users choose between them, based on transient conditions. By using .pac files, an administrator can author a single script file that determines which of numerous proxies to use for all client computers throughout the enterprise.

The following are some examples of how you might use a PAC file:

Choosing a proxy at random from a list for load balancing.

Rotating proxies by time of day or day of the week to accommodate a server maintenance schedule.

Specifying a backup proxy server to use in case the primary proxy fails.

Specifying the nearest proxy for roaming users, based on the local subnet.

You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .pac file is a JavaScript file that contains logic that specifies one or more proxy servers to be used, depending on the contents of the URL. Use the PAC URL field to specify the URL from which to retrieve the .pac file. Then the browser uses the .pac file to determine the proxy settings. For details about .pac files, see the following Microsoft Knowledge Base article: http://www.microsoft.com/mind/0599/faq/faq0599.asp.
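The following .pac script is an added example (not taken from the ASDM guide) that combines the uses listed above: a local bypass for intranet names, the nearest proxy chosen from the client's subnet with a backup proxy, and a different proxy when the client holds a VPN pool address. The proxy names, subnets and the VPN pool range are constructed; browsers normally supply isInNet, dnsDomainIs, isPlainHostName and myIpAddress, so minimal stand-ins are defined here so the script can be run outside a browser.

```javascript
// Constructed stand-ins for the helper functions a browser provides to PAC scripts.

// True if host ends with the given domain suffix (case-insensitive).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

// True for unqualified names such as "intranet".
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Dotted-quad address compared against network/mask numerically.
function isInNet(ip, net, mask) {
  const toInt = (s) => s.split(".").reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Stand-in for myIpAddress(); the client address is settable for testing.
let clientAddress = "10.20.5.17";
function myIpAddress() { return clientAddress; }
function setClientAddress(addr) { clientAddress = addr; }

// The entry point the browser calls for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  // Local bypass: plain hostnames and the intranet domain are reached directly,
  // the equivalent of the Exception List in the dialog box above.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  const me = myIpAddress();

  // Nearest proxy by office subnet; the central proxy is the backup if it fails.
  if (isInNet(me, "10.20.0.0", "255.255.0.0")) {
    return "PROXY proxy-east.corp.example:8080; PROXY proxy-central.corp.example:8080";
  }
  if (isInNet(me, "10.30.0.0", "255.255.0.0")) {
    return "PROXY proxy-west.corp.example:8080; PROXY proxy-central.corp.example:8080";
  }

  // Address from the (assumed) VPN client address pool: the client is tunneled
  // to the enterprise, so use the central proxy with the east proxy as backup.
  if (isInNet(me, "10.100.0.0", "255.255.0.0")) {
    return "PROXY proxy-central.corp.example:8080; PROXY proxy-east.corp.example:8080";
  }

  // Anywhere else (broadband at home, a third-party network): no enterprise proxy.
  return "DIRECT";
}
```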

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


Add/Edit Standard Access List Rule

The Add/Edit Standard Access List Rule dialog box lets you create a new rule, or modify an existing rule.

Fields

Action—Determines the action type of the new rule. Select either permit or deny.

Permit—Permits all matching traffic.

Deny—Denies all matching traffic.

Host/Network IP Address—Identifies the networks by IP address.

IP address—The IP address of the host or network.

Mask—The subnet mask of the host or network.

Description—(Optional) Enter a description of the access rule.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


Add/Edit Internal Group Policy > Client Firewall Tab

The Add or Edit Group Policy window, Client Firewall tab, lets you configure firewall settings for VPN clients for the group policy being added or modified.


Note Only VPN clients running Microsoft Windows can use these firewall features. They are currently not available to hardware clients or other (non-Windows) software clients.


A firewall isolates and protects a computer from the Internet by inspecting each inbound and outbound individual packet of data to determine whether to allow or drop it. Firewalls provide extra security if remote users in a group have split tunneling configured. In this case, the firewall protects the user's PC, and thereby the corporate network, from intrusions by way of the Internet or the user's local LAN. Remote users connecting to the security appliance with the VPN client can choose the appropriate firewall option.

In the first scenario, a remote user has a personal firewall installed on the PC. The VPN client enforces firewall policy defined on the local firewall, and it monitors that firewall to make sure it is running. If the firewall stops running, the VPN client drops the connection to the security appliance. (This firewall enforcement mechanism is called Are You There (AYT), because the VPN client monitors the firewall by sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is down and terminates its connection to the security appliance.) The network administrator might configure these PC firewalls originally, but with this approach, each user can customize his or her own configuration.

In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the Internet while tunnels are established. This firewall scenario is called push policy or Central Protection Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to the local firewall, which enforces it.

Fields

Inherit—Determines whether the group policy obtains its client firewall setting from the default group policy. This option is the default setting. When set, it overrides the remaining attributes in this tab and dims their names.

Client Firewall Attributes—Specifies the client firewall attributes, including what type of firewall (if any) is implemented and the firewall policy for that firewall.

Firewall Setting—Lists whether a firewall exists, and if so, whether it is required or optional. If you select No Firewall (the default), none of the remaining fields on this window are active. If you want users in this group to be firewall-protected, select either the Firewall Required or Firewall Optional setting.

If you select Firewall Required, all users in this group must use the designated firewall. The security appliance drops any session that attempts to connect without the designated, supported firewall installed and running. In this case, the security appliance notifies the VPN client that its firewall configuration does not match.


Note If you require a firewall for a group, make sure the group does not include any clients other than Windows VPN clients. Any other clients in the group (including ASA 5505 in client mode and VPN 3002 hardware clients) are unable to connect.


If you have remote users in this group who do not yet have firewall capacity, choose Firewall Optional. The Firewall Optional setting allows all the users in the group to connect. Those who have a firewall can use it; users that connect without a firewall receive a warning message. This setting is useful if you are creating a group in which some users have firewall support and others do not—for example, you may have a group that is in gradual transition, in which some members have set up firewall capacity and others have not yet done so.

Firewall Type—Lists firewalls from several vendors, including Cisco. If you select Custom Firewall, the fields under Custom Firewall become active. The firewall you designate must correlate with the firewall policies available. The specific firewall you configure determines which firewall policy options are supported.

Custom Firewall—Specifies the vendor ID, Product ID and description for the custom firewall.

Vendor ID—Specifies the vendor of the custom firewall for this group policy.

Product ID—Specifies the product or model name of the custom firewall being configured for this group policy.

Description—(Optional) Describes the custom firewall.

Firewall Policy—Specifies the type and source for the custom firewall policy.

Policy defined by remote firewall (AYT)—Specifies that the firewall policy is defined by the remote firewall (Are You There). Policy defined by remote firewall (AYT) means that remote users in this group have firewalls located on their PCs. The local firewall enforces the firewall policy on the VPN client. The security appliance allows VPN clients in this group to connect only if they have the designated firewall installed and running. If the designated firewall is not running, the connection fails. Once the connection is established, the VPN client polls the firewall every 30 seconds to make sure that it is still running. If the firewall stops running, the VPN client ends the session.

Policy pushed (CPP)—Specifies that the policy is pushed from the peer. If you select this option, the Inbound Traffic Policy and Outbound Traffic Policy lists and the Manage button become active. The security appliance enforces on the VPN clients in this group the traffic management rules defined by the filter you choose from the Policy Pushed (CPP) drop-down menu. The choices available on the menu are filters defined on this security appliance, including the default filters. Keep in mind that the security appliance pushes these rules down to the VPN client, so you should create and define these rules relative to the VPN client, not the security appliance. For example, "in" and "out" refer to traffic coming into the VPN client or going outbound from the VPN client. If the VPN client also has a local firewall, the policy pushed from the security appliance works with the policy of the local firewall. Any packet that is blocked by the rules of either firewall is dropped.

Inbound Traffic Policy—Lists the available push policies for inbound traffic.

Outbound Traffic Policy—Lists the available push policies for outbound traffic.

Manage—Displays the ACL Manager window, on which you can configure Access Control Lists (ACLs).

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


Add/Edit Internal Group Policy > Hardware Client Tab

The Add or Edit Group Policy > Hardware Client dialog box lets you configure settings for the VPN 3002 hardware client for the group policy being added or modified. The Hardware Client tab parameters do not pertain to the ASA 5505 in client mode.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this tab.

Require Interactive Client Authentication—Enables or disables the requirement for interactive client authentication. This parameter is disabled by default. Interactive hardware client authentication provides additional security by requiring the VPN 3002 to authenticate with a username and password that you enter manually each time the VPN 3002 initiates a tunnel. With this feature enabled, the VPN 3002 does not have a saved username and password. When you enter the username and password, the VPN 3002 sends these credentials to the security appliance to which it connects. The security appliance facilitates authentication, on either the internal or an external authentication server. If the username and password are valid, the tunnel is established.

When you enable interactive hardware client authentication for a group, the security appliance pushes that policy to the VPN 3002s in the group. If you have previously set a username and password on the VPN 3002, the software deletes them from the configuration file. When you try to connect, the software prompts you for a username and password.

If, on the security appliance, you subsequently disable interactive hardware authentication for the group, it is enabled locally on the VPN 3002s, and the software continues to prompt for a username and password. This lets the VPN 3002 connect, even though it lacks a saved username and password, and the security appliance has disabled interactive hardware client authentication. If you subsequently configure a username and password, the feature is disabled, and the prompt no longer appears. The VPN 3002 connects to the security appliance using the saved username and password.

Require Individual User Authentication—Enables or disables the requirement for individual user authentication for users behind ASA 5505 in client mode or the VPN 3002 hardware client in the group. To display a banner to hardware clients in a group, individual user authentication must be enabled. This parameter is disabled by default.

Individual user authentication protects the central site from access by unauthorized persons on the private network of the hardware client. When you enable individual user authentication, each user that connects through a hardware client must open a web browser and manually enter a valid username and password to access the network behind the security appliance, even though the tunnel already exists.


Note You cannot use the command-line interface to log in if user authentication is enabled. You must use a browser.


If you have a default home page on the remote network behind the security appliance, or if you direct the browser to a website on the remote network behind the security appliance, the hardware client directs the browser to the proper pages for user login. When you successfully log in, the browser displays the page you originally entered.

If you try to access resources on the network behind the security appliance that are not web-based, for example, e-mail, the connection fails until you authenticate using a browser.

To authenticate, you must enter the IP address for the private interface of the hardware client in the browser Location or Address field. The browser then displays the login screen for the hardware client. To authenticate, click the Connect/Login Status button.

One user can log in for a maximum of four sessions simultaneously. Individual users authenticate according to the order of authentication servers configured for a group.

User Authentication Idle Timeout—Configures a user timeout period. The security appliance terminates the connection if it does not receive user traffic during this period. You can specify that the timeout period is a specific number of minutes or unlimited.

Unlimited—Specifies that the connection never times out. This option prevents inheriting a value from a default or specified group policy.

Minutes—Specifies the timeout period in minutes. Use an integer between 1 and 35791394. The default value is Unlimited.

Note that the idle timeout indicated in response to the show uauth command is always the idle timeout value of the user who authenticated the tunnel on the Cisco Easy VPN remote device.

Cisco IP Phone Bypass—Lets Cisco IP phones bypass the interactive individual user authentication processes. If enabled, interactive hardware client authentication remains in effect. Cisco IP Phone Bypass is disabled by default.


Note You must configure the ASA 5505 in client mode or the VPN 3002 hardware client to use network extension mode for IP phone connections.


LEAP Bypass—Lets LEAP packets from Cisco wireless devices bypass the individual user authentication processes (if enabled). LEAP Bypass lets LEAP packets from devices behind a hardware client travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled). LEAP Bypass is disabled by default.


Note This feature does not work as intended if you enable interactive hardware client authentication.


IEEE 802.1X is a standard for authentication on wired and wireless networks. It provides wireless LANs with strong mutual authentication between clients and authentication servers, which can provide dynamic per-user, per-session Wired Equivalent Privacy (WEP) keys, removing the administrative burdens and security issues that are present with static WEP keys.

Cisco Systems has developed an 802.1X wireless authentication type called Cisco LEAP. LEAP implements mutual authentication between a wireless client on one side of a connection and a RADIUS server on the other side. The credentials used for authentication, including a password, are always encrypted before they are transmitted over the wireless medium.


Note Cisco LEAP authenticates wireless clients to RADIUS servers. It does not include RADIUS accounting services.


LEAP users behind a hardware client have a circular dilemma: they cannot negotiate LEAP authentication because they cannot send their credentials to the RADIUS server behind the central site device over the tunnel. The reason they cannot send their credentials over the tunnel is that they have not authenticated on the wireless network. To solve this problem, LEAP Bypass lets LEAP packets, and only LEAP packets, traverse the tunnel to authenticate the wireless connection to a RADIUS server before individual users authenticate. Then the users proceed with individual user authentication.

LEAP Bypass works as intended under the following conditions:

The interactive unit authentication feature (intended for wired devices) must be disabled. If interactive unit authentication is enabled, a non-LEAP (wired) device must authenticate the hardware client before LEAP devices can connect using that tunnel.

Individual user authentication is enabled (if it is not, you do not need LEAP Bypass).

Access points in the wireless environment must be Cisco Aironet Access Points. The wireless NIC cards for PCs can be other brands.

The Cisco Aironet Access Point must be running Cisco Discovery Protocol (CDP).

The ASA 5505 or VPN 3002 can operate in either client mode or network extension mode.

LEAP packets travel over the tunnel to a RADIUS server via ports 1645 or 1812.


Note Allowing any unauthenticated traffic to traverse the tunnel might pose a security risk.


Allow Network Extension Mode—Restricts the use of network extension mode on the hardware client. Select the option to let hardware clients use network extension mode. Network extension mode is required for the hardware client to support IP phone connections, because the Call Manager can communicate only with actual IP addresses.


Note If you disable network extension mode (the default setting), the hardware client can connect to this security appliance in PAT mode only. If you disallow network extension mode here, be careful to configure all hardware clients in the group for PAT mode. If a hardware client is configured to use network extension mode and the security appliance to which it connects disables network extension mode, the hardware client attempts to connect every 4 seconds, and every attempt is rejected. In this situation, the hardware client puts an unnecessary processing load on the security appliance to which it connects; large numbers of hardware clients that are misconfigured in this way reduce the ability of the security appliance to provide service.


Modes

The following table shows the modes in which this feature is available:

Add/Edit Server and URL List

The Add or Edit Server and URL List dialog box lets you add, edit, delete, and order the items in the designated URL list.

Fields

List Name—Specifies the name of the list to be added or selects the name of the list to be modified or deleted.

URL Display Name—Specifies the URL name displayed to the user.

URL—Specifies the actual URL associated with the display name.

Add—Opens the Add Server or URL dialog box, on which you can configure a new server or URL and display name.

Edit—Opens the Edit Server or URL dialog box, on which you can modify the selected server or URL and its display name.

Delete—Removes the selected item from the server and URL list. There is no confirmation or undo.

Move Up/Move Down—Changes the position of the selected item in the server and URL list.

Add/Edit Server or URL

The Add or Edit Server or URL dialog box lets you add a new item to, or edit an existing item in, the designated URL list.

Fields

URL Display Name—Specifies the URL name displayed to the user.

URL—Specifies the actual URL associated with the display name.

Configuring SSL VPN Connections

Use this window and its child windows to specify SSL VPN connection attributes for client-based connections. These attributes apply to the Cisco AnyConnect VPN Client and to the legacy SSL VPN Client.

On the main window, you can enable client access on the interfaces you select and you can select, add, edit, and delete connections (tunnel groups). You can also specify whether you want to allow a user to select a particular connection at login.

Fields

Access Interfaces—Specify SSL VPN client access for each interface listed in the table:

Enable Cisco AnyConnect VPN Client or legacy SSL VPN Client access on the interfaces in the table below—Enables access on the interfaces that have "Allow Access" checked.

Interface—The interface to enable SSL VPN Client connections.

Allow Access—Check to allow access.

Require Client Certificate—Check to require a valid certificate from the client before allowing connection.

Enable DTLS—Check to enable Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

Access Port—Specify the port for SSL VPN Client connections.

DTLS Port—Specify the port for DTLS connections.

Connection Profiles—Configure protocol-specific attributes for connections (tunnel groups).

Add/Edit—Click to Add or Edit a Connection Profile (tunnel group).

Name—The name of the Connection Profile.

Aliases—Other names by which the Connection Profile is known.

SSL VPN Client Protocol—Specifies whether SSL VPN clients have access.

Group Policy—Shows the default group policy for this Connection Profile.

Allow user to select connection, identified by alias in the table above, at login page—Check to enable the display of Connection Profile (tunnel group) aliases on the Login page.

Setting the Basic Attributes for an SSL VPN Connection

To set the basic attributes for an SSL VPN connection, choose Configuration > Remote Access VPN > Network (Client) Access > SSL VPN Connections > Add or Edit > Basic. The Add SSL VPN Connection (Basic) window opens.

Fields

Set the attributes in the Add SSL VPN Connection (Basic) window as follows:

Aliases—(Optional) Enter one or more alternative names for the connection. You can use spaces or punctuation to separate the names.

Authentication—Choose one of the following methods to use to authenticate the connection: AAA, Certificate, or Both.

AAA Server Group—Choose a AAA server group from the drop-down list. The default setting is LOCAL, which specifies that the security appliance handles the authentication. Before making a selection, you can click Manage to open a dialog box over this window to view or make changes to the security appliance configuration of AAA server groups.

Selecting something other than LOCAL makes available the Use LOCAL if Server Group Fails check box.

Use LOCAL if Server Group fails—Check to enable, or uncheck to disable, fallback to the LOCAL database if the group specified by the Authentication Server Group attribute fails.

DHCP Servers—Enter the name or IP address of a DHCP server to use.

Client Address Pools—Enter the pool name of an available, configured pool of IP addresses to use for client address assignment. Before making a selection, you can click Select to open a dialog box over this window to view or make changes to the address pools.

Group Policy—Select the VPN group policy that you want to assign as the default group policy for this connection. A VPN group policy is a collection of user-oriented attribute-value pairs that can be stored internally on the device or externally on a RADIUS server. The default value is DfltGrpPolicy. You can click Manage to open a dialog box over this one to make changes to the group policy configuration.

SSL VPN Client Protocol—Check Enabled to enable SSL VPN, or uncheck it to disable it.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System


Setting Advanced Attributes for an IPSec or SSL VPN Connection

Use the advanced attributes to fine-tune the parameters of the IPSec or SSL VPN connection.

Setting General Attributes for an IPSec or SSL VPN Connection

Choose Advanced > General in the Add IPsec Remote Access Connection or Add SSL VPN Connection window to specify whether to strip the realm and group from the username before passing them to the AAA server, and to set the password management parameters.

Fields

Set the attributes in the Add IPsec Remote Access Connection or Add SSL VPN Connection (General) window as follows:

Strip the realm from username before passing it on to the AAA server—Enables or disables stripping the realm (administrative domain) from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked Enable Group Lookup. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
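As an added illustration (not from the ASDM guide, and not the appliance's own code), the following JavaScript models how a username such as JaneDoe@it.cisco.com#VPNGroup is split into user, realm and group under the Strip Realm, Strip Group and Group Lookup settings described above. The function name, the option names and the way unstripped parts are re-attached for the AAA server are assumptions made for this example.

```javascript
// Constructed model of the username handling described in this section.
const REALM_DELIMITER = "@";               // the only valid realm delimiter
const GROUP_DELIMITERS = ["@", "#", "!"];  // valid group delimiters

// Returns { user, realm, group, aaaUsername } for the given raw login name.
// opts (all assumed names): groupLookup, groupDelimiter, stripRealm, stripGroup.
function splitUsername(raw, opts) {
  const {
    groupLookup = false,
    groupDelimiter = "@",    // default delimiter when Group Lookup is enabled
    stripRealm = false,
    stripGroup = false,
  } = opts || {};

  if (!GROUP_DELIMITERS.includes(groupDelimiter)) {
    throw new Error("invalid group delimiter: " + groupDelimiter);
  }

  let user = raw;
  let group = null;
  let realm = null;

  // Group Lookup: everything left of the delimiter is the username,
  // everything right of it is the group name.
  if (groupLookup) {
    const i = user.indexOf(groupDelimiter);
    if (i !== -1) {
      group = user.slice(i + 1);
      user = user.slice(0, i);
    }
  }

  // Realm: username@realm. When "@" is also the Group Lookup delimiter the
  // appliance cannot tell realm from group, so "@" is treated as a realm
  // delimiter only when it is not in use for Group Lookup.
  if (!(groupLookup && groupDelimiter === REALM_DELIMITER)) {
    const j = user.indexOf(REALM_DELIMITER);
    if (j !== -1) {
      realm = user.slice(j + 1);
      user = user.slice(0, j);
    }
  }

  // Name passed to the AAA server: parts that are not stripped stay attached,
  // in the documented order username[@realm][<delimiter>group].
  let aaaUsername = user;
  if (realm !== null && !stripRealm) aaaUsername += REALM_DELIMITER + realm;
  if (group !== null && !stripGroup) aaaUsername += groupDelimiter + group;

  return { user, realm, group, aaaUsername };
}
```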

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

The security appliance supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option only for LDAP. This parameter is valid for AAA servers that support such notification. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

You can configure password management for IPSec remote access and SSL VPN tunnel-groups.


Note Some RADIUS servers that support MSCHAP currently do not support MSCHAPv2. This feature requires MSCHAPv2, so please check with your vendor.


The security appliance, releases 7.1 and later, generally supports password management for the following connection types when authenticating with LDAP or with any RADIUS configuration that supports MS-CHAPv2:

AnyConnect VPN Client

IPSec VPN Client

Clientless SSL VPN

Password management is not supported for any of these connection types for Kerberos/Active Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server.


Note For LDAP, the method to change a password is proprietary for the different LDAP servers on the market. Currently, the security appliance implements the proprietary password management logic only for Microsoft Active Directory and Sun LDAP servers.


Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do password management for LDAP. By default, LDAP over SSL uses port 636.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk.


Enable notification upon password expiration to allow user to change password—Checking this attribute makes the following two parameters available. You can select either to notify the user at login a specific number of days before the password expires or to notify the user only on the day that the password expires. The default is to notify the user 14 days prior to password expiration and every day thereafter until the user changes the password. The range is 1 through 180 days.

In either case, if the password expires without being changed, the security appliance offers the user the opportunity to change the password. If the current password has not expired, the user can still log in using that password.


Note This does not change the number of days before the password expires, but rather, it enables the notification. If you select this option, you must also specify the number of days.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Configuring SSL VPN Client Connections

The Cisco AnyConnect VPN Client provides secure SSL connections to the security appliance for remote users. The client gives remote users the benefits of an SSL VPN client without the need for network administrators to install and configure clients on remote computers.

Without a previously installed client, remote users enter in their browser the IP address of an interface configured to accept SSL VPN connections. Unless the security appliance is configured to redirect http:// requests to https://, users must enter the URL in the form https://<address>.

After entering the URL, the browser connects to that interface and displays the login screen. If the user satisfies the login and authentication, and the security appliance identifies the user as requiring the client, it downloads the client that matches the operating system of the remote computer. After downloading, the client installs and configures itself, establishes a secure SSL connection and either remains or uninstalls itself (depending on the security appliance configuration) when the connection terminates.

In the case of a previously installed client, when the user authenticates, the security appliance examines the revision of the client, and upgrades the client as necessary.

When the client negotiates an SSL VPN connection with the security appliance, it connects using Transport Layer Security (TLS), and optionally, Datagram Transport Layer Security (DTLS). DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

The AnyConnect client can be downloaded from the security appliance, or it can be installed manually on the remote PC by the system administrator. For more information about installing the client manually, see the Cisco AnyConnect VPN Client Release Notes.

The security appliance downloads the client based on the group policy or username attributes of the user establishing the connection. You can configure the security appliance to automatically download the client, or you can configure it to prompt the remote user about whether to download the client. In the latter case, if the user does not respond, you can configure the security appliance to either download the client after a timeout period or present the login page.

Fields

Inherit—(Multiple instances) Indicates that the corresponding setting takes its value from the default group policy, rather than from the explicit specifications that follow. This is the default setting for all attributes in this pane.

Keep Installer on Client System—Enable to allow permanent client installation on the remote computer. Enabling disables the automatic uninstalling feature of the client. The client remains installed on the remote computer for subsequent connections, reducing the connection time for the remote user.

Compression—Compression increases the communications performance between the security appliance and the client by reducing the size of the packets being transferred.

Datagram Transport Layer Security (DTLS)—DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

Keepalive Messages—Enter a number, from 15 to 600 seconds, in the Interval field to enable and adjust the interval of keepalive messages to ensure that a connection through a proxy, firewall, or NAT device remains open, even if the device limits the time that the connection can be idle. Adjusting the interval also ensures that the client does not disconnect and reconnect when the remote user is not actively running a socket-based application, such as Microsoft Outlook or Microsoft Internet Explorer.

MTU—Adjusts the MTU size for SSL connections. Enter a value in bytes, from 256 to 1410 bytes. By default, the MTU size is adjusted automatically based on the MTU of the interface that the connection uses, minus the IP/UDP/DTLS overhead.

Client Profile to Download—A profile is a group of configuration parameters that the AnyConnect client uses to configure the connection entries that appear in the user interface, including the names and addresses of host computers.

Optional Client Module to Download—To minimize download time, the AnyConnect client only requests downloads (from the security appliance) of modules that it needs for each feature that it supports. You must specify the names of modules that enable other features, such as sbl to enable the feature Start Before Logon (SBL).

For a list of values to enter for each client feature, see the release notes for the Cisco AnyConnect VPN Client.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Login Setting

In this window, you can enable the security appliance to prompt remote users to download the AnyConnect client. Figure 35-1 shows the prompt displayed:

Figure 35-1 Prompt Displayed to Remote Users for SSL VPN Client Download

Fields

Inherit—Check to inherit the value from the default group policy.

Post Login Setting—Choose to prompt the user and set the timeout to perform the default post login selection.

Default Post Login Selection—Choose an action to perform after login.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Key Regeneration

Rekey negotiation occurs when the security appliance and the client perform a rekey, that is, renegotiate the crypto keys and initialization vectors of the session, which increases the security of the connection.

Fields

Renegotiation Interval—Clear the Unlimited check box to specify the number of minutes from the start of the session until the rekey takes place, from 1 to 10080 (1 week).

Renegotiation Method—Check the None check box to disable rekey, check the SSL check box to specify SSL renegotiation during a rekey, or check the New Tunnel check box to establish a new tunnel during rekey.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Dead Peer Detection

Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect a condition where the peer is not responding, and the connection has failed.

Fields

Gateway Side Detection—Uncheck the Disable check box to specify that DPD is performed by the security appliance (gateway). Enter the interval, from 30 to 3600 seconds, with which the security appliance performs DPD.

Client Side Detection—Uncheck the Disable check box to specify that DPD is performed by the client. Enter the interval, from 30 to 3600 seconds, with which the client performs DPD.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Customization

Fields

Portal Customization—Selects the customization to apply to the AnyConnect Client/SSL VPN portal page. The default is DfltCustomization.

Manage—Opens the Configure GUI Customization objects dialog box, on which you can specify that you want to add, edit, delete, import, or export a customization object.

Access Deny Message—Specifies a message to display to the end user when the connection is denied. Select Inherit to accept the message in the default group policy. The default message, if you deselect Inherit, is: "Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information."

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


ACLs

This window lets you configure ACLs for Clientless SSL VPN.

Fields

View (Unlabeled)—Indicates whether the selected entry is expanded (minus sign) or contracted (plus sign).

# column—Specifies the ACE ID number.

Enable—Indicates whether this ACL is enabled or disabled. You can enable or disable the ACL using this check box.

Action—Specifies whether this ACL permits or denies access.

Type—Specifies whether this ACL applies to a URL or a TCP address/port.

Filter—Specifies the type of filter being applied.

Syslog Level (Interval)—Specifies the syslog parameters for this ACL.

Time Range—Specifies the name of the time range, if any, for this ACL. The time range can be a single interval or a series of periodic ranges.

Description—Specifies the description, if any, of the ACL.

Add ACL—Displays the Add Web Type ACL dialog box, in which you can specify an ACL ID.

Add ACE—Displays the Add Web Type ACE dialog box, in which you specify parameters for the named ACL. This button is active only if there are one or more entries in the Web Type ACL table.

Edit ACE/Delete—Click to edit or delete the highlighted ACL or ACE. When you delete an ACL, you also delete all of its ACEs. There is no warning or undo.

Move Up/Move Down—Highlight an ACL or ACE and click these buttons to change the order of ACLs and ACEs. The security appliance checks ACLs and their ACEs in priority order according to their position in the ACLs list box until it finds a match.
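The ordering rule above (the appliance walks the ACL from top to bottom and the first enabled ACE that matches decides) is easy to get wrong when a specific deny sits below a broad permit. The following added example, which is not ASDM or ASA code, models a web-type ACL with URL and TCP entries and shows how Move Up/Move Down changes the outcome. The filter syntax (a URL glob, or network/prefix:port for TCP) and the choice to deny when nothing matches are assumptions made for the example.

```python
"""First-match evaluation of an ordered web-type ACL (added example, not ASA code)."""
from dataclasses import dataclass
from fnmatch import fnmatch
import ipaddress
from typing import List, Optional, Tuple


@dataclass
class WebAce:
    ace_id: int
    enabled: bool    # the Enable check box
    action: str      # "permit" or "deny"
    ace_type: str    # "url" or "tcp"
    filter: str      # url: glob pattern; tcp: "network/prefix:port" (port may be "any")


def _matches(ace: WebAce, kind: str, target: str) -> bool:
    """Return True if the request (kind, target) falls under this ACE's filter."""
    if kind != ace.ace_type:
        return False
    if kind == "url":
        return fnmatch(target.lower(), ace.filter.lower())
    # tcp: target is "host:port", filter is "network/prefix:port"
    net, _, want_port = ace.filter.rpartition(":")
    host, _, port = target.rpartition(":")
    in_net = ipaddress.ip_address(host) in ipaddress.ip_network(net, strict=False)
    return in_net and want_port in ("any", port)


def evaluate(acl: List[WebAce], kind: str, target: str,
             default_action: str = "deny") -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom; the first enabled matching ACE decides."""
    for ace in acl:
        if not ace.enabled:
            continue
        if _matches(ace, kind, target):
            return ace.action, ace.ace_id
    return default_action, None   # assumption: no match means deny


def moved_down(acl: List[WebAce], ace_id: int) -> List[WebAce]:
    """Return a copy of the ACL with the given ACE swapped one position down."""
    acl = list(acl)
    i = next(i for i, a in enumerate(acl) if a.ace_id == ace_id)
    if i + 1 < len(acl):
        acl[i], acl[i + 1] = acl[i + 1], acl[i]
    return acl


# Constructed sample ACL: the specific deny must stay above the broad permit.
SAMPLE_ACL = [
    WebAce(1, True, "deny",   "url", "https://intranet.example.com/admin/*"),
    WebAce(2, True, "permit", "url", "https://intranet.example.com/*"),
    WebAce(3, True, "permit", "tcp", "10.1.1.0/24:443"),
]

if __name__ == "__main__":
    admin_url = "https://intranet.example.com/admin/users"
    print("as listed:", evaluate(SAMPLE_ACL, "url", admin_url))
    print("deny moved down:", evaluate(moved_down(SAMPLE_ACL, 1), "url", admin_url))
```

Running the script shows the admin URL denied by ACE 1 in the listed order and permitted by ACE 2 once the deny is moved below the broad permit; the same check is worth repeating after every reorder in the ACL Manager.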

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Configuring Clientless SSL VPN Connections

Use the Clientless SSL VPN Access Connections window to configure clientless SSL VPN access parameters. This window also records the configuration choices you make in its child dialog boxes.

Fields

Access Interfaces—Lets you select from a table the interfaces on which to enable access. The fields in this table include the interface name and check boxes that let you allow access and require a certificate for authentication.

Access Port—Specifies the access port for the connection. The default value is 443.

Connections—Provides a connection table that shows the records that determine the connection policy for this connection (tunnel group). Each record identifies a default group policy for the connection and contains protocol-specific connection parameters.

Add—Opens the Add Clientless SSL VPN dialog box for the selected connection.

Edit—Opens the Edit Clientless SSL VPN dialog box for the selected connection.

Delete—Removes the selected connection from the table. There is no confirmation or undo.

Allow user to select connection, identified by alias in the table above, at login page—Specifies that the user login page presents the user with a drop-down menu from which the user can select a particular tunnel group with which to connect.

Add or Edit Clientless SSL VPN Connections

The Add or Edit SSL VPN dialog box consists of Basic and Advanced sections, accessible through the expandable menu on the left of the box.

Add or Edit Clientless SSL VPN Connections > Basic

The Basic dialog box lets you configure essential characteristics for this connection.

Fields

Name—Specifies the name of the connection. For the edit function, this field is read-only.

Aliases—(Optional) Specifies one or more alternate names for this connection. The aliases appear on the login page if you configure that option on the Clientless SSL VPN Access Connections window.

Authentication—Specifies the authentication parameters.

Method—Specifies whether to use AAA authentication, certificate authentication, or both methods for this connection. The default is AAA authentication.

AAA server Group—Selects the AAA server group to use for authenticating this connection. The default is LOCAL.

Manage—Opens the Configure AAA Server Groups dialog box.

Default Group Policy—Specifies the default group policy parameters to use for this connection.

Group Policy—Selects the default group policy to use for this connection. The default is DfltGrpPolicy.

Clientless SSL VPN Protocol—Enables or disables the Clientless SSL VPN protocol for this connection.

Add or Edit Clientless SSL VPN Connections > Advanced

The Advanced menu items and their dialog boxes let you configure the following characteristics for this connection:

General attributes.

Authentication attributes.

Authorization attributes.

Accounting attributes.

Name server attributes.

Clientless SSL VPN attributes.

Add or Edit Clientless SSL VPN Connections > Advanced > General

Use this window to specify whether to strip the realm and group from the username before passing them to the AAA server, and to specify password management options.

Fields

Strip the realm from username before passing it on to the AAA server—Enables or disables stripping the realm (administrative domain) from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
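The Strip Realm, Strip Group and Enable Group Lookup rules described here (and in the identical General attributes text for SSL VPN connections earlier in this chapter) are easier to verify in code than in prose. The following added example is not Cisco code: it parses a login of the form username[@realm][<delimiter>group] the way the text describes, rejects the ambiguous case the Note warns about (@ used for both realm and group), and builds the string that would be forwarded to the AAA server for each combination of the two strip options. The function and class names are the example's own.

```python
"""Parse username[@realm][<delim>group] and apply Strip Realm / Strip Group.

Added example, not ASA code; it models the option semantics given in the
ASDM text, including the default '@' group delimiter.
"""
from dataclasses import dataclass
from typing import Optional

REALM_DELIM = "@"                 # the only valid realm delimiter
GROUP_DELIMS = ("@", "#", "!")    # valid group delimiters; "@" is the default


@dataclass
class ParsedLogin:
    username: str
    realm: Optional[str]
    group: Optional[str]
    group_delim: str


def parse_login(raw: str, group_lookup: bool = False,
                group_delim: str = "@") -> ParsedLogin:
    """Split what the user typed into username, realm and group.

    With Group Lookup enabled, everything left of the group delimiter is the
    username (which may itself carry a realm) and everything right of it is
    the group. A realm, if present, follows the '@' in the remaining part.
    """
    if group_delim not in GROUP_DELIMS:
        raise ValueError(f"invalid group delimiter {group_delim!r}")
    rest, group = raw, None
    if group_lookup and group_delim in rest:
        # '@' cannot serve as both realm and group delimiter: a login such as
        # user@realm@group is rejected rather than guessed at.
        if group_delim == REALM_DELIM and rest.count(REALM_DELIM) > 1:
            raise ValueError("use '#' or '!' as the group delimiter when a realm is present")
        rest, group = rest.split(group_delim, 1)
    realm = None
    if REALM_DELIM in rest:
        rest, realm = rest.split(REALM_DELIM, 1)
    return ParsedLogin(rest, realm, group, group_delim)


def aaa_username(login: ParsedLogin, strip_realm: bool, strip_group: bool) -> str:
    """Return the string that is passed on to the AAA server."""
    name = login.username
    if login.realm is not None and not strip_realm:
        name += REALM_DELIM + login.realm        # full username@realm form
    if login.group is not None and not strip_group:
        name += login.group_delim + login.group  # group kept on the name
    return name


def kerberos_realm(dns_domain: str) -> str:
    """Kerberos convention: the realm is the DNS domain name in upper case."""
    return dns_domain.upper()


if __name__ == "__main__":
    p = parse_login("JaneDoe@it.cisco.com#VPNGroup", group_lookup=True, group_delim="#")
    print(p)
    print(aaa_username(p, strip_realm=True, strip_group=True))
    print(aaa_username(p, strip_realm=False, strip_group=True))
    print(kerberos_realm("it.cisco.com"))
```

Note that without Group Lookup the same string JaneDoe@VPNGroup is read as username plus realm, which is why a server that cannot parse delimiters needs Strip Realm checked.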

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. You can select either to notify the user at login a specific number of days before the password expires or to notify the user only on the day that the password expires. The default is to notify the user 14 days prior to password expiration and every day thereafter until the user changes the password. The range is 1 through 180 days.


Note This does not change the number of days before the password expires, but rather, it enables the notification. If you select this option, you must also specify the number of days.


In either case, if the password expires without being changed, the security appliance offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.

This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add or Edit Clientless SSL VPN Connection Profile or IPSec Connection Profiles > Advanced > Authentication

The Authentication dialog box lets you view, add, edit, or delete interface-specific authentication server groups. Each row of the table on this dialog box shows the status of one interface-specific server group: the interface name, its associated server group, and whether fallback to the local database is enabled if the selected server group fails.

Fields

Add or Edit—Opens the Assign Authentication Server Group to Interface dialog box, on which you can specify the interface and server group, and specify whether to allow fallback to the LOCAL database if the selected server group fails.

Delete—Removes the selected server group from the table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Assign Authentication Server Group to Interface

This dialog box lets you associate an interface with a AAA server group. The results appear in the table on the Authentication dialog box.

Fields

Interface—Selects an interface, DMZ, Outside, or Inside. The default is DMZ.

Server Group—Selects a server group to assign to the selected interface. The default is LOCAL.

Manage—Opens the Configure AAA Server Groups dialog box.

Fallback—Enables or disables fallback to LOCAL if the selected server group fails.

Add or Edit SSL VPN Connections > Advanced > Authorization

This dialog box lets you configure the default authorization server group, interface-specific authorization server groups, and user name mapping attributes. The attributes are the same for SSL VPN and Clientless SSL VPN connections.

Fields

Default Authorization Server Group—Configures default authorization server group attributes.

Server Group—Selects the authorization server group to use for this connection. The default is --None--.

Manage—Opens the Configure AAA Server Groups window.

Users must exist in the authorization database to connect—Enables or disables this requirement.

Interface-specific Authorization Server Groups

Table—Lists each configured interface and the server group with which it is associated.

Add or Edit—Opens the Assign Authorization Server Group to Interface window.

Delete—Removes the selected row from the table.

User Name Mapping—Specifies user name mapping attributes.

Use the entire DN as the username—Enables or disables the requirement to use the entire DN as the username.

Specify individual DN fields as the username—You can select both the primary DN field, for which the default is CN (Common Name), and the secondary DN field, for which the default is OU (Organization Unit).

Assign Authorization Server Group to Interface

This dialog box lets you associate an interface with a AAA server group. The results appear in the table on the Authorization dialog box.

Fields

Interface—Selects an interface, DMZ, Outside, or Inside. The default is DMZ.

Server Group—Selects a server group to assign to the selected interface. The default is LOCAL.

Manage—Opens the Configure AAA Server Groups dialog box.

Add or Edit SSL VPN Connections > Advanced > SSL VPN

This dialog box lets you configure attributes that affect what the remote user sees upon login.

Fields

Login Page Customization—Configures the look and feel of the user login page by specifying which preconfigured customization attributes to apply. The default is DfltCustomization.

Manage—Opens the Configure GUI Customization Objects window.

Connection Aliases—Lists in a table the existing connection aliases and their status and lets you add or delete items in that table. A connection alias appears on the user login page if the connection is configured to allow users to select a particular connection (tunnel group) at login.

Add—Opens the Add Connection Alias window, on which you can add and enable a connection alias.

Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.

Group URLs—Lists in a table the existing group URLs and their status and lets you add or delete items in that table. A group URL appears on the user login page if the connection is configured to allow users to select a particular group at login.

Add—Opens the Add Group URL window, on which you can add and enable a group URL.

Delete—Removes the selected row from the group URL table. There is no confirmation or undo.

Add or Edit Clientless SSL VPN Connections > Advanced > SSL VPN

This dialog box lets you configure attributes that affect what the remote user sees upon login.

Fields

Login Page Customization—Configures the look and feel of the user login page by specifying which preconfigured customization attributes to apply. The default is DfltCustomization.

Manage—Opens the Configure GUI Customization Objects window.

Connection Aliases—Lists in a table the existing connection aliases and their status and lets you add or delete items in that table. A connection alias appears on the user login page if the connection is configured to allow users to select a particular connection (tunnel group) at login.

Add—Opens the Add Connection Alias window, on which you can add and enable a connection alias.

Delete—Removes the selected row from the connection alias table. There is no confirmation or undo.

Group URLs—Lists in a table the existing group URLs and their status and lets you add or delete items in that table. A group URL appears on the user login page if the connection is configured to allow users to select a particular group at login.

Add—Opens the Add Group URL window, on which you can add and enable a group URL.

Delete—Removes the selected row from the group URL table. There is no confirmation or undo.

Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers

The table on this dialog box shows the attributes of the already-configured NetBIOS servers. The NetBIOS dialog box of the Add or Edit Tunnel Group window for Clientless SSL VPN access lets you configure the NetBIOS attributes for the tunnel group. Clientless SSL VPN uses NetBIOS and the Common Internet File System protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network.

The security appliance queries NetBIOS name servers to map NetBIOS names to IP addresses. Clientless SSL VPN requires NetBIOS to access or share files on remote systems.

To make the NBNS function operational, you must configure at least one NetBIOS server (host). You can configure up to 3 NBNS servers for redundancy. The security appliance uses the first server on the list for NetBIOS/CIFS name resolution. If the query fails, it uses the next server.

Fields

IP Address—Displays the IP addresses of configured NetBIOS servers.

Master Browser—Shows whether a server is a WINS server or one that can also be a CIFS server (that is, a master browser).

Timeout (seconds)—Displays the initial time in seconds that the server waits for a response to an NBNS query before sending the query to the next server.

Retries—Shows the number of times to retry sending an NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.

Add/Edit—Click to add a NetBIOS server. This opens the Add or Edit NetBIOS Server dialog box.

Delete—Removes the highlighted NetBIOS row from the list.

Move Up/Move Down—The security appliance sends NBNS queries to the NetBIOS servers in the order in which they appear in this box. Use this box to change the priority order of the servers by moving them up or down in the list.
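The server order, Timeout and Retries fields above together decide how many NBNS queries a single CIFS name lookup can generate before the portal reports an error. The following added example, not ASA code, simulates that behaviour against a constructed stand-in for the network so the attempt sequence can be inspected. Two assumptions are made: Retries counts the extra passes over the server list after the first pass (so Retries = 0 still sends one query per server), and a query that times out or fails returns None.

```python
"""Simulate NBNS server order, timeout and retry cycles (added example, not ASA code)."""
from typing import Callable, Dict, List, Optional, Tuple

MAX_NBNS_SERVERS = 3   # up to 3 NBNS servers for redundancy
MAX_RETRIES = 10       # Retries range is 0 to 10, default 2

QueryFn = Callable[[str, str, float], Optional[str]]


class NbnsError(Exception):
    """Raised when every server in every pass failed to answer."""


def resolve_nbns(name: str, servers: List[str], query: QueryFn,
                 timeout: float = 2.0, retries: int = 2) -> Tuple[str, List[Tuple[int, str]]]:
    """Resolve a NetBIOS name using the servers in priority order.

    Returns the address and the list of (pass, server) attempts made, so a
    caller can see how far down the list the lookup had to go.
    """
    if not 1 <= len(servers) <= MAX_NBNS_SERVERS:
        raise ValueError(f"configure 1 to {MAX_NBNS_SERVERS} NBNS servers")
    if not 0 <= retries <= MAX_RETRIES:
        raise ValueError(f"retries must be 0 to {MAX_RETRIES}")
    attempts: List[Tuple[int, str]] = []
    for cycle in range(1 + retries):      # first pass plus 'retries' more (assumption)
        for server in servers:            # first server first; on failure, the next
            attempts.append((cycle, server))
            ip = query(server, name, timeout)
            if ip is not None:
                return ip, attempts
    raise NbnsError(f"{name}: no answer after {len(attempts)} queries")


def make_fake_query(answers: Dict[str, Dict[str, str]], fail_first: int = 0) -> QueryFn:
    """Constructed stand-in for the network: answers[server][NAME] -> ip.

    The first 'fail_first' queries to any server time out (return None),
    which lets the simulation exercise the retry cycles. The timeout value
    is accepted but not waited for.
    """
    calls = {"n": 0}

    def query(server: str, name: str, timeout: float) -> Optional[str]:
        calls["n"] += 1
        if calls["n"] <= fail_first:
            return None
        return answers.get(server, {}).get(name.upper())
    return query


# Constructed sample: the primary server does not know FILESRV01, the secondary does.
SAMPLE_ANSWERS = {
    "10.0.0.5": {"PRINTSRV": "10.0.1.7"},
    "10.0.0.6": {"FILESRV01": "10.0.1.20", "PRINTSRV": "10.0.1.7"},
}

if __name__ == "__main__":
    servers = ["10.0.0.5", "10.0.0.6"]
    print(resolve_nbns("filesrv01", servers, make_fake_query(SAMPLE_ANSWERS)))
    print(resolve_nbns("printsrv", servers, make_fake_query(SAMPLE_ANSWERS, fail_first=3)))
```

The worst case is (1 + Retries) times the server count times Timeout seconds before the user sees an error, which is the figure to keep in mind when raising Retries on a portal with slow WINS servers.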

Fields

DNS Server Group—Selects the server to use as the DNS server group for this connection. The default is DefaultDNS.

Manage—Opens the Configure DNS Server Groups dialog box.

Configure DNS Server Groups

This dialog box displays the configured DNS servers in a table, including the server group name, servers, timeout in seconds, number of retries allowed, and domain name. You can add, edit, or delete DNS server groups on this dialog box.

Fields

Add or Edit—Opens the Add or Edit DNS Server Group dialog box.

Delete—Removes the selected row from the table. There is no confirmation or undo.

Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN

This dialog box lets you specify portal-related attributes for Clientless SSL VPN connections.

Fields

Portal Page Customization—Selects the customization to apply to the user interface.

Manage—Opens the Configure GUI Customization Objects dialog box.

IPSec Remote Access Connection Profiles

The parameters in the IPSec Connection Profiles window let you configure IPSec remote access connections. Most of the parameters in this section were formerly configured under tunnel groups. An IPSec connection represents a connection-specific record for IPSec and Clientless SSL VPN connections.

The IPSec group uses the IPSec connection parameters to create a tunnel. An IPSec connection can be either remote-access or Site-to-Site. The IPSec group is configured on the internal server or on an external RADIUS server. For ASA 5505 in client mode or VPN 3002 hardware client parameters, which enable or disable interactive hardware client authentication and individual user authentication, the IPSec connection parameters take precedence over parameters set for users and groups.

The Clientless SSL VPN tunnel-group parameters are the parameters of the Clientless SSL VPN group that you want to apply to this IPSec connection. You configure Clientless SSL VPN access on the Configuration > Clientless SSL VPN window.

Fields

Access Interfaces—Selects the interfaces to enable for IPSec access. The default is that no access is selected.

Connections—Shows in tabular format the configured parameters for existing IPSec connections. The Connections table contains records that determine connection policies. A record identifies a default group policy for the connection and contains protocol-specific connection parameters. The table contains the following columns:

Name—Specifies the name or IP address of the IPSec connection.

ID Certificate—Specifies the name of the ID certificate, if available.

IPSec Protocol—Indicates whether the IPSec protocol is enabled. You enable this protocol on the Add or Edit IPSec Remote Access Connection, Basic window.

L2TP/IPSec Protocol—Indicates whether the L2TP/IPSec protocol is enabled. You enable this protocol on the Add or Edit IPSec Remote Access Connection, Basic window.

Group Policy—Indicates the name of the group policy for this IPSec connection.

Add or Edit—Opens the Add or Edit IPSec Remote Access Connection Profile dialog box.

Delete—Removes the selected server group from the table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add or Edit an IPSec Remote Access Connection Profile

The Add or Edit IPSec Remote Access Connection Profile dialog box has a navigation pane that lets you select basic or advanced elements to configure.

Add or Edit IPSec Remote Access Connection Profile Basic

The Add or Edit IPSec Remote Access Connection Profile Basic dialog box lets you configure common attributes for IPSec connections.

Fields

Name—Identifies the name of the connection.

IKE Peer Authentication—Configures IKE peers.

Pre-shared key—Specifies the value of the pre-shared key for the connection. The maximum length of a pre-shared key is 128 characters.

Identity Certificate—Selects the name of an identity certificate, if any identity certificates are configured and enrolled.

Manage—Opens the Manage Identity Certificates window, on which you can add, edit, delete, export, and show details for a selected certificate.

User Authentication—Specifies information about the servers used for user authentication. You can configure more authentication information in the Advanced section.

Server Group—Selects the server group to use for user authentication. The default is LOCAL. If you select something other than LOCAL, the Fallback check box becomes available.

Manage—Opens the Configure AAA Server Groups dialog box.

Fallback—Specifies whether to use LOCAL for user authentication if the specified server group fails.

Client Address Assignment—Specifies attributes relevant to assigning client attributes.

DHCP Servers—Specifies the IP address of a DHCP server to use. You can add up to 10 servers, separated by spaces.

Client Address Pools—Specifies up to 6 predefined address pools. To define an address pool, go to Configuration > Remote Access VPN > Network Client Access > Address Assignment > Address Pools.

Select—Opens the Select Address Pools dialog box.

Default Group Policy—Specifies attributes relevant to the default group policy.

Group Policy—Selects the default group policy to use for this connection. The default is DfltGrpPolicy.

Manage—Opens the Configure Group Policies dialog box, from which you can add, edit, or delete group policies.

Client Protocols—Selects the protocol or protocols to use for this connection. By default, both IPSec and L2TP over IPSec are selected.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Mapping Certificates to IPSec or SSL VPN Connection Profiles

When the security appliance receives an IPSec or SSL connection request with client certificate authentication, it evaluates the attributes of the certificate using a set of rules until it finds a match. When it finds a match, it assigns the connection profile associated with the matched rule to the connection. If the security appliance fails to find a match, it assigns the DefaultWEBVPNGroup profile to the connection and lets the user choose the connection profile from a drop-down menu displayed on the portal page, if it is enabled.

To configure the evaluation of IPSec or SSL VPN connections against certificate criteria-based rules, use the IPSec Certificate to Connection Maps > Rules or Certificate to SSL VPN Connections Profile Maps panel.

This panel lets you create the certificate-based criteria for each IPSec and SSL VPN connection profile, as follows:


Step 1 Use the table at the top (Certificate to Connection Profile Maps) to do one of the following:

Create a list name, called a "map," specify the priority of the list, and assign the list to a connection profile.

ASDM highlights the list after you add it to the table.

Confirm that a list is assigned to the connection profile for which you want to add certificate-based rules.

ASDM highlights the list after you add it to the table and displays any associated list entries in the table at the bottom of the pane.

Step 2 Use the table at the bottom (Mapping Criteria) to view, add, change, or delete entries in the selected list.

Each entry in the list consists of one certificate-based rule. All of the rules in the mapping criteria list need to match the contents of the certificate for the security appliance to choose the associated map index. To assign a connection if one criterion or another matches, create one list for each matching criterion.


To understand the fields, see the following sections:

Add/Edit Certificate Matching Rule

Add/Edit Certificate Matching Rule Criterion

Add/Edit Certificate Matching Rule

Use the Add/Edit Certificate Matching Rule dialog box to assign the name of a list (map) to a connection profile.

Fields

Map—Choose one of the following:

Existing—Select the name of the map to include the rule.

New—Enter a new map name for a rule.

Rule Priority—Type a decimal to specify the sequence with which the security appliance evaluates the map when it receives a connection request. For the first rule defined, the default priority is 10. The security appliance evaluates each connection against the map with the lowest priority number first.

Mapped to Connection Profile—Select the connection profile, formerly called a "tunnel group," to map to this rule.

If you do not assign a rule criterion to the map, as described in the next section, the security appliance ignores the map entry.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Certificate Matching Rule Criterion

Use the Add/Edit Certificate Matching Rule Criterion dialog box to configure a certificate matching rule criterion for the selected group.

Fields

Rule Priority—(Display only). Sequence with which the security appliance evaluates the map when it receives a connection request. The security appliance evaluates each connection against the map with the lowest priority number first.

Mapped to Group—(Display only). Connection profile to which the rule is assigned.

Field—Select the part of the certificate to be evaluated from the drop-down list.

Subject—The person or system that uses the certificate. For a CA root certificate, the Subject and Issuer are the same.

Alternative Subject—The subject alternative names extension allows additional identities to be bound to the subject of the certificate.

Issuer—The CA or other entity (jurisdiction) that issued the certificate.

Component—(Applies only if Subject or Issuer is selected.) Select the distinguished name component used in the rule:

Whole Field—The entire DN.

Country (C)—The two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Common Name (CN)—The name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

DN Qualifier (DNQ)—A specific DN attribute.

E-mail Address (EA)—The e-mail address of the person, system or entity that owns the certificate.

Generational Qualifier (GENQ)—A generational qualifier such as Jr., Sr., or III.

Given Name (GN)—The first name of the certificate owner.

Initials (I)—The first letters of each part of the certificate owner's name.

Locality (L)—The city or town where the organization is located.

Name (N)—The name of the certificate owner.

Organization (O)—The name of the company, institution, agency, association, or other entity.

Organizational Unit (OU)—The subgroup within the organization.

Serial Number (SER)—The serial number of the certificate.

Surname (SN)—The family name or last name of the certificate owner.

State/Province (S/P)—The state or province where the organization is located.

Title (T)—The title of the certificate owner, such as Dr.

User ID (UID)—The identification number of the certificate owner.

Unstructured Name (UNAME)—The unstructuredName attribute type specifies the name or names of a subject as an unstructured ASCII string.

IP Address (IP)—The IP address field.


Operator—Select the operator used in the rule:

Equals—The distinguished name field must exactly match the value.

Contains—The distinguished name field must include the value within it.

Does Not Equal—The distinguished name field must not match the value.

Does Not Contain—The distinguished name field must not include the value within it.

Value—Enter up to 255 characters to specify the object of the operator.
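
The following Python block is an added worked example of the matching logic described in the two sections above; it is not ASDM or ASA code. It models a certificate as a dict of DN components (constructed sample data), a map as a named list with a priority and a bound connection profile, and a criterion as Field / Component / Operator / Value. Maps with no criteria are ignored, maps are tried from the lowest priority number upward, every criterion in a map must match (AND), and one map per alternative gives OR semantics. The operator codes and the case-insensitive comparison are assumptions of this example, not documented appliance behaviour.

```python
# Added illustration of certificate-to-connection-profile matching; not Cisco code.
from dataclasses import dataclass, field

DEFAULT_PROFILE = "DefaultWEBVPNGroup"  # fallback profile named in the text above


@dataclass
class Criterion:
    """One certificate-based rule: Field / Component / Operator / Value."""
    cert_field: str   # "subject" or "issuer"
    component: str    # DN component such as "OU" or "CN"; "whole" means the entire DN
    operator: str     # "eq" Equals, "ne" Does Not Equal, "co" Contains, "nc" Does Not Contain
    value: str

    def matches(self, cert: dict) -> bool:
        dn = cert[self.cert_field]
        if self.component == "whole":
            actual = ",".join(f"{k}={v}" for k, v in dn.items())
        else:
            actual = dn.get(self.component, "")
        a, v = actual.lower(), self.value.lower()  # assumption: case-insensitive compare
        return {"eq": a == v, "ne": a != v, "co": v in a, "nc": v not in a}[self.operator]


@dataclass
class CertificateMap:
    """A named list ("map") with a priority, bound to one connection profile."""
    name: str
    priority: int
    profile: str
    criteria: list = field(default_factory=list)


def select_connection_profile(maps, cert):
    """Return (profile, map_name). Maps without criteria are ignored, maps are
    tried in ascending priority number, and every criterion in a map must match."""
    candidates = sorted((m for m in maps if m.criteria), key=lambda m: m.priority)
    for m in candidates:
        if all(c.matches(cert) for c in m.criteria):
            return m.profile, m.name
    return DEFAULT_PROFILE, None


# Constructed sample maps. ENG-MAP needs both its criteria to hold (AND); the two
# SALES maps show how to get OR semantics: one list per alternative criterion.
SAMPLE_MAPS = [
    CertificateMap("ENG-MAP", 10, "EngineeringProfile", [
        Criterion("subject", "OU", "eq", "Engineering"),
        Criterion("issuer", "CN", "co", "Example Corp"),
    ]),
    CertificateMap("SALES-MAP-US", 20, "SalesProfile", [
        Criterion("subject", "OU", "eq", "Sales"), Criterion("subject", "C", "eq", "US")]),
    CertificateMap("SALES-MAP-UK", 21, "SalesProfile", [
        Criterion("subject", "OU", "eq", "Sales"), Criterion("subject", "C", "eq", "GB")]),
    CertificateMap("EMPTY-MAP", 1, "ShouldNeverMatch"),  # no criteria: ignored despite priority 1
]

# Constructed sample certificates (subject and issuer DNs only).
SAMPLE_CERTS = {
    "eng": {"subject": {"C": "US", "O": "Example Corp", "OU": "Engineering", "CN": "jdoe"},
            "issuer": {"C": "US", "O": "Example Corp", "CN": "Example Corp Issuing CA"}},
    "sales_uk": {"subject": {"C": "GB", "O": "Example Corp", "OU": "Sales", "CN": "asmith"},
                 "issuer": {"C": "US", "O": "Example Corp", "CN": "Example Corp Issuing CA"}},
    "contractor": {"subject": {"C": "US", "O": "Other Ltd", "OU": "Contractors", "CN": "bob"},
                   "issuer": {"C": "US", "O": "Other Ltd", "CN": "Other Ltd CA"}},
}

if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, "->", select_connection_profile(SAMPLE_MAPS, cert))
```

Note that EMPTY-MAP has the lowest priority number but never wins, because a map without criteria is skipped, and that the contractor certificate falls through to DefaultWEBVPNGroup, which is exactly the case where the portal drop-down (if enabled) lets the user pick a profile.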

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Configure Site-to-Site Tunnel Groups

The Tunnel Groups window shows the attributes of the currently configured Site-to-Site tunnel groups, lets you select the delimiter to use when parsing tunnel group names, and lets you add, modify, or delete tunnel groups.

Fields

Add—Opens the Add IPSec Site-to-Site Tunnel Group dialog box.

Edit—Opens the Edit IPSec Site-to-Site Tunnel Group dialog box.

Delete—Removes the selected tunnel group. There is no confirmation or undo.

Table of Tunnel Groups—Lists the tunnel group name, CA Certificate, IPSec protocol status (enabled or disabled), and group policy applied for each configured tunnel group.

Group Delimiter—Selects the delimiter character to use when parsing tunnel group names from the usernames that are received when tunnels are being negotiated.

Add/Edit Site-to-Site Connection

The Add or Edit IPSec Site-to-Site Connection dialog box lets you create or modify an IPSec Site-to-Site connection. These dialog boxes let you specify the peer IP address, specify a connection name, select an interface, specify IKE peer and user authentication parameters, specify protected networks, and specify encryption algorithms.

Fields

Peer IP Address—Lets you specify an IP address and whether that address is static.

Connection Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only. You can specify that the connection name is the same as the IP address specified in the Peer IP Address field.

Interface—Selects the interface to use for this connection.

IKE Authentication—Specifies the pre-shared key and ID certificate to use when authenticating an IKE peer.

Pre-shared Key—Specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Identity Certificate—Specifies the name of the identity certificate, if available, to use for authentication.

Manage—Opens the Manage CA Certificates window, on which you can see the certificates that are already configured, add new certificates, show details for a certificate, and edit or delete a certificate.

Protected Networks—Selects or specifies the local and remote network protected for this connection.

Local Network—Specifies the IP address of the local network.

...—Opens the Browse Local Network dialog box, on which you can select a local network.

Remote Network—Specifies the IP address of the remote network.

...—Opens the Browse Remote Network dialog box, on which you can select a remote network.

Encryption Algorithm—Specifies the encryption algorithms to use in the IKE and IPSec proposals.

IKE Proposal—Specifies one or more encryption algorithms to use for the IKE proposal.

Manage—Opens the Configure IKE Proposals dialog box.

IPSec Proposal—Specifies one or more encryption algorithms to use for the IPSec proposal.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Adding or Editing a Site-to-Site Tunnel Group

The Add or Edit IPSec Site-to-Site Tunnel Group dialog box lets you specify attributes for the IPSec site-to-site connection that you are adding. In addition, you can select IKE peer and user authentication parameters, configure IKE keepalive monitoring, and select the default group policy.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

IKE Authentication—Specifies the pre-shared key and Identity certificate parameters to use when authenticating an IKE peer.

Pre-shared Key—Specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Identity Certificate—Specifies the name of the ID certificate to use for authentication, if available.

Manage—Opens the Manage Identity Certificates window, on which you can see the certificates that are already configured, add new certificates, show details for a certificate, and edit or delete a certificate.

IKE Peer ID Validation—Specifies whether to check IKE peer ID validation. The default is Required.

IKE Keepalive—Enables and configures IKE keepalive monitoring. You can select only one of the following attributes.

Disable Keep Alives—Enables or disables IKE keep alives.

Monitor Keep Alives—Enables or disables IKE keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the IKE keep alive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 10 seconds.

Retry Interval—Specifies number of seconds to wait between IKE keep alive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site security appliance never initiates keepalive monitoring.

Default Group Policy—Select the group policy and client protocols that you want to use as the default for this connection. A VPN group policy is a collection of user-oriented attribute-value pairs that can be stored internally on the device or externally on a RADIUS server. IPSec connections and user accounts refer to the group-policy information.

Group Policy—Lists the currently configured group policies. The default value is DfltGrpPolicy.

Manage—Opens the Configure Group Policies window, on which you can view the configured group policies and add, edit, or delete group policies from the list.

IPSec Protocol—Enables or disables the IPSec protocol for use by this group policy.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Crypto Map Entry

In this window, specify crypto parameters for the Connection Profile.

Fields

Priority—A unique priority (1 through 65,543, with 1 the highest priority). When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order.

Perfect Forward Secrecy—Ensures that the key for a given IPSec SA was not derived from any other secret (like some other keys). If someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active.

Diffie-Hellman Group—An identifier which the two IPSec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bits), Group 2 (1024-bits), and Group 5 (1536-bits).

Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy, which lets IPSec peers establish both remote access and LAN-to-LAN connections through a NAT device.

Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.

Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.

Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).

Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Crypto Map Entry for Static Peer Address

In this window, specify crypto parameters for the Connection Profile when the Peer IP Address is a static address.

Fields

Priority—A unique priority (1 through 65,543, with 1 the highest priority). When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer searches for a match with its own policies, in priority order.

Perfect Forward Secrecy—Ensures that the key for a given IPSec SA was not derived from any other secret (like some other keys). If someone were to break a key, PFS ensures that the attacker would not be able to derive any other key. If you enable PFS, the Diffie-Hellman Group list becomes active.

Diffie-Hellman Group—An identifier which the two IPSec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bits), Group 2 (1024-bits), and Group 5 (1536-bits).

Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy, which lets IPSec peers establish both remote access and LAN-to-LAN connections through a NAT device.

Enable Reverse Route Injection—Provides the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint.

Security Association Lifetime—Configures the duration of a Security Association (SA). This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the IPsec SA lasts until it expires and must be renegotiated with new keys.

Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).

Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is 10000 KB, maximum is 2147483647 KB.

Static Crypto Map Entry Parameters—Configure these additional parameters when the Peer IP Address is specified as Static:

Connection Type—Specify the allowed negotiation as bidirectional, answer-only, or originate-only.

Send ID Cert. Chain—Enables transmission of the entire certificate chain.

IKE Negotiation Mode—Sets the mode for exchanging key information for setting up the SAs, Main or Aggressive. It also sets the mode that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is faster, using fewer packets and fewer exchanges, but it does not protect the identity of the communicating parties. Main Mode is slower, using more packets and more exchanges, but it protects the identities of the communicating parties. This mode is more secure and it is the default selection. If you select Aggressive, the Diffie-Hellman Group list becomes active.

Diffie-Hellman Group—An identifier which the two IPSec peers use to derive a shared secret without transmitting it to each other. The choices are Group 1 (768-bits), Group 2 (1024-bits), and Group 5 (1536-bits).

Managing CA Certificates

Clicking Manage under IKE Peer Authentication opens the Manage CA Certificates window. Use this window to view, add, edit, and delete entries on the list of CA certificates available for IKE peer authentication.

The Manage CA Certificates window lists information about currently configured certificates, including information about whom the certificate was issued to, who issued the certificate, when the certificate expires, and usage data.

Fields

Add or Edit—Opens the Install Certificate window or the Edit Certificate window, which let you specify information about and install a certificate.

Show Details—Displays detailed information about a certificate that you select in the table.

Delete—Removes the selected certificate from the table. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Install Certificate

Use this window to install a new CA certificate. You can get the certificate in one of the following ways:

Install from a file by browsing to the certificate file.

Paste the previously acquired certificate text in PEM format into the box on this window.

Use SCEP—Specifies that the certificate is obtained using the Simple Certificate Enrollment Protocol (SCEP). The SCEP Add-on for Certificate Services runs on the Windows Server 2003 family and provides support for the SCEP protocol, which allows Cisco routers and other intermediate network devices to obtain certificates.

SCEP URL: http://—Specifies the URL from which to download SCEP information.

Retry Period—Specifies the number of minutes that must elapse between SCEP queries.

Retry Count—Specifies the maximum number of retries allowed.

More Options—Opens the Configure Options for CA Certificate window.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Configure Options for CA Certificate

Use this window to specify details about retrieving CA Certificates for this IPSec remote access connection. The tabs on this window are: Revocation Check, CRL Retrieval Policy, CRL Retrieval Method, OCSP Rules, and Advanced.

Revocation Check Tab

Use this tab to specify information about CA Certificate revocation checking.

Fields

The radio buttons specify whether to check certificates for revocation. The values of these buttons are as follows:

Do not check certificates for revocation

Check Certificates for revocation

Revocation Methods area—Lets you specify the method (CRL or OCSP) to use for revocation checking, and the order in which to use these methods. You can choose either or both methods.

Add/Edit Remote Access Connections > Advanced > General

Use this window to specify whether to strip the realm and group from the username before passing them to the AAA server, and to specify password management parameters.

Fields

Strip the realm from username before passing it on to the AAA server—Enables or disables stripping the realm (administrative domain) from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
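
The following Python block is an added worked example of the realm and group parsing rules described in the two field descriptions above; it is not ASA code and the usernames it processes are constructed. It models the four relevant settings (Strip Realm, Enable Group Lookup, Strip Group, group delimiter), treats @ as the only realm delimiter, rejects @ as the group delimiter when a realm is also used, and returns the username that would be handed to the AAA server together with whatever realm and group were parsed off it. The function name and return shape are this example's own.

```python
# Added illustration of realm/group stripping; not ASA code. Sample usernames are constructed.

REALM_DELIM = "@"               # the only valid realm delimiter
GROUP_DELIMS = ("@", "#", "!")  # valid group delimiters; "@" is the Group Lookup default


def parse_vpn_username(raw, *, strip_realm=False, group_lookup=False,
                       strip_group=False, group_delim="@"):
    """Return {'aaa_username', 'realm', 'group'} for a raw login name.

    strip_realm  - parse username@realm and drop the realm before AAA
    group_lookup - characters left of group_delim are the user, right are the group
    strip_group  - drop the parsed group before AAA (only meaningful with group_lookup)
    """
    if group_delim not in GROUP_DELIMS:
        raise ValueError(f"invalid group delimiter {group_delim!r}")
    if group_lookup and strip_realm and group_delim == REALM_DELIM:
        # The appliance cannot tell a realm "@" from a group "@": use # or ! instead.
        raise ValueError("group delimiter must be # or ! when a realm is also used")

    name, realm, group = raw, None, None

    # Group Lookup: split on the first occurrence of the configured delimiter.
    if group_lookup and group_delim in name:
        name, _, group = name.partition(group_delim)

    # Realm: parsed only when realm stripping is configured; otherwise the
    # full username@realm string is what the AAA server sees.
    if strip_realm and REALM_DELIM in name:
        name, _, realm = name.partition(REALM_DELIM)

    # Without Strip Group the group stays attached to the name handed to AAA.
    aaa_name = name if (group is None or strip_group) else f"{name}{group_delim}{group}"
    return {"aaa_username": aaa_name, "realm": realm, "group": group}


if __name__ == "__main__":
    # Constructed examples mirroring the formats quoted in the text above.
    print(parse_vpn_username("JaneDoe@it.cisco.com", strip_realm=True))
    print(parse_vpn_username("JaneDoe@it.cisco.com#VPNGroup", strip_realm=True,
                             group_lookup=True, strip_group=True, group_delim="#"))
    print(parse_vpn_username("JaneDoe!VPNGroup", group_lookup=True, group_delim="!"))
```

The last call shows the subtle case: with Group Lookup enabled but Strip Group unchecked, the group is used to select the tunnel group, yet the AAA server still receives JaneDoe!VPNGroup, which is exactly the situation where a server that cannot parse delimiters fails authentication.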

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. You can select either to notify the user at login a specific number of days before the password expires or to notify the user only on the day that the password expires. The default is to notify the user 14 days prior to password expiration and every day thereafter until the user changes the password. The range is 1 through 180 days.


Note This does not change the number of days before the password expires, but rather, it enables the notification. If you select this option, you must also specify the number of days.


In either case, if the password expires without being changed, the security appliance offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.

This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

This feature requires the use of MS-CHAPv2.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Configuring Client Addressing

To specify the client IP address assignment policy and assign address pools to all IPsec and SSL VPN connections, choose Config > Remote Access VPN > Network (Client) Access > IPsec or SSL VPN Connections > Add or Edit > Advanced > Client Addressing. The Add IPSec Remote Access Connection or Add SSL VPN Access Connection window opens. Use this window to add address pools and assign them to interfaces, and view, edit, or delete them. The table at the bottom of the window lists the configured interface-specific address pools.

To understand the fields in this window or its descendent windows, see the sections that follow this one. You can view or change the configuration of address pools and their assignment to interfaces, as follows:

To view or change the configuration of address pools, click Add or Edit in the Add IPSec Remote Access Connection or Add SSL VPN Access Connection window. The Assign Address Pools to Interface window opens. This window lets you assign IP address pools to the interfaces configured on the security appliance. Click Select. The Select Address Pools window opens. Use this window to view the configuration of address pools. You can change their address pool configuration as follows:

To add an address pool to the security appliance, choose Add. The Add IP Pool dialog box opens.

To change the configuration of an address pool on the security appliance, choose Edit. The Edit IP Pool dialog box opens if the addresses in the pool are not in use.


Note You cannot modify an address pool if it is already in use. If you click Edit and the address pool is in use, ASDM displays an error message and lists the connection names and usernames that are using the addresses in the pool.


To remove an address pool on the security appliance, select the entry in the table and click Delete.


Note You cannot remove an address pool if it is already in use. If you click Delete and the address pool is in use, ASDM displays an error message and lists the connection names that are using the addresses in the pool.


To assign address pools to an interface, click Add in the Add IPSec Remote Access Connection or Add SSL VPN Access Connection window. The Assign Address Pools to Interface window opens. Select the interface to be assigned an address pool. Click Select next to the Address Pools field. The Select Address Pools window opens. Double-click each unassigned pool you want to assign to the interface or choose each unassigned pool and click Assign. The adjacent field displays the list of pool assignments. Click OK to populate the Address Pools field with the names of these address pools, then OK again to complete the configuration of the assignment.

To change the address pools assigned to an interface, double-click the interface, or choose the interface in the Add IPSec Remote Access Connection or Add SSL VPN Access Connection window and click Edit. The Assign Address Pools to Interface window opens. To remove address pools, double-click each pool name and press the Delete button on the keyboard. Click Select next to the Address Pools field if you want to assign additional pools to the interface. The Select Address Pools window opens. Note that the Assign field displays the address pool names that remain assigned to the interface. Double-click each unassigned pool you want to add to the interface. The Assign field updates the list of pool assignments. Click OK to revise the Address Pools field with the names of these address pools, then OK again to complete the configuration of the assignment.

To remove an entry from the Add IPSec Remote Access Connection or Add SSL VPN Access Connection window, choose the entry and click Delete.

The Add IPSec Remote Access Connection and Add SSL VPN Access Connection windows and their descendent windows are identical. Use the following sections to understand or assign values to the fields in these windows:

Add IPSec Remote Access Connection and Add SSL VPN Access Connection

Assign Address Pools to Interface

Select Address Pools

Add or Edit IP Pool

Add IPSec Remote Access Connection and Add SSL VPN Access Connection

To access the Add IPSec Remote Access Connection and Add SSL VPN Access Connection windows, choose Config > Remote Access VPN > Network (Client) Access > IPsec or SSL VPN Connections > Add or Edit > Advanced > Client Addressing.

Fields

Use the following descriptions to assign values to the fields in this window:

Global Client Address Assignment Policy—Configures a policy that affects all IPSec and SSL VPN Client connections (including AnyConnect client connections). The security appliance uses the selected sources in order, until it finds an address:

Use authentication server—Specifies that the security appliance should attempt to use the authentication server as the source for a client address.

Use DHCP—Specifies that the security appliance should attempt to use DHCP as the source for a client address.

Use address pool—Specifies that the security appliance should attempt to use address pools as the source for a client address.

Interface-Specific Address Pools—Lists the configured interface-specific address pools.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Assign Address Pools to Interface

Use the Assign Address Pools to Interface window to select an interface and assign one or more address pools to that interface. To access this window, choose Config > Remote Access VPN > Network (Client) Access > IPsec or SSL VPN Connections > Add or Edit > Advanced > Client Addressing > Add or Edit.

Fields

Use the following descriptions to assign values to the fields in this window:

Interface—Select the interface to which you want to assign an address pool. The default is DMZ.

Address Pools—Specify an address pool to assign to the specified interface.

Select—Opens the Select Address Pools dialog box, on which you can select one or more address pools to assign to this interface. Your selection appears in the Address Pools field of the Assign Address Pools to Interface dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Select Address Pools

The Select Address Pools window shows the pool name, starting and ending addresses, and subnet mask of address pools available for client address assignment and lets you add, edit, or delete entries from that list. To access this window, choose Config > Remote Access VPN > Network (Client) Access > IPsec or SSL VPN Connections > Add or Edit > Advanced > Client Addressing > Add or Edit > Select.

Fields

Use the following descriptions to assign values to the fields in this window:

Add—Opens the Add IP Pool window, on which you can configure a new IP address pool.

Edit—Opens the Edit IP Pool window, on which you can modify a selected IP address pool.

Delete—Removes the selected address pool. There is no confirmation or undo.

Assign—Displays the address pool names that remain assigned to the interface. Double-click each unassigned pool you want to add to the interface; the Assign field updates the list of pool assignments.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add or Edit IP Pool

The Add or Edit IP Pool window lets you specify or modify a range of IP addresses for client address assignment. To access this window, choose Config > Remote Access VPN > Network (Client) Access > IPsec or SSL VPN Connections > Add or Edit > Advanced > Client Addressing > Add or Edit > Select > Add or Edit.

Fields

Use the following descriptions to assign values to the fields in this window:

Name—Specifies the name assigned to the IP address pool.

Starting IP Address—Specifies the first IP address in the pool.

Ending IP Address—Specifies the last IP address in the pool.

Subnet Mask—Selects the subnet mask to apply to the addresses in the pool.
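The Name, Starting IP Address, Ending IP Address and Subnet Mask fields above describe a pool only as a range; nothing in the window says whether the range is internally consistent or collides with another pool. The following is an added example (not code from the guide or from ASDM) that audits a list of pools before they are entered: it checks that the ending address does not precede the starting address, that both ends fall in the same subnet under the chosen mask, that the network and broadcast addresses are not handed out, and that no two pools overlap. The pool names and addresses are constructed for the example.

```python
import ipaddress

# Constructed sample pools; names and addresses are illustrative only.
SAMPLE_POOLS = [
    {"name": "vpn-pool-1", "start": "10.10.10.10", "end": "10.10.10.100", "mask": "255.255.255.0"},
    {"name": "vpn-pool-2", "start": "10.10.10.101", "end": "10.10.10.200", "mask": "255.255.255.0"},
    {"name": "bad-range", "start": "10.10.20.50", "end": "10.10.20.40", "mask": "255.255.255.0"},
    {"name": "spans-subnets", "start": "10.10.30.250", "end": "10.10.31.5", "mask": "255.255.255.0"},
]


def check_pool(pool):
    """Return a list of problems for one pool; an empty list means it is consistent."""
    problems = []
    start = ipaddress.IPv4Address(pool["start"])
    end = ipaddress.IPv4Address(pool["end"])
    if end < start:
        problems.append("ending address precedes starting address")
    # The subnet mask applies to every address in the pool, so both ends must
    # lie in the network that the starting address and mask define.
    net = ipaddress.IPv4Network(f"{start}/{pool['mask']}", strict=False)
    if end not in net:
        problems.append(f"range crosses the {net} boundary implied by the subnet mask")
    if start == net.network_address or end == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    return problems


def pool_size(pool):
    """Number of addresses the pool can hand out (0 for an inverted range)."""
    start = int(ipaddress.IPv4Address(pool["start"]))
    end = int(ipaddress.IPv4Address(pool["end"]))
    return max(0, end - start + 1)


def find_overlaps(pools):
    """Return (name_a, name_b) pairs whose address ranges intersect."""
    ranges = []
    for p in pools:
        s = int(ipaddress.IPv4Address(p["start"]))
        e = int(ipaddress.IPv4Address(p["end"]))
        if e >= s:                      # inverted ranges are reported by check_pool
            ranges.append((p["name"], s, e))
    overlaps = []
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            a, b = ranges[i], ranges[j]
            if a[1] <= b[2] and b[1] <= a[2]:
                overlaps.append((a[0], b[0]))
    return overlaps


def audit_pools(pools):
    """Combine the per-pool checks and the overlap check into one report."""
    report = {p["name"]: check_pool(p) for p in pools}
    for a, b in find_overlaps(pools):
        report[a].append(f"overlaps with {b}")
        report[b].append(f"overlaps with {a}")
    return report


if __name__ == "__main__":
    for name, problems in audit_pools(SAMPLE_POOLS).items():
        print(name, "OK" if not problems else problems)
```

Two pools that hand out the same address to two clients are the failure this catches; the ASDM window itself only records each pool independently, so the overlap check is worth running across every pool assigned to the same interface.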

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > General Tab > Authentication

This dialog box is available for IPSec on Remote Access and Site-to-Site tunnel groups. The settings on this dialog box apply to the tunnel group globally across the security appliance. To set authentication server group settings per interface, click Advanced. This dialog box lets you configure the following attributes:

Authentication Server Group—Lists the available authentication server groups, including the LOCAL group (the default). You can also select None. Selecting something other than None or Local makes available the Use LOCAL if Server Group Fails check box. To set the authentication server group per interface, click Advanced.

Use LOCAL if Server Group fails—Enables or disables fallback to the LOCAL database if the group specified by the Authentication Server Group attribute fails.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit SSL VPN Connection > General > Authorization

The settings on this dialog box apply to the connection (tunnel group) globally across the security appliance. This dialog box lets you configure the following attributes:

Authorization Server Group—Lists the available authorization server groups, including the LOCAL group. You can also select None (the default). Selecting something other than None makes available the check box for Users must exist in authorization database to connect.

Users must exist in the authorization database to connect—Tells the security appliance to allow only users in the authorization database to connect. By default this feature is disabled. You must have a configured authorization server to use this feature.

Interface-Specific Authorization Server Groups—(Optional) Lets you configure authorization server groups on a per-interface basis. Interface-specific authorization server groups take precedence over the global server group. If you do not explicitly configure interface-specific authorization, authorization takes place only at the group level.

Interface—Select the interface on which to perform authorization. The standard interfaces are outside (the default), inside, and DMZ. If you have configured other interfaces, they also appear in the list.

Server Group—Select an available, previously configured authorization server group or group of servers, including the LOCAL group. You can associate a server group with more than one interface.

Add—Click Add to add the interface/server group setting to the table and remove the interface from the available list.

Remove—Click Remove to remove the interface/server group from the table and restore the interface to the available list.

Authorization Settings—Lets you set values for usernames that the security appliance recognizes for authorization. This applies to users that authenticate with digital certificates and require LDAP or RADIUS authorization.

Use the entire DN as the username—Allows the use of the entire Distinguished Name (DN) as the username.

Specify individual DN fields as the username—Enables the use of individual DN fields as the username.

Primary DN Field—Lists all of the DN field identifiers for your selection.

Country (C)—Two-letter country abbreviation. These codes conform to ISO 3166 country abbreviations.

Common Name (CN)—Name of a person, system, or other entity. This is the lowest (most specific) level in the identification hierarchy.

DN Qualifier (DNQ)—Specific DN attribute.

E-mail Address (EA)—E-mail address of the person, system, or entity that owns the certificate.

Generational Qualifier (GENQ)—Generational qualifier such as Jr., Sr., or III.

Given Name (GN)—First name of the certificate owner.

Initials (I)—First letters of each part of the certificate owner's name.

Locality (L)—City or town where the organization is located.

Name (N)—Name of the certificate owner.

Organization (O)—Name of the company, institution, agency, association, or other entity.

Organizational Unit (OU)—Subgroup within the organization.

Serial Number (SER)—Serial number of the certificate.

Surname (SN)—Family name or last name of the certificate owner.

State/Province (S/P)—State or province where the organization is located.

Title (T)—Title of the certificate owner, such as Dr.

User ID (UID)—Identification number of the certificate owner.

User Principal Name (UPN)—Used with Smart Card certificate authentication.


Secondary DN Field—Lists all of the DN field identifiers (see the foregoing table) for your selection and adds the option None for no selection.
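The Authorization Settings above say only which DN field (or the whole DN) becomes the username; what follows is an added example, not code from the guide or from the appliance, that shows the derivation on a constructed subject DN. It parses the DN string, maps the guide's field identifiers to the attribute type names that commonly appear in certificate subjects (that mapping is the example's assumption), and refuses to produce a username when the selected primary field is absent, which is the case a defender cares about: a certificate with no CN or no UID must not authorize as an empty name. The format used to join the primary and secondary values is also the example's choice.

```python
# Maps the DN field identifiers listed above to the attribute type names that
# commonly appear in certificate subjects. This mapping is an assumption of the
# example, not something the guide states.
FIELD_TO_ATTR = {
    "C": "C", "CN": "CN", "DNQ": "dnQualifier", "EA": "emailAddress",
    "GENQ": "generationQualifier", "GN": "GN", "I": "initials", "L": "L",
    "N": "name", "O": "O", "OU": "OU", "SER": "serialNumber", "SN": "SN",
    "S/P": "ST", "T": "title", "UID": "UID", "UPN": "userPrincipalName",
}

# Constructed sample subject DN; the person and domain are fictitious.
SAMPLE_DN = "C=US, O=Example Corp, OU=IT, CN=Jane Doe, emailAddress=jane.doe@example.com"


def parse_dn(dn):
    """Split an RFC 4514 DN string into ordered (type, value) pairs.

    Handles backslash-escaped characters (for example '\\,' inside a value).
    Multi-valued RDNs joined with '+' are not split; they are rare in subjects
    used for VPN authentication and would need a fuller parser.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split("=", 1)
        pairs.append((typ.strip(), val.strip()))
    return pairs


def username_from_dn(dn, mode, primary=None, secondary=None):
    """Derive the authorization username from a certificate subject DN.

    mode == "entire": the whole DN string becomes the username.
    mode == "fields": the value of the primary DN field, followed by the
    secondary field's value when one is selected and present. Joining the two
    with a comma is this example's choice; the guide does not state a format.
    Returns None when the primary field is missing from the certificate, so the
    caller can refuse the session instead of authorizing an empty name.
    """
    if mode == "entire":
        return dn
    if mode != "fields":
        raise ValueError("mode must be 'entire' or 'fields'")
    attrs = {}
    for typ, val in parse_dn(dn):
        attrs.setdefault(typ.lower(), val)      # first occurrence of a type wins

    def lookup(field):
        if field in (None, "None"):
            return None
        return attrs.get(FIELD_TO_ATTR[field].lower())

    p = lookup(primary)
    if p is None:
        return None
    s = lookup(secondary)
    return p if s is None else f"{p},{s}"


if __name__ == "__main__":
    print(username_from_dn(SAMPLE_DN, "fields", "CN", "OU"))
```

The "first occurrence wins" rule matters for certificates carrying several OU values; if your CA issues those, decide deliberately which one the authorization server should see rather than letting the order in the certificate decide.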

Add/Edit SSL VPN Connections > Advanced > Accounting

The settings on this dialog box apply to the connection (tunnel group) globally across the security appliance. This dialog box lets you configure the following attribute:

Accounting Server Group—Lists the available accounting server groups. You can also select None (the default). LOCAL is not an option.

Manage—Opens the Configure AAA Server Groups dialog box.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > General > Client Address Assignment

To specify whether to use DHCP or address pools for address assignment, go to Configuration > VPN > IP Address Management > Assignment. The Add or Edit Tunnel Group window > General > Client Address Assignment dialog box lets you configure the following Client Address Assignment attributes:

DHCP Servers—Specifies a DHCP server to use. You can add up to 10 servers, one at a time.

IP Address—Specifies the IP address of a DHCP server.

Add—Adds the specified DHCP server to the list for client address assignment.

Delete—Deletes the specified DHCP server from the list for client address assignment. There is no confirmation or undo.

Address Pools—Lets you specify up to 6 address pools, using the following parameters:

Available Pools—Lists the available, configured address pools you can choose.

Add—Adds the selected address pool to the list for client address assignment.

Remove—Moves the selected address pool from the Assigned Pools list to the Available Pools list.

Assigned Pools—Lists the address pools selected for address assignment.


Note To configure interface-specific address pools, click Advanced.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > General > Advanced

The Add or Edit Tunnel Group window, General, Advanced dialog box lets you configure the following interface-specific attributes:

Interface-Specific Authentication Server Groups—Lets you configure an interface and server group for authentication.

Interface—Lists available interfaces for selection.

Server Group—Lists authentication server groups available for this interface.

Use LOCAL if server group fails—Enables or disables fallback to the LOCAL database if the server group fails.

Add—Adds the association between the selected available interface and the authentication server group to the assigned list.

Remove—Moves the selected interface and authentication server group association from the assigned list to the available list.

Interface/Server Group/Use Fallback—Shows the selections you have added to the assigned list.

Interface-Specific Client IP Address Pools—Lets you specify an interface and Client IP address pool. You can have up to 6 pools.

Interface—Lists the available interfaces to add.

Address Pool—Lists address pools available to associate with this interface.

Add—Adds the association between the selected available interface and the client IP address pool to the assigned list.

Remove—Moves the selected interface/address pool association from the assigned list to the available list.

Interface/Address Pool—Shows the selections you have added to the assigned list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > IPSec for Remote Access > IPSec

On the Add or Edit Tunnel Group window for IPSec for Remote Access, the IPSec dialog box lets you configure or edit IPSec-specific tunnel group parameters.

Fields

Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.

none—Specifies no authentication mode.

xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.

hybrid—Specifies the use of Hybrid mode, which lets you use digital certificates for security appliance authentication and a different, legacy method—such as RADIUS, TACACS+ or SecurID—for remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:

1. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

2. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.


Note Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key.


IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

Enable sending certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

ISAKMP Keep Alive—Enables and configures ISAKMP keep alive monitoring.

Disable Keep Alives—Enables or disables ISAKMP keep alives.

Monitor Keep Alives—Enables or disables ISAKMP keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the ISAKMP keep alive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.

Retry Interval—Specifies the number of seconds to wait between ISAKMP keep alive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site security appliance never initiates keepalive monitoring.

Interface-Specific Authentication Mode—Specifies the authentication mode on a per-interface basis.

Interface—Lets you select the interface name. The default interfaces are inside and outside, but if you have configured a different interface name, that name also appears in the list.

Authentication Mode—Lets you select the authentication mode, none, xauth, or hybrid, as above.

Interface/Authentication Mode table—Shows the interface names and their associated authentication modes that are selected.

Add—Adds an interface/authentication mode pair selection to the Interface/Authentication Modes table.

Remove—Removes an interface/authentication mode pair selection from the Interface/Authentication Modes table.

Client VPN Software Update Table—Lists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software.

Client Type—Identifies the VPN client type.

VPN Client Revisions—Specifies the acceptable revision level of the VPN client.

Image URL—Specifies the URL or IP address from which the correct VPN client software image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group for Site-to-Site VPN

The Add or Edit Tunnel Group dialog box lets you configure or edit tunnel group parameters for this Site-to-Site connection profile.

Fields

Certificate Settings—Sets the following certificate chain and IKE peer validation attributes:

Send certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

IKE Keep Alive—Enables and configures IKE (ISAKMP) keepalive monitoring.

Disable Keepalives—Enables or disables IKE keep alives.

Monitor Keepalives—Enables or disables IKE keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the IKE keepalive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.

Retry Interval—Specifies the number of seconds to wait between IKE keepalive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site security appliance never initiates keepalive monitoring.

Default Group Policy—Specifies the following group-policy attributes:

Group Policy—Selects a group policy to use as the default group policy. The default value is DfltGrpPolicy.

Manage—Opens the Configure Group Policies dialog box.

IPSec Protocol—Enables or disables the use of the IPSec protocol for this connection profile.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > PPP

On the Add or Edit Tunnel Group window for an IPSec remote access tunnel group, the PPP dialog box lets you configure or edit the authentication protocols permitted for a PPP connection. This dialog box applies only to IPSec remote access tunnel groups.

Fields

CHAP—Enables the use of the CHAP protocol for a PPP connection.

MS-CHAP-V1—Enables the use of the MS-CHAP-V1 protocol for a PPP connection.

MS-CHAP-V2—Enables the use of the MS-CHAP-V2 protocol for a PPP connection.

PAP—Enables the use of the PAP protocol for a PPP connection.

EAP-PROXY—Enables the use of the EAP-PROXY protocol for a PPP connection. EAP refers to the Extensible Authentication Protocol.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General > Basic

On the Add or Edit Tunnel Group window for Site-to-Site Remote Access, the General, Basic dialog box lets you specify a name for the tunnel group that you are adding (Add function only) and select the group policy.

On the Edit Tunnel Group window, the General dialog box displays the name and type of the tunnel group you are modifying.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window.

Group Policy—Lists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy.

Strip the realm (administrative domain) from the username before passing it on to the AAA server—Enables or disables stripping the realm from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<# or !>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character for the group delimiter because the security appliance cannot interpret the @ as a group delimiter if it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.

Enable notification prior to expiration—When you check this option, the security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.

Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec

The Add or Edit Tunnel Group window for IPSec for Site-to-Site access, IPSec dialog box, lets you configure or edit IPSec Site-to-Site-specific tunnel group parameters.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of this field depend on your selection on the previous window.

Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The maximum length of the pre-shared key is 128 characters.

Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.

none—Specifies no authentication mode.

xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability of authenticating a user within IKE using TACACS+ or RADIUS.

hybrid—Specifies the use of Hybrid mode, which lets you use digital certificates for security appliance authentication and a different, legacy method—such as RADIUS, TACACS+ or SecurID—for remote VPN user authentication. This mode breaks phase 1 of the Internet Key Exchange (IKE) into the following steps, together called hybrid authentication:

1. The security appliance authenticates to the remote VPN user with standard public key techniques. This establishes an IKE security association that is unidirectionally authenticated.

2. An extended authentication (xauth) exchange then authenticates the remote VPN user. This extended authentication can use one of the supported legacy authentication methods.


Note Before setting the authentication type to hybrid, you must configure the authentication server and create a pre-shared key.


IKE Peer ID Validation—Selects whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate.

Enable sending certificate chain—Enables or disables sending the entire certificate chain. This action includes the root certificate and any subordinate CA certificates in the transmission.

ISAKMP Keep Alive—Enables and configures ISAKMP keep alive monitoring.

Disable Keep Alives—Enables or disables ISAKMP keep alives.

Monitor Keep Alives—Enables or disables ISAKMP keep alive monitoring. Selecting this option makes available the Confidence Interval and Retry Interval fields.

Confidence Interval—Specifies the ISAKMP keep alive confidence interval. This is the number of seconds the security appliance should allow a peer to idle before beginning keepalive monitoring. The minimum is 10 seconds; the maximum is 300 seconds. The default for a remote access group is 300 seconds.

Retry Interval—Specifies the number of seconds to wait between ISAKMP keep alive retries. The default is 2 seconds.

Head end will never initiate keepalive monitoring—Specifies that the central-site security appliance never initiates keepalive monitoring.

Interface-Specific Authentication Mode—Specifies the authentication mode on a per-interface basis.

Interface—Lets you select the interface name. The default interfaces are inside and outside, but if you have configured a different interface name, that name also appears in the list.

Authentication Mode—Lets you select the authentication mode, none, xauth, or hybrid, as above.

Interface/Authentication Mode table—Shows the interface names and their associated authentication modes that are selected.

Add—Adds an interface/authentication mode pair selection to the Interface/Authentication Modes table.

Remove—Removes an interface/authentication mode pair selection from the Interface/Authentication Modes table.

Client VPN Software Update Table—Lists the client type, VPN Client revisions, and image URL for each client VPN software package installed. For each client type, you can specify the acceptable client software revisions and the URL or IP address from which to download software upgrades, if necessary. The client update mechanism (described in detail under the Client Update window) uses this information to determine whether the software each VPN client is running is at an appropriate revision level and, if appropriate, to provide a notification message and an update mechanism to clients that are running outdated software.

Client Type—Identifies the VPN client type.

VPN Client Revisions—Specifies the acceptable revision level of the VPN client.

Image URL—Specifies the URL or IP address from which the correct VPN client software image can be downloaded. For Windows-based VPN clients, the URL must be of the form http:// or https://. For ASA 5505 in client mode or VPN 3002 hardware clients, the URL must be of the form tftp://.
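The Client VPN Software Update Table described here (and in the identical table under Add/Edit Tunnel Group > IPSec for Remote Access > IPSec) states two rules a practitioner can check mechanically: a client is acceptable only if its running revision is in the configured list, and the Image URL scheme depends on the client type (http:// or https:// for Windows clients, tftp:// for ASA 5505 client-mode and VPN 3002 hardware clients). The following is an added example, not code from the guide or from ASDM, that validates a constructed update table against those rules and decides whether a connecting client needs the update notification. The client-type labels, revision strings, hosts and paths are constructed for the example and are not the values ASDM displays.

```python
from urllib.parse import urlparse

# URL schemes the guide requires per client type. The client-type labels are
# constructed for this example; they are not the identifiers ASDM displays.
REQUIRED_SCHEMES = {
    "windows": {"http", "https"},
    "asa5505-client": {"tftp"},
    "vpn3002": {"tftp"},
}

# Constructed update table: acceptable revisions and image locations per client
# type. Revisions, hosts and paths are illustrative, not real release numbers.
UPDATE_TABLE = {
    "windows": {
        "revisions": ["5.0.03.0530", "5.0.04.0300"],
        "url": "https://updates.example.net/vpnclient-win-5.0.04.0300.exe",
    },
    "vpn3002": {
        "revisions": ["4.7.2.B"],
        "url": "tftp://192.0.2.10/vpn3002-4.7.2.B.bin",
    },
}


def validate_image_url(client_type, url):
    """Check an Image URL against the scheme rule for its client type.

    Returns (problems, warnings). Problems mean the entry is invalid; warnings
    flag transports that deliver the image without integrity protection.
    """
    problems, warnings = [], []
    allowed = REQUIRED_SCHEMES.get(client_type)
    if allowed is None:
        return [f"unknown client type {client_type!r}"], warnings
    parsed = urlparse(url)
    if parsed.scheme not in allowed:
        problems.append(
            f"scheme {parsed.scheme!r} is not valid for {client_type}; "
            f"expected one of {sorted(allowed)}"
        )
    if not parsed.netloc:
        problems.append("URL has no host")
    if not problems and parsed.scheme in ("http", "tftp"):
        warnings.append(
            f"{parsed.scheme} delivers the image with no integrity protection; "
            "serve it only from a trusted host on a restricted network"
        )
    return problems, warnings


def evaluate_client(client_type, running_revision):
    """Decide whether a connecting client is at an acceptable revision.

    A client whose revision is not in the acceptable list is told where to
    fetch an image, mirroring the notification the guide describes.
    """
    entry = UPDATE_TABLE.get(client_type)
    if entry is None:
        return {"status": "no-policy"}
    if running_revision in entry["revisions"]:
        return {"status": "current"}
    return {
        "status": "update-required",
        "acceptable": list(entry["revisions"]),
        "image_url": entry["url"],
    }


def audit_update_table(table=UPDATE_TABLE):
    """Validate every Image URL in the table; returns {client_type: (problems, warnings)}."""
    return {ct: validate_image_url(ct, entry["url"]) for ct, entry in table.items()}


if __name__ == "__main__":
    print(audit_update_table())
    print(evaluate_client("windows", "4.8.00.0440"))
```

The warning branch is the part worth keeping in a real review script: where the guide requires tftp:// (hardware clients) the transport cannot be changed, so the compensating control is where the TFTP server sits and who can reach it; for Windows clients the same check points you to https://.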

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > Clientless SSL VPN Access > General > Basic

The Add or Edit pane, General, Basic dialog box lets you specify a name for the tunnel group that you are adding, lets you select the group policy, and lets you configure password management.

On the Edit Tunnel Group window, the General dialog box displays the name and type of the selected tunnel group. All other functions are the same as for the Add Tunnel Group window.

Fields

Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is display-only.

Type—Displays the type of tunnel group you are adding or editing. For Edit, this is a display-only field whose contents depend on your selection in the Add window.

Group Policy—Lists the currently configured group policies. The default value is the default group policy, DfltGrpPolicy.

Strip the realm—Not available for Clientless SSL VPN.

Strip the group—Not available for Clientless SSL VPN.

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing override account-disabled is a potential security risk.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. If you do not also check the Enable notification prior to expiration check box, the user receives notification only after the password has expired.

Enable notification prior to expiration—When you check this option, the security appliance notifies the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it enables the notification. If you check this check box, you must also specify the number of days.

Notify...days prior to expiration—Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Add/Edit Tunnel Group > Clientless SSL VPN > Basic

The attributes on the Add/Edit Tunnel Group General Tab dialog boxes for Clientless SSL VPN are the same as those for Add/Edit Tunnel Group General dialog boxes for IPSec Remote Access. The following description applies to the fields appearing on the Clientless SSL VPN dialog boxes.

Fields

The Basic dialog box lets you configure the following attributes for Clientless SSL VPN:

Authentication—Specifies the type of authentication to perform: AAA, Certificate, or Both. The default value is AAA.

DNS Group—Specifies the DNS server to use for a connection profile. The default value is DefaultDNS.

CSD Failure group policy—This attribute is valid only for security appliances with Cisco Secure Desktop installed. The security appliance uses this attribute to limit access rights to remote CSD clients if you use Cisco Secure Desktop Manager to set the VPN feature policy to one of the following options:

"Use Failure Group-Policy."

"Use Success Group-Policy, if criteria match," and the criteria fail to match.

This attribute specifies the name of the failure group policy to be applied. Choose a group policy to differentiate access rights from those associated with the default group policy. The default value is DfltGrpPolicy.


Note The security appliance does not use this attribute if you set the VPN feature policy to "Always use Success Group-Policy."


For more information, see the Cisco Secure Desktop Configuration Guide for Cisco ASA 5500 Series Administration Guide.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed | Transparent
Security Context: Single | Multiple (Context | System)


Configuring Internal Group Policy IPSec Client Attributes

Use this window to specify whether to strip the realm and group from the username before passing them to the AAA server, and to specify password management options.

Fields

Strip the realm from username before passing it on to the AAA server—Enables or disables stripping the realm (administrative domain) from the username before passing the username on to the AAA server. Check the Strip Realm check box to remove the realm qualifier of the username during authentication. You can append the realm name to the username for AAA: authorization, authentication and accounting. The only valid delimiter for a realm is the @ character. The format is username@realm, for example, JaneDoe@it.cisco.com. If you check this Strip Realm check box, authentication is based on the username alone. Otherwise, authentication is based on the full username@realm string. You must check this box if your server is unable to parse delimiters.


Note You can append both the realm and the group to a username, in which case the security appliance uses the parameters configured for the group and for the realm for AAA functions. The format for this option is username[@realm][<#|!>group], for example, JaneDoe@it.cisco.com#VPNGroup. If you choose this option, you must use either the # or ! character as the group delimiter, because the security appliance cannot interpret @ as the group delimiter when it is also present as the realm delimiter.

A Kerberos realm is a special case. The convention in naming a Kerberos realm is to capitalize the DNS domain name associated with the hosts in the Kerberos realm. For example, if users are in the it.cisco.com domain, you might call your Kerberos realm IT.CISCO.COM.


Strip the group from the username before passing it on to the AAA server—Enables or disables stripping the group name from the username before passing the username on to the AAA server. Check Strip Group to remove the group name from the username during authentication. This option is meaningful only when you have also checked the Enable Group Lookup box. When you append a group name to a username using a delimiter, and enable Group Lookup, the security appliance interprets all characters to the left of the delimiter as the username, and those to the right as the group name. Valid group delimiters are the @, #, and ! characters, with the @ character as the default for Group Lookup. You append the group to the username in the format username<delimiter>group, the possibilities being, for example, JaneDoe@VPNGroup, JaneDoe#VPNGroup, and JaneDoe!VPNGroup.
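
The following Python function, added here as an illustration and not part of the ASDM guide or the security appliance's code, applies the delimiter rules above to a typed username: with Group Lookup enabled it splits off the group (everything right of the group delimiter), then the realm (the part after @), and rebuilds the name the AAA server receives under the two Strip options. It also rejects the ambiguous case the note describes, a realm and a group both introduced by @. The function and type names are this example's own.

```python
"""Added example: the username/realm/group splitting described above."""
from dataclasses import dataclass
from typing import Optional

REALM_DELIM = "@"                # the only valid realm delimiter
GROUP_DELIMS = ("@", "#", "!")   # valid group delimiters; "@" is the Group Lookup default


@dataclass(frozen=True)
class ParsedLogin:
    user: str
    realm: Optional[str] = None
    group: Optional[str] = None


def parse_login(raw: str, group_lookup: bool = True, group_delim: str = "@") -> ParsedLogin:
    """Split what the user typed into user, realm and group.

    With Group Lookup enabled, everything left of the group delimiter is the
    username and everything right of it is the group.  The realm is then split
    off the username part at "@".  When the group delimiter is also "@" and the
    string contains more than one "@", the appliance cannot tell realm from
    group (see the note above), so the input is rejected.
    """
    if group_delim not in GROUP_DELIMS:
        raise ValueError(f"invalid group delimiter {group_delim!r}")
    user, group = raw, None
    if group_lookup and group_delim in raw:
        if group_delim == REALM_DELIM and raw.count(REALM_DELIM) > 1:
            raise ValueError("use # or ! as the group delimiter when a realm is present")
        user, group = raw.split(group_delim, 1)
    realm = None
    if REALM_DELIM in user:
        user, realm = user.split(REALM_DELIM, 1)
    if not user:
        raise ValueError("empty username")
    return ParsedLogin(user, realm, group)


def aaa_username(login: ParsedLogin, strip_realm: bool, strip_group: bool,
                 group_delim: str = "@") -> str:
    """The name passed to the AAA server after the Strip Realm / Strip Group options.

    "JaneDoe" and "JaneDoe@it.cisco.com" may be different accounts on the
    server, so the Strip settings decide which account is actually authenticated.
    """
    name = login.user
    if login.realm and not strip_realm:
        name += REALM_DELIM + login.realm
    if login.group and not strip_group:
        name += group_delim + login.group
    return name


if __name__ == "__main__":
    p = parse_login("JaneDoe@it.cisco.com#VPNGroup", group_delim="#")
    print(p)                                                    # user, realm and group separated
    print(aaa_username(p, strip_realm=True, strip_group=True))  # JaneDoe
    # With Group Lookup on and "@" as the group delimiter, the realm is taken as the group:
    print(parse_login("JaneDoe@it.cisco.com"))
```

The last call shows the trap the note warns about: leaving the group delimiter at its default of @ while users log in as user@realm makes the realm look like a group name, so choose # or ! as the group delimiter whenever realms are in use.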

Password Management—Lets you configure parameters relevant to overriding an account-disabled indication from a AAA server and to notifying users about password expiration.

Override account-disabled indication from AAA server—Overrides an account-disabled indication from a AAA server.


Note Allowing the override is a potential security risk: a user whose account the AAA server reports as disabled can still establish a VPN session.


Enable notification upon password expiration to allow user to change password—Checking this check box makes the following two parameters available. You can select either to notify the user at login a specific number of days before the password expires or to notify the user only on the day that the password expires. The default is to notify the user 14 days prior to password expiration and every day thereafter until the user changes the password. The range is 1 through 180 days.


Note This does not change the number of days before the password expires, but rather, it enables the notification. If you select this option, you must also specify the number of days.


In either case, if the password expires without being changed, the security appliance offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.

This parameter is valid only for AAA servers that support such notification: RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this setting if RADIUS or LDAP authentication has not been configured.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Configuring Client Addressing for SSL VPN Connections

Use this window to specify the global client address assignment policy and to configure interface-specific address pools. You can also add, edit, or delete interface-specific address pools using this window. The table at the bottom of the window lists the configured interface-specific address pools.

Fields

Global Client Address Assignment Policy—Configures a policy that affects all IPSec and SSL VPN Client connections (including AnyConnect client connections). The security appliance uses the selected sources in order, until it finds an address:

Use authentication server—Specifies that the security appliance should attempt to use the authentication server as the source for a client address.

Use DHCP—Specifies that the security appliance should attempt to use DHCP as the source for a client address.

Use address pool—Specifies that the security appliance should attempt to use address pools as the source for a client address.

Interface-Specific Address Pools—Lists the configured interface-specific address pools.

Add—Opens the Assign Address Pools to Interface window, on which you can select an interface and select an address pool to assign.

Edit—Opens the Assign Address Pools to Interface window with the interface and address pool fields filled in.

Delete—Deletes the selected interface-specific address pool. There is no confirmation or undo.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Assign Address Pools to Interface

Use this dialog box to select an interface and assign one or more address pools to that interface.

Fields

Interface—Select the interface to which you want to assign an address pool. The default is DMZ.

Address Pools—Specify an address pool to assign to the specified interface.

Select—Opens the Select Address Pools dialog box, on which you can select one or more address pools to assign to this interface. Your selection appears in the Address Pools field of the Assign Address Pools to Interface dialog box.

Select Address Pools

The Select Address Pools window shows the pool name, starting and ending addresses, and subnet mask of address pools available for client address assignment and lets you add, edit, or delete entries from that list.

Fields

Add—Opens the Add IP Pool window, on which you can configure a new IP address pool.

Edit—Opens the Edit IP Pool window, on which you can modify a selected IP address pool.

Delete—Removes the selected address pool. There is no confirmation or undo.

Assign—Displays the address pool names that remain assigned to the interface. Double-click each unassigned pool you want to add to the interface. The Assign field updates the list of pool assignments.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Add or Edit an IP Address Pool

Configures or modifies an IP address pool.

Fields

Name—Specifies the name assigned to the IP address pool.

Starting IP Address—Specifies the first IP address in the pool.

Ending IP Address—Specifies the last IP address in the pool.

Subnet Mask—Selects the subnet mask to apply to the addresses in the pool.
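
As an added illustration of the windows above (the Global Client Address Assignment Policy and the Add or Edit IP Address Pool fields), and not code from ASDM or the security appliance, the Python below models an address pool with the checks a usable pool must pass (the ending address not before the starting one, both inside the subnet the mask selects, neither the subnet's network nor its broadcast address) and then walks the enabled address sources in the configured order until one yields an address. The class and function names, the "aaa", "dhcp" and "local" source labels, and the dhcp_lease callable that stands in for a DHCP server are all this example's own assumptions.

```python
"""Added example: local IP address pools and the client address assignment order."""
import ipaddress
from typing import Callable, Iterable, Optional, Sequence, Tuple

IPv4 = ipaddress.IPv4Address


class AddressPool:
    """One entry of the Add/Edit IP Pool window: name, starting and ending address, mask."""

    def __init__(self, name: str, start: str, end: str, mask: str) -> None:
        self.name = name
        self.start, self.end = IPv4(start), IPv4(end)
        # strict=False lets a host address plus the mask define the subnet
        self.network = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        if self.end < self.start:
            raise ValueError(f"{name}: ending address precedes starting address")
        if self.end not in self.network:
            raise ValueError(f"{name}: start and end are not in the same subnet for mask {mask}")
        reserved = (self.network.network_address, self.network.broadcast_address)
        for addr in (self.start, self.end):
            if addr in reserved:
                raise ValueError(f"{name}: {addr} is the subnet's network or broadcast address")
        self._in_use: set = set()

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def allocate(self) -> Optional[IPv4]:
        """Hand out the lowest free address, or None once the pool is exhausted."""
        for n in range(int(self.start), int(self.end) + 1):
            addr = IPv4(n)
            if addr not in self._in_use:
                self._in_use.add(addr)
                return addr
        return None

    def release(self, addr: str) -> None:
        """Return an address to the pool when the session ends."""
        self._in_use.discard(IPv4(addr))


# Global Client Address Assignment Policy: the enabled sources, tried in this order.
DEFAULT_ORDER: Tuple[str, ...] = ("aaa", "dhcp", "local")


def assign_client_address(order: Sequence[str],
                          aaa_address: Optional[str],
                          dhcp_lease: Callable[[], Optional[str]],
                          pools: Iterable[AddressPool]) -> Optional[Tuple[str, IPv4]]:
    """Return (source, address) from the first source that yields one, else None.

    aaa_address is the address the authentication server returned (None if it
    returned none); dhcp_lease stands in for a DHCP server; pools are the
    address pools applicable to the connection, in priority order.
    """
    for source in order:
        if source == "aaa" and aaa_address:
            return source, IPv4(aaa_address)
        if source == "dhcp":
            lease = dhcp_lease()
            if lease:
                return source, IPv4(lease)
        if source == "local":
            for pool in pools:
                addr = pool.allocate()
                if addr is not None:
                    return source, addr
    return None


if __name__ == "__main__":
    pool = AddressPool("vpn-pool", "192.0.2.10", "192.0.2.12", "255.255.255.0")
    print(pool.size)                                                   # 3
    print(assign_client_address(DEFAULT_ORDER, None, lambda: None, [pool]))
```

A pool that fails the subnet check is the usual cause of clients that connect but cannot route: the appliance hands out an address, but the mask on the pool does not cover it.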

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Authenticating SSL VPN Connections

The SSL VPN Connections > Advanced > Authentication window lets you configure authentication attributes for SSL VPN connections.

System Options

The System Options pane lets you configure features specific to VPN sessions on the security appliance.

Fields

Enable inbound IPSec sessions to bypass interface access-lists. Group policy and per-user authorization access lists still apply to the traffic—By default, the security appliance allows VPN traffic to terminate on a security appliance interface; you do not need to allow IKE or ESP (or other types of VPN packets) in an access rule. When this option is checked, you also do not need an access rule for the local IP addresses of decrypted VPN packets. Because the tunnel has already been authenticated and established by the VPN security mechanisms, this simplifies configuration and improves performance. It does mean, however, that the interface access rule is no longer evaluated for decrypted traffic: the only access control that still applies is the group policy or per-user authorization access list (the VPN filter), so any restriction you would otherwise have expressed in the interface access rule must be carried in those lists.

You can require an access rule to apply to the local IP addresses by unchecking this option. The access rule applies to the local IP address, and not to the original client IP address used before the VPN packet was decrypted.

Limit the maximum number of active IPSec VPN sessions—Enables or disables limiting the maximum number of active IPSec VPN sessions. The range depends on the hardware platform and the software license.

Maximum Active IPSec VPN Sessions—Specifies the maximum number of active IPSec VPN sessions allowed. This field is active only when you select the preceding check box to limit the maximum number of active IPSec VPN sessions.

L2TP Tunnel Keep-alive Timeout—Specifies the frequency, in seconds, of keepalive messages. The range is 10 through 300 seconds. The default is 60 seconds.

Preserve stateful VPN flows when tunnel drops for Network-Extension Mode (NEM)—Enables or disables preserving IPsec tunneled flows in Network-Extension Mode. With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout window, data continues flowing successfully because the security appliance still has access to the state information. This option is disabled by default.


Note Tunneled TCP flows are not dropped, so they rely on the TCP timeout for cleanup. However, if the timeout is disabled for a particular tunneled flow, that flow remains in the system until being cleared manually or by other means (for example, by a TCP RST from the peer).


Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Configuring SSL VPN Connections, Advanced

The advanced options include configuring split tunneling, IE browser proxy, and group-policy related attributes for SSL VPN/AnyConnect clients and IPSec clients.

Configuring Split Tunneling

Split tunneling lets you specify that certain data traffic is encrypted ("goes through the tunnel"), while the remainder is sent in the clear (unencrypted). Split-tunneling network lists distinguish networks that require traffic to go through the tunnel from those that do not. The security appliance makes split-tunneling decisions based on a network list, which is an ACL consisting of the addresses on the private network.

Fields

DNS Names—Specify one or more DNS names to which this policy applies.

Policy—Selects the split-tunneling policy, specifying whether to include or exclude from the tunnel the indicated network lists. If you do not select Inherit, the default is Exclude Network List Below.

Network List—Selects the networks to which to apply the split-tunneling policy. If you do not select Inherit, the default is --None--.

Manage—Opens the ACL Manager dialog box, on which you can configure access control lists to use as network lists.

Intercept DHCP Configuration Message from Microsoft Clients—Reveals additional parameters specific to DHCP Intercept. DHCP Intercept lets Microsoft XP clients use split tunneling with the security appliance. For Windows clients prior to XP, DHCP Intercept provides the domain name and subnet mask.

Intercept—Specifies whether to allow DHCP Intercept to occur. If you do not select Inherit, the default setting is No.

Subnet Mask—Selects the subnet mask to use.
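
To make the include/exclude semantics concrete, here is an added Python example (not from the ASDM guide or the security appliance) that decides, for one destination address, whether traffic goes through the tunnel under each of the three policies, given a network list expressed as ordered permit/deny entries. First-match evaluation of the list and the policy strings used as constants are this example's assumptions; the ACL Manager's own matching is not reproduced.

```python
"""Added example: the split-tunneling decision for one destination address."""
import ipaddress
from typing import List, Sequence, Tuple

# Policy choices as this example names them (assumed to mirror the Policy drop-down)
TUNNEL_ALL = "Tunnel All Networks"
TUNNEL_LIST = "Tunnel Network List Below"
EXCLUDE_LIST = "Exclude Network List Below"

# A network list entry: ("permit" | "deny", network in CIDR or address/mask form)
Ace = Tuple[str, str]


def in_network_list(dest: str, network_list: Sequence[Ace]) -> bool:
    """First-match lookup of dest in the network list (an ACL of private addresses).

    A "permit" hit puts the address on the list, a "deny" hit keeps it off,
    and an address matching no entry is not on the list.  First-match
    semantics are this example's assumption.
    """
    d = ipaddress.ip_address(dest)
    for action, net in network_list:
        if d in ipaddress.ip_network(net, strict=False):
            return action == "permit"
    return False


def goes_through_tunnel(dest: str, policy: str, network_list: Sequence[Ace]) -> bool:
    """True if traffic to dest is encrypted into the tunnel under the given policy."""
    if policy == TUNNEL_ALL:
        return True
    if policy == TUNNEL_LIST:
        return in_network_list(dest, network_list)
    if policy == EXCLUDE_LIST:
        return not in_network_list(dest, network_list)
    raise ValueError(f"unknown split-tunneling policy {policy!r}")


def cleartext_destinations(dests: Sequence[str], policy: str,
                           network_list: Sequence[Ace]) -> List[str]:
    """The destinations a client reaches outside the tunnel: the set a reviewer of a
    split-tunnel change most wants to see, since that traffic bypasses the VPN filter."""
    return [d for d in dests if not goes_through_tunnel(d, policy, network_list)]


if __name__ == "__main__":
    # Constructed network list: the private 10/8 except one lab subnet, plus 192.168/16
    private = [("deny", "10.0.99.0/24"), ("permit", "10.0.0.0/8"), ("permit", "192.168.0.0/16")]
    probes = ["10.1.2.3", "10.0.99.7", "192.168.4.4", "203.0.113.5"]
    for policy in (TUNNEL_ALL, TUNNEL_LIST, EXCLUDE_LIST):
        print(policy, "-> in the clear:", cleartext_destinations(probes, policy, private))
```

Note the asymmetry in what a list entry means under the two list policies: under Tunnel Network List Below an address the list omits is sent in the clear, while under Exclude Network List Below the same omission sends it through the tunnel, so check a list against the policy it is paired with, not on its own.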

Zone Labs Integrity Server

The Zone Labs Integrity Server panel lets you configure the security appliance to support a Zone Labs Integrity Server. This server is part of the Integrity System, a system designed to enforce security policies on remote clients entering the private network. In essence, the security appliance acts as a proxy for the client PC to the Firewall Server and relays all necessary Integrity information between the Integrity client and the Integrity server.


Note The current release of the security appliance supports one Integrity Server at a time even though the user interfaces support the configuration of up to five Integrity Servers. If the active Server fails, configure another Integrity Server on the security appliance and then reestablish the client VPN session.


Fields

Server IP address—Type the IP address of the Integrity Server. Use dotted decimal notation.

Add—Adds a new server IP address to the list of Integrity Servers. This button is active when an address is entered in the Server IP address field.

Delete—Deletes the selected server from the list of Integrity Servers.

Move Up—Moves the selected server up in the list of Integrity Servers. This button is available only when there is more than one server in the list.

Move Down—Moves the selected server down in the list of Integrity Servers. This button is available only when there is more than one server in the list.

Server Port—Type the security appliance port number on which it listens to the active Integrity server. The default port number is 5054, and it can range from 10 to 10000. This field is available only when there is at least one server in the Integrity Server list.

Interface—Choose the security appliance interface on which it communicates with the active Integrity Server. This menu is available only when there is a server in the Integrity Server list.

Fail Timeout—Type the number of seconds that the security appliance should wait before it declares the active Integrity Server to be unreachable. The default is 10 and the range is from 5 to 20.

SSL Certificate Port—Specifies the security appliance port to be used for SSL Authorization. The default is port 80.

Enable SSL Authentication—Check to enable authentication of the remote client SSL certificate by the security appliance. By default, client SSL authentication is disabled.

Close connection on timeout—Check to close the connection between the security appliance and the Integrity Server on a timeout. By default, the connection remains open.

Apply—Click to apply the Integrity Server setting to the security appliance running configuration.

Reset—Click to remove Integrity Server configuration changes that have not yet been applied.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Easy VPN Remote

Easy VPN Remote lets the ASA 5505 act as an Easy VPN client device. The ASA 5505 can then initiate a VPN tunnel to an Easy VPN server, which can be a security appliance, a Cisco VPN 3000 Concentrator, an IOS-based router, or a firewall acting as an Easy VPN server.

The Easy VPN client supports one of two modes of operation: Client Mode or Network Extension Mode (NEM). The mode of operation determines whether the Easy VPN Client inside hosts are accessible from the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a connection because Easy VPN Client does not have a default mode.

Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN Client private network from those on the enterprise network. The Easy VPN Client performs PAT for all VPN traffic from its inside hosts, so the network and addresses on its private side are hidden from the enterprise network and cannot be accessed directly. IP address management is required neither for the Easy VPN Client inside interface nor for the inside hosts.

NEM makes the inside interface and all inside hosts routable across the enterprise network over the tunnel. Hosts on the inside network obtain their IP addresses, statically or via DHCP, from a subnet that is reachable from the enterprise network. PAT does not apply to VPN traffic in NEM. This mode does not require a VPN configuration for each client. The Cisco ASA 5505 configured for NEM supports automatic tunnel initiation; the configuration must store the group name, user name, and password. Automatic tunnel initiation is disabled if secure unit authentication is enabled.

Fields

Enable Easy VPN Remote—Enables the Easy VPN Remote feature and makes available the rest of the fields on this window for configuration.

Mode—Selects either Client mode or Network extension mode.

Client mode—Uses Port Address Translation (PAT) mode to isolate the addresses of the inside hosts, relative to the client, from the enterprise network.

Network extension mode—Makes those addresses accessible from the enterprise network.


Note If the Easy VPN Remote is using NEM and has connections to secondary servers, establish an ASDM connection to each headend and check Enable Reverse Route Injection on the Configuration > VPN > IPSec > IPSec Rules > Tunnel Policy (Crypto Map) - Advanced dialog box to configure dynamic announcements of the remote network using RRI.


Auto connect—The Easy VPN Remote establishes automatic IPSec data tunnels unless both of the following are true: Network extension mode is configured locally, and split-tunneling is configured on the group policy pushed to the Easy VPN Remote. If both are true, checking this attribute automates the establishment of IPSec data tunnels. Otherwise, this attribute has no effect.

Group Settings—Specifies whether to use a pre-shared key or an X.509 certificate for user authentication.

Pre-shared key—Enables the use of a pre-shared key for authentication and makes available the subsequent Group Name, Group Password, and Confirm Password fields for specifying the group policy name and password containing that key.

Group Name—Specifies the name of the group policy to use for authentication.

Group Password—Specifies the password to use with the specified group policy.

Confirm Password—Requires you to confirm the group password just entered.

X.509 Certificate—Specifies the use of an X.509 digital certificate, supplied by a Certificate Authority, for authentication.

Select Trustpoint—Lets you select a configured trustpoint from the drop-down list. To define a trustpoint, click the link to Trustpoint(s) configuration at the bottom of this area.

Send certificate chain—Enables sending a certificate chain, not just the certificate itself. This action includes the root certificate and any subordinate CA certificates in the transmission.

User Settings—Configures user login information.

User Name—Configures the VPN username for the Easy VPN Remote connection. Xauth provides the capability of authenticating a user within IKE using TACACS+ or RADIUS. Xauth authenticates a user (in this case, the Easy VPN hardware client) using RADIUS or any of the other supported user authentication protocols. The Xauth username and password parameters are used when secure unit authentication is disabled and the server requests Xauth credentials. If secure unit authentication is enabled, these parameters are ignored, and the security appliance prompts the user for a username and password.

User Password—Configures the VPN user password for the Easy VPN Remote connection.

Confirm Password—Requires you to confirm the user password just entered.

Easy VPN Server To Be Added—Adds or removes an Easy VPN server. Any ASA or VPN 3000 Concentrator Series can act as an Easy VPN server. A server must be configured before a connection can be established. The security appliance supports IPv4 addresses, the names database, or DNS names, and resolves addresses in that order. The first server in the Easy VPN Server(s) list is the primary server. You can specify a maximum of ten backup servers in addition to the primary server.

Name or IP Address—The name or IP address of an Easy VPN server to add to the list.

Add—Moves the specified server to the Easy VPN Server(s) list.

Remove—Moves the selected server from the Easy VPN Server(s) list back to the Name or IP Address field. Once you do this, you cannot re-add the same address unless you re-enter it in the Name or IP Address field.

Easy VPN Server(s)—Lists the configured Easy VPN servers in priority order.

Move Up/Move Down—Changes the position of a server in the Easy VPN Server(s) list. These buttons are available only when there is more than one server in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)


Advanced Easy VPN Properties

Device Pass-Through

Certain devices, such as Cisco IP phones and printers, cannot perform authentication and therefore cannot participate in individual user authentication. To accommodate them, the device pass-through feature, configured through the MAC Exemption attributes, exempts devices with the specified MAC addresses from authentication when Individual User Authentication is enabled.

The first 24 bits of a MAC address (the OUI) identify the manufacturer of the device; the last 24 bits are the unit's identifier, in hexadecimal, assigned by that manufacturer.

Tunneled Management

When operating an ASA 5505 behind a NAT device, use the Tunneled Management attributes (the vpnclient management command in the CLI) to specify how to configure device management, in the clear or through the tunnel with additional IPSec encryption, and to specify the hosts or networks allowed to manage the Easy VPN Remote connection through the tunnel. The public address of the ASA 5505 is not accessible when behind the NAT device unless you add static NAT mappings on the NAT device.

Fields

MAC Exemption—Configures a set of MAC addresses and masks used for device pass-through for the Easy VPN Remote connection

MAC Address—Exempts the device with the specified MAC address from authentication. Enter the address as three groups of four hexadecimal digits separated by periods; for example, 45ab.ff36.9999.

MAC Mask—Uses the same format, three groups of four hexadecimal digits separated by periods. Each bit set in the mask must match between a device's address and the specified MAC address. The mask ffff.ffff.ffff matches just the specified MAC address; a mask of all zeroes matches no MAC address; and the mask ffff.ff00.0000 matches all devices made by the same manufacturer (the first 24 bits).

Add—Adds the specified MAC address and mask pair to the MAC Address/Mask list.

Remove—Moves the selected MAC address and mask pair from the MAC Address/Mask list back to the individual MAC Address and MAC Mask fields.
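
An added Python example (not from the ASDM guide or the security appliance) of how an exemption entry's address and mask select devices: a mask of ffff.ffff.ffff matches one device, ffff.ff00.0000 matches every device sharing the exempt address's 24-bit manufacturer prefix, and, following the statement above, an all-zero mask matches nothing. The helper that also accepts colon- or hyphen-separated MAC notation, and all function names, are this example's own.

```python
"""Added example: matching a device MAC address against a MAC Exemption entry."""
import re
from typing import Iterable, Tuple

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 45ab.ff36.9999, 45:ab:ff:36:99:99 or 45-ab-ff-36-99-99 and return the
    dotted form the MAC Address and MAC Mask fields use (an addition of this example)."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_to_int(mac: str) -> int:
    """48-bit integer value of a MAC address or mask in any accepted notation."""
    return int(normalize_mac(mac).replace(".", ""), 16)


def mac_matches(mac: str, exempt_mac: str, mask: str) -> bool:
    """Mask semantics from the text: ffff.ffff.ffff matches exactly one device,
    ffff.ff00.0000 matches every device with the same 24-bit manufacturer prefix,
    and an all-zero mask matches no device.  The last case is special-cased
    because the plain bitwise test would otherwise match every device."""
    m = mac_to_int(mask)
    if m == 0:
        return False
    return (mac_to_int(mac) & m) == (mac_to_int(exempt_mac) & m)


def is_exempt(mac: str, exemptions: Iterable[Tuple[str, str]]) -> bool:
    """True if any (address, mask) pair in the MAC Address/Mask list matches mac."""
    return any(mac_matches(mac, addr, mask) for addr, mask in exemptions)


if __name__ == "__main__":
    # Constructed exemption list: one exact phone, plus one whole manufacturer block
    exemptions = [("45ab.ff36.9999", "ffff.ffff.ffff"), ("0011.2233.0000", "ffff.ff00.0000")]
    for probe in ("45:AB:FF:36:99:99", "45ab.ff36.9998", "0011.22aa.bbcc", "0011.23aa.bbcc"):
        print(probe, "exempt" if is_exempt(probe, exemptions) else "must authenticate")
```

Because a MAC address is set by the device and is trivially cloned, every exemption is an authentication bypass for anyone on the inside network who copies an exempt address. Prefer exact ffff.ffff.ffff entries over manufacturer-wide masks, and review the list whenever a device is retired.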

Tunneled Management—Configures IPSec encryption for device management and specifies the network or networks allowed to manage the Easy VPN hardware client connection through the tunnel. Selecting Clear Tunneled Management merely removes that IPSec encryption level and does not affect any other encryption, such as SSH or https, that exists on the connection.

Enable Tunneled Management—Adds a layer of IPSec encryption to the SSH or HTTPS encryption already present in the management tunnel.

Clear Tunneled Management—Uses the encryption already present in the management tunnel, without additional encryption.

IP Address— Specifies the IP address of the host or network to which you want to grant administrative access to the Easy VPN hardware client through the VPN tunnel. You can individually add one or more IP addresses and their respective network masks.

Mask—Specifies the network mask for the corresponding IP address.

Add—Moves the specified IP address and mask to the IP Address/Mask list.

Remove—Moves the selected IP address and mask pair from the IP Address/Mask list to the individual IP Address and Mask fields in this area.

IP Address/Mask—Lists the configured IP address and mask pairs to be operated on by the Enable or Clear functions in this area.

IPSec Over TCP—Configures the Easy VPN Remote connection to use TCP-encapsulated IPSec.

Enable—Enables IPSec over TCP.


Note Choose Configuration > VPN > IPSec > Pre-Fragmentation, double-click the outside interface, and set the DF Bit Setting Policy to Clear if you configure the Easy VPN Remote connection to use TCP-encapsulated IPSec. The Clear setting lets the security appliance send large packets.


Enter Port Number—Specifies the port number to use for the IPSec over TCP connection.

Server Certificate—Configures the Easy VPN Remote connection to accept only connections to Easy VPN servers with the specific certificates specified by the certificate map. Use this parameter to enable Easy VPN server certificate filtering. To define a certificate map, go to Configuration > VPN > IKE > Certificate Group Matching > Rules.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed   Transparent    Single   Multiple (Context, System)