User Guide for Cisco Security Manager 4.0.1
Remote Access VPN Policy Reference

Table Of Contents

Remote Access VPN Policy Reference

Remote Access VPN Configuration Wizard

Access Page (ASA)

Connection Profile Page (ASA)

User Groups Selector Page

Create User Group Wizard

Gateway and Context Page (IOS)

Portal Page Customization Page

IPSec VPN Connection Profile Page (ASA)

IPSec Settings Page (ASA)

User Group Policy Page (IOS)

Defaults Page

ASA Cluster Load Balance Page

Connection Profiles Page

General Tab (Connection Profiles)

Add/Edit Interface Specific Client Address Pools Dialog Box

AAA Tab (Connection Profiles)

Add/Edit Interface Specific Authentication Server Groups Dialog Box

Secondary AAA Tab (Connection Profiles)

IPSec Tab (Connection Profiles)

IPSec Client Software Update Dialog Box

SSL Tab (Connection Profiles)

Add/Edit Connection Alias Dialog Box

Add/Edit Connection URL Dialog Box

Dynamic Access Page (ASA)

Add/Edit Dynamic Access Policy Dialog Box

Main Tab

Logical Operators Tab

Advanced Expressions Tab

Cisco Secure Desktop Manager Policy Editor Dialog Box

Global Settings Page

ISAKMP/IPsec Settings Tab

NAT Settings Tab

General Settings Tab

Group Policies Page

Public Key Infrastructure Page

Certificate to Connection Profile Maps > Policies Page

Certificate to Connection Profile Maps > Rules Page

Map Rule Dialog Box (Upper Table)

Map Rule Dialog Box (Lower Table)

High Availability Page

IKE Proposal Page

IPsec Proposal Page

IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)

VPNSM/VPN SPA Settings Dialog Box

Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor)

User Group Policy Page

SSL VPN Access Policy Page

Access Interface Configuration Dialog Box

SSL VPN Other Settings Page

Performance Tab

Content Rewrite Tab

Add/Edit Content Rewrite Dialog Box

Encoding Tab

Add/Edit File Encoding Dialog Box

Proxy Tab

Add/Edit Proxy Bypass Dialog Box

Plug-in Tab

Add/Edit Plug-in Entry Dialog Box

SSL VPN Client Settings Tab

Add/Edit AnyConnect Client Image Dialog Box

Add/Edit AnyConnect Client Profile Dialog Box

Advanced Tab

SSL VPN Shared License (ASA 8.2) Page

SSL VPN Policy Page (IOS)

SSL VPN Context Editor Dialog Box (IOS)

General Tab


Remote Access VPN Policy Reference


The Remote Access VPN policy pages are used to configure remote access VPNs on Cisco IOS security routers, PIX Firewalls, Catalyst 6500 /7600 devices, and Adaptive Security Appliance (ASA) devices.

This chapter contains the following topics:

Remote Access VPN Configuration Wizard

ASA Cluster Load Balance Page

Connection Profiles Page

Dynamic Access Page (ASA)

Global Settings Page

Group Policies Page

Public Key Infrastructure Page

Certificate to Connection Profile Maps > Policies Page

Certificate to Connection Profile Maps > Rules Page

High Availability Page

IKE Proposal Page

IPsec Proposal Page

User Group Policy Page

SSL VPN Access Policy Page

SSL VPN Other Settings Page

SSL VPN Shared License (ASA 8.2) Page

SSL VPN Policy Page (IOS)

Remote Access VPN Configuration Wizard

Use the Remote Access VPN Configuration wizard to configure your device with policies that enable it to act as a remote access SSL or IPSec VPN server.

Navigation Path

(Device view only) Select the desired device, and then select Remote Access VPN > Configuration Wizard from the Policy selector.

Related Topics

Using the Remote Access VPN Configuration Wizard, page 26-9

Field Reference

Table 27-1 Remote Access VPN Configuration Wizard 

Element
Description

Remote Access SSL VPN

Click this radio button to choose SSL as the type of remote access VPN to create. The wizard takes you through appropriate steps depending on the type of device selected:

ASA device

a. Access Page (ASA)

b. Connection Profile Page (ASA)

IOS device

a. Gateway and Context Page (IOS)

b. Portal Page Customization Page

Remote Access IPSec VPN

Click this radio button to choose IPSec as the type of remote access VPN to create. The wizard takes you through appropriate steps depending on the type of device selected:

ASA device

a. IPSec VPN Connection Profile Page (ASA)

b. IPSec Settings Page (ASA)

c. Defaults Page

IOS device

a. User Group Policy Page

b. Defaults Page

Remote Access Configuration Wizard button

Click this button to start the configuration wizard.


Access Page (ASA)

Use the Access page of the SSL VPN Configuration Wizard to configure the security appliance interfaces for SSL VPN sessions, select a port for SSL VPN connection profiles, and specify the URLs that will be displayed on the Portal page to access the connection profiles.

Navigation Path

(Device view only) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an ASA device. The Access page is the first page that appears.

Related Topics

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-12

Understanding Interface Role Objects, page 6-55

Field Reference

Table 27-2 SSL VPN Wizard—Access Page (ASA) 

Element
Description

Interfaces to Enable SSL VPN Service

Interfaces on which you want to enable the SSL VPN connection profiles. Enter an interface or click Select to select an interface role from a list.

Port Number

Port number to use for the SSL VPN sessions. Enter a port number or click Select to select a port list object that defines the port.

The default port is 443, for HTTPS traffic. The port number can be 443, or within the range of 1024-65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect.

Note If HTTP port redirection is enabled, the default HTTP port number is 80.

Portal Page URLs

URLs that will be displayed on the Portal page to access the SSL VPN connection profile.

Allow Users to Select Connection Profile in Portal Page

When selected, enables the user to select a tunnel group at login from a list of tunnel group connection profiles configured on the device. This is the default setting.

Enable AnyConnect Access

When selected, enables the AnyConnect functionality on the ASA device.

Note To enable AnyConnect Essentials, go to Remote Access VPN > SSL VPN > Access. For details, see Configuring an Access Policy, page 26-45.


Connection Profile Page (ASA)

Use the Connection Profile page in the SSL VPN Configuration wizard to configure the tunnel group policies on your security appliance. You can specify a name for the tunnel connection profile policy that you are adding, select the user group policy, specify address pools for this policy, and specify authentication server group settings.

Navigation Path

(Device view only) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an ASA device; then click Next until you reach this page.

Related Topics

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-12

ASA Group Policies Dialog Box, page 28-1

Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63

Understanding Network/Host Objects, page 6-62

Understanding AAA Server and Server Group Objects, page 6-20

Field Reference

Table 27-3 Connection Profile Page (ASA) 

Element
Description

Connection Profile Name

Name of the tunnel group that contains the policies for this SSL VPN connection profile. Enter a descriptive name.

Group Policy

Default ASA user group associated with the device. Enter an ASA user group policy or click Select to select one from a list or to create a new one.

Full Tunnel

Read-only field that indicates whether full tunnel access mode is configured for the user group.

Group Policies

Names of the ASA user group policies that will be used in your SSL VPN connection profile and whether Full Tunnel access mode is enabled or disabled for them.

Click Edit to select ASA user group policy objects from a list or to create new objects.

Note All SSL VPN connection profiles on an ASA device share one group policy. Each time you create a connection profile using the wizard, the Group Policies list may be populated with data from the previous connection profile defined on the device.

Portal Page Customization

Customization profile that defines the appearance of portal pages and resources available to remote access users on the SSL VPN network. Enter the name of a profile or click Select to select one from a list or to create a new one.

Note You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create an SSL VPN tunnel group called sales that uses that customization profile.

Connection URL

URL of the connection profile. This URL provides users with direct access to the customized portal page.

Select a protocol (http or https) from the list and specify the URL, including host name or IP address of the ASA device and port number and the alias used to identify the SSL VPN connection profile.

Note If you do not specify a URL, you can access the portal page by entering the portal page URL, and then selecting the connection profile alias from a list of configured connection profile aliases configured on the device. See Access Page (ASA).

Global IP Address Pool

Address pools from which IP addresses will be assigned. Enter the name of an address pool or click Select to select a network/host object that defines the pool.

The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.

Authentication Server Group

Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name or click Select to select the server group object or to create a new object.

Use LOCAL if Server Group Fails

Whether to fall back to the local database for authentication if the selected authentication server group fails.

Authorization Server Group

Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter the name or click Select to select the server group object or to create a new object.

Accounting Server Group

Name of the accounting server group. Enter the name or click Select to select the server group object or to create a new object.


User Groups Selector Page

Use this page to select the user group(s) that will be used in your SSL VPN connection.

Navigation Path

Depends on the type of device selected:

(IOS device) From the Gateway and Context Page (IOS), click Edit in the Group Policies field.

(ASA device) From the Connection Profile Page (ASA), click Edit in the Group Policies field.

Related Topics

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-10

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-12

Field Reference

Table 27-4 User Groups Selector Page 

Element
Description

Available User Groups

Lists predefined user groups available for selection. Select the required user groups and click >>.

If the required user group is not listed, click Create to create a user group. See Create User Group Wizard.

To modify the properties of a user group, select it and click Edit.

Selected User Groups

Lists the selected user groups.

To remove user groups from this list, select them and click <<.

To modify the properties of a user group, select it and click Edit.

Note To specify a user group as the default user group, select it and click Set As Default. This option is only available for IOS routers.


Create User Group Wizard

Use the Create User Group wizard to create a user group that will be configured on an IOS router or ASA device in your SSL VPN connection.

Navigation Path

From the User Groups Selector Page, click Create or select an item from one of the lists and click Edit.

This section contains the following topics:

Name and Access Method Page

Full Tunnel Dialog Box

Clientless and Thin Client Access Modes Page

Name and Access Method Page

Use this step of the Create User Group wizard to define a name for your user group, and optionally, select the remote access method(s) that will be used to access the SSL-enabled gateway (IOS router) or ASA security appliance.

Navigation Path

In the User Groups Selector Page, click Create.

Related Topics

Create User Group Wizard

SSL VPN Access Modes, page 26-4

Full Tunnel Dialog Box

Clientless and Thin Client Access Modes Page

Field Reference

Table 27-5 Create User Group Wizard—Name and Access Method Page 

Element
Description

Name

Name of the user group. Enter up to 128 characters, including uppercase and lowercase characters and most alphanumeric or symbol characters.

Access Method

Select the required remote access mode option(s), as follows:

Full Tunnel—To access to the corporate network completely over an SSL VPN tunnel. This is the recommended option.

Clientless—To access the internal or corporate network using a web browser on the client machine.

Thin Client—To download a Java applet that acts as a TCP proxy on the client machine.


Full Tunnel Dialog Box


Note This dialog box is only available if you selected the Full Client option in the Name and Access Method Page of the Create User Group wizard.


In this dialog box, you can configure the mode used to access the corporate network.

Navigation Path

Open the Create User Group Wizard, select the Full Client access method option, and then click Next.

Related Topics

Create User Group Wizard

SSL VPN Access Modes, page 26-4

Field Reference

Table 27-6 Create User Group Wizard—Full Tunnel Dialog Box 

Element
Description

Use Other Access Modes if SSL VPN Client Download Fails

When selected, enables the remote client to use clientless or thin client access modes if the SVC download fails.

Full Tunnel

When selected, enables the Full Tunnel access mode to be configured.

Note For the Full Tunnel access mode to work properly, the SSL VPN Client (SVC) software must be installed on the device. The SVC is managed using a FlexConfig policy. For more information, see Predefined FlexConfig Policy Objects, page 7-17.

Client IP Address Pools

Note Available only if the selected device is an IOS router.

IP address pools that clients draw from when they log on. Enter the IP address pools or click Select to select the network/host object from a list or to create a new object.

Primary DNS Server

IP address of the primary DNS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.

Secondary DNS Server

IP address of a secondary DNS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.

Default DNS Domain

Domain name of the DNS server to be used for Full Client SSL VPN connections.

Primary WINS Server

IP address of the primary WINS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.

Secondary WINS Server

IP address of a secondary WINS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.

Split Tunnel Option

Specifies the traffic that will be transmitted secured or unsecured across the public network:

Disabled—Split tunneling is disabled and no traffic will be secured.

Exclude Specified Networks—Split tunneling is enabled, and traffic to or from networks specified in the Networks field is transmitted unsecured.

Tunnel Specified Networks—Split tunneling is enabled, and traffic to or from networks specified in the Networks field is transmitted secured.

Destinations

Available if the selected device is an IOS router and split tunneling is enabled.

The specified networks to which traffic is transmitted secured or unencrypted, depending on the selected Split Tunneling option.

Multiple entries are separated by commas. You can enter host IP addresses, network addresses (for example, 10.100.10.0/24 or 10.100.10.0/255.255.255.0), or the names of network/host objects.

You can click Select to select network/host objects or to create new objects.

Networks

Note Available if the selected device is an ASA security appliance and split tunneling is enabled.

Name of the ACL object that defines network access.

Exclude Local LANs

Note Available if the selected device is an IOS router and split tunneling is enabled.

When selected, disallows a non split-tunneling connection to access the local subnetwork at the same time as the client.

Split DNS Names

List of domain names that must be tunneled or resolved to the private network. All other names will be resolved using the public DNS server.
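The split-tunnel fields above (Split Tunnel Option, Destinations, Split DNS Names) decide which traffic leaves the client in clear text, so a mistyped Destinations entry matters. The following is an added example, not code from the Security Manager guide or from Cisco: it parses the Destinations field in the forms the page allows (host, CIDR, dotted mask, network/host object name), classifies a destination under each Split Tunnel Option, and applies the Split DNS Names rule. It assumes tunnel-all semantics when split tunneling is Disabled and uses a hypothetical NETWORK_OBJECTS table in place of Security Manager's object lookup.

```python
"""Added example (not from the Cisco Security Manager guide): models the
Full Tunnel dialog's split-tunnel settings for an IOS router and evaluates
which destinations are sent through the tunnel and which names use the
private DNS server. Assumes tunnel-all when split tunneling is Disabled and
that object names in Destinations resolve through a hypothetical table."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical lookup table standing in for Security Manager network/host
# objects referenced by name in the Destinations field (constructed data).
NETWORK_OBJECTS: Dict[str, str] = {
    "corp-dc": "10.100.10.0/24",
    "mail-server": "10.100.20.5",
}

VALID_MODES = {"Disabled", "Exclude Specified Networks", "Tunnel Specified Networks"}


def parse_destinations(text: str, objects: Dict[str, str] = NETWORK_OBJECTS) -> List[ipaddress.IPv4Network]:
    """Parse the comma-separated Destinations field.

    Accepts host addresses (10.100.20.5), CIDR (10.100.10.0/24), dotted-mask
    (10.100.10.0/255.255.255.0) and network/host object names. Raises
    ValueError on anything else so a typo cannot silently widen or narrow
    what is excluded from the tunnel.
    """
    networks = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if item in objects:
            item = objects[item]
        try:
            # IPv4Network handles both prefix-length and dotted-mask forms;
            # strict=False tolerates host bits set in a network entry.
            networks.append(ipaddress.IPv4Network(item, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid Destinations entry {item!r}: {exc}") from exc
    return networks


@dataclass
class SplitTunnelPolicy:
    mode: str  # one of VALID_MODES, matching the Split Tunnel Option field
    destinations: List[ipaddress.IPv4Network] = field(default_factory=list)
    split_dns_names: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.mode not in VALID_MODES:
            raise ValueError(f"unknown split tunnel option {self.mode!r}")
        if self.mode != "Disabled" and not self.destinations:
            raise ValueError("split tunneling is enabled but Destinations is empty")

    def is_tunneled(self, dst: str) -> bool:
        """True if traffic to dst is sent secured through the SSL VPN tunnel."""
        addr = ipaddress.IPv4Address(dst)
        if self.mode == "Disabled":
            return True  # assumption: tunnel-all when split tunneling is off
        listed = any(addr in net for net in self.destinations)
        if self.mode == "Tunnel Specified Networks":
            return listed  # only the listed networks are secured
        return not listed  # Exclude: the listed networks bypass the tunnel

    def uses_private_dns(self, name: str) -> bool:
        """True if name (or a parent domain) is in Split DNS Names, so it is
        resolved by the private DNS server; all other names use public DNS."""
        labels = name.lower().rstrip(".").split(".")
        for suffix in self.split_dns_names:
            parts = suffix.lower().strip().rstrip(".").split(".")
            if parts == [""]:
                continue
            if labels[-len(parts):] == parts:
                return True
        return False


def unsecured_destinations(policy: SplitTunnelPolicy, dsts: List[str]) -> List[str]:
    """Review helper: destinations that would leave the client outside the tunnel."""
    return [d for d in dsts if not policy.is_tunneled(d)]
```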


Clientless and Thin Client Access Modes Page

In the Clientless and Thin Client page of the Create User group wizard, you can configure the Clientless and Thin Client modes to be used for accessing the corporate network in your SSL VPN.


Note This page is only available if you selected the Clientless or Thin Client options in step 1 of the Create User Group wizard (Name and Access Method Page).


Navigation Path

Open the Create User Group Wizard, select the Clientless or Thin Client access method options, and then click Next.

Related Topics

Create User Group Wizard

SSL VPN Access Modes, page 26-4

Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68

Add or Edit Port Forwarding List Dialog Boxes, page 28-42

Field Reference

Table 27-7 Create User Group Wizard—Clientless and Thin Client Page 

Element
Description

Clientless—Appears only if you selected Clientless in step 1 of the wizard.

Portal Page Websites

List of websites that are displayed on the portal page as a bookmark to enable users to access the resources available on the SSL VPN websites.

You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects.

Allow Users to Enter Websites

When selected, enables remote users to input the website URLs directly.

Thin Client—Appears only if you selected Thin Client in step 1 of the wizard.

Port Forwarding List

Port Forwarding List that defines the mapping of the port number on the client machine to the application's IP address and port behind the SSL VPN gateway.

You can click Select to open the Port Forwarding List Selector from which you can select the required Port Forwarding List from a list of Port Forwarding List objects.

Port Forwarding Applet Name

Available only if the selected device is an ASA security appliance.

Java applet that will be used as a TCP proxy on the client machine. The Java applet starts a new SSL connection for every client connection.

The Java applet initiates an HTTP request from the remote user client to the ASA device. The name and port number of the internal email server are included in the HTTP request. A TCP connection is created to that internal email server and port.

Download Port Forwarding Applet on Client Login

When selected, enables a port-forwarding Java applet to be automatically downloaded when the remote client logs in.


Gateway and Context Page (IOS)

A gateway and context must be configured on a device before a remote user can access resources on a private network behind the SSL VPN. Use this step of the SSL VPN Configuration wizard to specify a gateway and context configuration, including information that will allow users to access a portal page.

Navigation Path

(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an IOS device. The Gateway and Context page is the first page that appears.

Related Topics

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-10

Add or Edit SSL VPN Gateway Dialog Box, page 28-63

Understanding AAA Server and Server Group Objects, page 6-20

Field Reference

Table 27-8 Gateway and Context Page 

Element
Description

Gateway

Gateway to be used as a proxy for connections to the protected resources in your SSL VPN.

Options are:

Use Existing Gateway—When selected, enables you to use an existing gateway for your SSL VPN.

Create Using IP Address—When selected, enables you to configure a new gateway using a reachable (public static) IP address on the router.

Create Using Interface—When selected, enables you to configure a new gateway using the public static IP address of the router interface.

Gateway Name

Name of the SSL VPN gateway policy object. Enter the name of the gateway object or click Select to select it from a list or to create a new object.

Note After selecting the gateway, the port number and digital certificate required to establish a secure connection are displayed in the relevant fields.

Port

Note Available only if you selected to create a gateway using the router's IP address or interface.

Number of the port that will carry the HTTPS traffic (between 1024 and 65535). The default is 443, unless HTTP port redirection is enabled, in which case the default HTTP port number is 80.

Specify the port number or click Select to select a port list object from a list or to create a new object.

Trustpoint

Note Available only if you selected to create a new gateway using the router's IP address or interface.

Digital certificate required to establish a secure connection. If you do not configure a specific CA certificate, a self-signed certificate is generated when an SSL VPN gateway is activated. All gateways on the router can use the same certificate.

Context Name

Name of the context that identifies the resources needed to support the SSL VPN tunnel between the remote clients and the corporate or private intranet.

Tip To simplify management of multiple context configurations, it is recommended that you use the domain or virtual hostname for the context name.

Portal Page URL

URL that is displayed on the Portal page to access the SSL VPN gateway.

Group Policies

Names of the group policies used in your SSL VPN connection, and whether Full Tunnel access mode is enabled or disabled for them.

Enter a group policy name or click Edit to open the User Groups Selector Page.

Authentication Server Group

Name of the authentication server group (LOCAL if the users are defined on the local device).

Enter an authentication server group name or click Select to select a server group object from a list or to create a new object.

Authentication Domain

Specifies a list or method for SSL VPN remote user authentication.

Note If you do not specify a list or method, the SSL VPN gateway uses global AAA parameters for remote-user authentication.

Accounting Server Group

Name of the accounting server group.

Enter an accounting server group name or click Select to select a server group object from a list or to create a new object.


Portal Page Customization Page

Use this step of the SSL VPN Configuration wizard to define the appearance of the portal page that remote users see when connecting to the SSL VPN. The portal page allows remote users access to all websites available on the SSL VPN networks.

Navigation Path

(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an IOS device; then click Next until you reach this page.

Related Topics

Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-10

Field Reference

Table 27-9 Portal Page Customization Page 

Element
Description

Title

Title that is displayed in the title bar of the portal page.

The default title is "SSL VPN Service."

Logo

Logo to be displayed on the title bar of the SSL VPN login and portal page.

Options are:

None—No logo is displayed.

Default—To use the default logo.

Custom—When selected, enables you to specify your own logo. Specify the source image file for the logo in the Logo File field, or click Select to select an image file.

The source image file for the logo can be a gif, jpg, or png file, with a filename of up to 255 characters, and up to 100 kilobytes in size.

Login Message

Message that will be displayed to the user upon login.

Primary Title Color

Color of the title bars on the login and portal pages of the SSL VPN.

Click Select to open a dialog box in which you can choose the required color for the title bars.

Secondary Title Color

Color of the secondary title bars on the login and portal pages of the SSL VPN.

Click Select to open a dialog box in which you can choose the required color for the secondary title bars.

Primary Text Color

Color of the text on the title bars of the login and portal pages.

Options are white or black (the default).

Note The color of the text must be aligned with the color of the text on the title bar.

Secondary Text Color

Color of the text on the secondary title bars of the login and portal pages.

Options are white or black (the default).

Note The color of the text must be aligned with the color of the text on the secondary title bar.

Preview

A preview of how the portal page will appear.


IPSec VPN Connection Profile Page (ASA)

Use the Connection Profile page to configure the connection profile policies on your security appliance. You can specify a name for the connection profile policy that you are adding, select the user group policy, specify address pools for this policy, and specify authentication, authorization, and accounting server group settings.

Navigation Path

(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPsec VPN on an ASA device. The IPSec Connection Profile page is the first page that appears.

Related Topics

Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 26-14

Field Reference

Table 27-10 IPSec Connection Profile Page (ASA) 

Element
Description

Connection Profile Name

Name of the connection profile that contains the policies for this IPSec VPN connection profile.

Group Policy

Default group policy associated with the device. Enter a name or click Select to select the object from a list or to create a new object.

Global IP Address Pool

Address pools from which IP addresses are assigned. The server uses these address pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.

Enter the name of a network/host object or click Select to select the object from a list or to create a new object.

Authentication Server Group

Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter a name or click Select to select the server group from a list or to create a new object.

Use LOCAL if Server Group Fails

Whether to fall back to the local database for authentication if the selected authentication server group fails.

Authorization Server Group

Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter a name or click Select to select the server group from a list or to create a new object.

Accounting Server Group

Name of the accounting server group. Enter a name or click Select to select the server group from a list or to create a new object.


IPSec Settings Page (ASA)

Use the IPSec Settings page of the IPSec VPN Configuration Wizard to configure IPSec settings on your security appliance.

Navigation Path

(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPsec VPN on an ASA device; then click Next until you reach this page.

Related Topics

Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 26-14

Field Reference

Table 27-11 IPSec VPN Wizard—IPSec Settings (ASA) 

Element
Description

Preshared Key

The value of the preshared key for the tunnel group. The maximum length of a preshared key is 127 characters.

Note You must retype this value in the Confirm field.

Trustpoint Name

The trustpoint name if any trustpoints are configured. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

IKE Peer ID Validation

Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another.

Enable Sending Certificate Chain

When selected, enables the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair.

Enable Password Update with RADIUS Authentication

When selected, enables passwords to be updated with the RADIUS authentication protocol.

For more information, see Supported AAA Server Types, page 6-21.

ISAKMP Keepalive

Monitor Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.

For more information, see Understanding ISAKMP/IPsec Settings, page 22-13.

Confidence Interval

The number of seconds that a device waits between sending IKE keepalive packets.

Retry Interval

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Client Software Update

All Windows Platforms

When selected, enables you to configure the specific revision level and image URL of the VPN client on all Windows platforms.

Windows 95/98/ME

When selected, enables you to configure the specific revision level and image URL of the VPN client on Windows 95/98/ME platforms.

Windows NT4.0/2000/XP

When selected, enables you to configure the specific revision level and image URL of the VPN client on NT4.0/2000/XP platforms.

VPN3002 Hardware Client

When selected, enables you to configure the specific revision level and image URL of the VPN3002 hardware client.


User Group Policy Page (IOS)

Use the User Group Policy page to specify user groups for your remote access IPSec VPN server. You can configure user groups on a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500 /7600 device.

Navigation Path

(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPSec VPN on an IOS device; then click Next until you reach this page.

Related Topics

Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-11

Field Reference

Table 27-12 User Group Policy Page 

Element
Description

Available User Groups

Lists the predefined user groups available for selection.

Select the required user groups and click >>.

In Security Manager, user groups are objects. If the required user group is not in the list, click Create to open the User Groups Editor dialog box, which enables you to create or edit a user group object. See Add or Edit User Group Dialog Box, page 28-68.

Selected User Groups

Displays the selected user groups.

To remove a user group from this list, select it and click <<.

To modify the properties of a user group, select it and click Edit.


Defaults Page

Use the VPN Defaults page of the Remote Access IPSec Configuration Wizard to view and select the default site-to-site VPN policies that will be assigned to the VPN topology you are creating. For each policy type, you can assign either the factory default policy (a private policy) or a shared policy. When you click Finish, the selected policies are assigned to your device.

The drop-down lists for each policy type list the existing shared policies that you can select. You can select a policy and click the View Content button to see the definition of that policy. In some cases, you are allowed to make changes, but you cannot save them. The policy types listed differ based on device type.


Note If you try to select a default policy that is currently locked by another user, a message is displayed warning you of a lock problem. To bypass the lock, select a different policy or cancel the VPN topology creation until the lock is removed. For more information, see Understanding Policy Locking, page 5-7.


Navigation Path

(Device View) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPSec VPN and click Next until you reach this page.

Related Topics

Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-14

Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-11

Field Reference

Table 27-13 Defaults Page 

Element
Description

ASA Cluster Load Balance

Defines load balancing for an ASA device in your remote access VPN.

High Availability

Defines a High Availability (HA) policy on a Cisco IOS router in a remote access VPN.

Certificate to Connection Profile Map Policy

Defines the connection profile for your remote access VPN.

IKE Proposal

Defines the set of algorithms that two peers use to secure the IKE negotiation between them.

IPSec Proposal

Defines the crypto maps required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec SA.

Public Key Infrastructure

Defines the Public Key Infrastructure (PKI) policy used to generate PKI enrollment requests for PKI certificates and RSA keys.

VPN Global Settings

Defines global settings for IKE, IPsec, NAT, and fragmentation that apply to devices in your remote access VPN.


ASA Cluster Load Balance Page

Use the ASA Cluster Load Balance page to enable load balancing for an ASA device in your remote access VPN.


Note Load balancing requires an active 3DES/AES license. The ASA device checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the device prevents load balancing, and also prevents internal configuration of 3DES by the load balancing system.


Navigation Path

(Device View) Select an ASA device; then select Remote Access VPN > ASA Cluster Load Balance from the Policy selector.

(Policy View) Select Remote Access VPN > ASA Cluster Load Balance from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding Cluster Load Balancing (ASA), page 26-16

Configuring Cluster Load Balance Policies (ASA), page 26-17

Creating Interface Role Objects, page 6-56

Field Reference

Table 27-14 ASA Cluster Load Balance Page 

Element
Description

VPN Load Balancing

Participate in Load Balancing Cluster

Select to specify that the device belongs to the load-balancing cluster.

VPN Cluster Configuration

Cluster IP Address

The single IP address that represents the entire virtual cluster. The IP address should be in the same subnet as the external interface.

UDP Port

The UDP port for the virtual cluster in which the device is participating. If another application is using this port, enter the UDP destination port number that you want to use for load balancing.

The default is 9023.

Enable IPsec Encryption

Select this check box to ensure that all load-balancing information communicated between the devices is encrypted.

When the check box is selected, you must also specify and verify a shared secret. The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec.

IPsec Shared Secret

The shared secret to be communicated between IPsec peers if you enabled IPsec encryption. This can be a case-sensitive value between 4 and 16 characters, without spaces.

Priority

Accept default device value

When selected (the default), accepts the default priority value assigned to the device.

Configure same priority on all devices in the cluster

When selected, enables you to configure the same priority value to all the devices in the cluster. The priority indicates the likelihood of this device becoming the virtual cluster master, either at startup or when the existing master fails.

Enter a value between 1 and 10.

VPN Server Configuration

Public interfaces

The public interfaces to be used on the server.

Interfaces are predefined objects. Click Select to open a dialog box that lists all available interfaces and the sets of interfaces defined by interface roles; there you can make your selection or create interface role objects.

Private Interfaces

The private interfaces to be used on the server.

Interfaces are predefined objects. Click Select to open a dialog box that lists all available interfaces and the sets of interfaces defined by interface roles; there you can make your selection or create interface role objects.

Send FQDN to client instead of an IP address when redirecting

When selected, enables redirection using an FQDN on an ASA device configured with load balancing. For more information, see Understanding Cluster Load Balancing (ASA), page 26-16.

This check box is available only for ASA devices running 8.0.2 or later.
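The field reference above states several constraints that must hold together (cluster address in the external interface's subnet, a 4 to 16 character shared secret without spaces whenever IPsec encryption is enabled, a priority of 1 to 10). The following Python function is an added example that checks a proposed set of values against those constraints before they are pushed to a device; it is not Security Manager's or the ASA's own validation code, and the CIDR form used for the external interface address and the problem codes it returns are choices made for this example.

```python
import ipaddress

# Default UDP port for the virtual cluster, as stated in the field reference.
DEFAULT_CLUSTER_UDP_PORT = 9023


def validate_cluster_settings(cluster_ip, external_interface, udp_port=DEFAULT_CLUSTER_UDP_PORT,
                              ipsec_encryption=False, shared_secret=None, confirm_secret=None,
                              priority=None):
    """Check ASA Cluster Load Balance values against the constraints the field
    reference states and return a list of problem codes (empty list = consistent).

    cluster_ip         -- the virtual cluster IP address
    external_interface -- the external (public) interface address in CIDR form,
                          e.g. '198.51.100.1/24' (form chosen for this example)
    priority           -- None when 'Accept default device value' is selected
    """
    problems = []

    # The cluster address must lie in the same subnet as the external interface.
    iface = ipaddress.ip_interface(external_interface)
    if ipaddress.ip_address(cluster_ip) not in iface.network:
        problems.append("cluster_ip_not_in_external_subnet")

    # Any UDP port may be chosen, but it must still be a valid port number.
    if not 1 <= int(udp_port) <= 65535:
        problems.append("udp_port_out_of_range")

    # With IPsec encryption enabled the shared secret is mandatory:
    # 4 to 16 characters, no spaces, case-sensitive, and confirmed exactly.
    if ipsec_encryption:
        if not shared_secret:
            problems.append("shared_secret_missing")
        else:
            if not 4 <= len(shared_secret) <= 16:
                problems.append("shared_secret_length")
            if " " in shared_secret:
                problems.append("shared_secret_contains_space")
            if confirm_secret != shared_secret:  # exact, case-sensitive comparison
                problems.append("shared_secret_confirmation_mismatch")

    # An explicitly configured priority must be between 1 and 10.
    if priority is not None and not 1 <= int(priority) <= 10:
        problems.append("priority_out_of_range")

    return problems


if __name__ == "__main__":
    # Constructed sample values; the second call deliberately violates several rules.
    print(validate_cluster_settings("198.51.100.10", "198.51.100.1/24",
                                    ipsec_encryption=True, shared_secret="Cluster-Key1",
                                    confirm_secret="Cluster-Key1", priority=5))
    print(validate_cluster_settings("203.0.113.10", "198.51.100.1/24", udp_port=70000,
                                    ipsec_encryption=True, shared_secret="bad key",
                                    confirm_secret="Bad key", priority=11))
```

Running the check before deployment catches the common mistake of a cluster address on the wrong subnet, which the appliance would otherwise reject at apply time.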


Connection Profiles Page

Use the Connection Profiles page to manage connection profile policies for remote access VPN or Easy VPN topologies. Use of this policy differs depending on the type of VPN you are configuring:

Remote access SSL VPN—The policy is used only for ASA devices. You can create multiple profiles, and configure settings on all tabs of the Connection Profiles dialog box.

Remote access IPSec VPN—The policy is used for ASA devices and PIX Firewalls running PIX 7.0+ software. You can create multiple profiles, but only the General, AAA, and IPSec tabs on the Connection Profiles dialog box apply to this configuration (in some cases, you will see only these tabs).

Easy VPN topologies—The policy is used for Easy VPN servers (hubs) that are ASA devices or PIX Firewalls running PIX 7.0+ software. You can create only a single profile, so the policy page embeds the Connection Profiles dialog box directly, giving you immediate access to the tabs that define the profile. Only the General, AAA, and IPSec tabs apply.

For remote access IPSec and SSL VPNs:

To add a profile, click the Add Row button and fill in the Connection Profiles dialog box.

To edit an existing profile, select it and click the Edit Row button.

To delete a profile, select it and click the Delete Row button.

The connection profile consists of the following tabs. Configure them as appropriate for the type of VPN you are configuring.

General Tab (Connection Profiles)

AAA Tab (Connection Profiles)

Secondary AAA Tab (Connection Profiles) (SSL VPN only)

IPSec Tab (Connection Profiles)

SSL Tab (Connection Profiles) (SSL VPN only)

Navigation Path

Remote access VPNs:

(Device View) Select an ASA or PIX 7+ device and select Remote Access VPN > Connection Profiles from the Policy selector.

(Policy View) Select Remote Access VPN > Connection Profiles (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Easy VPN:

From the Site-to-Site VPN Manager Window, page 21-17, select the Easy VPN topology and then select Connection Profiles (PIX7.0/ASA).

(Device view) Select a device that participates in the Easy VPN topology and select Site to Site VPN from the Policy selector. Select the Easy VPN topology and click Edit VPN Policies to open the Site-to-Site VPN Manager Window, page 21-17, where you can select the policy.

(Policy view) Select Site-to-Site VPN > Connection Profiles (PIX7.0/ASA). Select an existing policy or create a new one.

This section contains the following topics:

General Tab (Connection Profiles)

AAA Tab (Connection Profiles)

Secondary AAA Tab (Connection Profiles)

IPSec Tab (Connection Profiles)

SSL Tab (Connection Profiles)

General Tab (Connection Profiles)

Use the General tab of the Connection Profiles dialog box to configure the basic properties for a VPN Connection Profile policy.

Navigation Path

From the Connection Profiles Page, click the Add button or select an entry and click the Edit button. For Easy VPN topologies, simply select the policy. Click the General tab if necessary.

Related Topics

Configuring Connection Profiles (ASA), page 26-18

ASA Group Policies Dialog Box, page 28-1

Understanding Network/Host Objects, page 6-62

Configuring a Connection Profile Policy for Easy VPN, page 24-11

Understanding Easy VPN, page 24-1

Field Reference

Table 27-15 Connection Profile General Tab 

Element
Description

Connection Profile Name

The name of the tunnel group that contains the policies for this connection profile.

Group Policy

If required, the name of the ASA group policy object that defines the default user group associated with the connection profile. A group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS/LDAP server.

Click Select to select an existing object or to create a new one.

Client Address Assignment

DHCP Servers

The DHCP servers to be used for client address assignments. The servers are used in the order listed.

Enter the IP addresses of the DHCP servers or the names of network/host policy objects that define the DHCP server addresses. Click Select to select existing network/host objects or to create new ones. Separate multiple entries with commas.

Global IP Address Pool

The address pools from which IP addresses will be assigned to clients if no pool is specified for the interface to which the client connects. Address pools are typically entered as a range of addresses, such as 10.100.12.2-10.100.12.254. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.

Enter the address pool ranges or the names of network/host objects that define these pools. Click Select to select existing network/host objects or to create new ones. Separate multiple entries with commas.

Interface-Specific Address Pools table

If you want to configure separate IP address pools for specific interfaces, so that clients connecting through that interface use a pool different from the global pool, add the interface to this table and configure the separate pool. Any interface not listed here uses the global pool.

To add an interface-specific address pool, click the Add Row button and fill in the Add/Edit Interface Specific Client Address Pools Dialog Box.

To edit an interface pool, select it and click the Edit Row button.

To delete an interface, select it and click the Delete Row button.
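The Global IP Address Pool and Interface-Specific Address Pools fields above describe an allocation order: pools are consumed in the order listed, the next pool is used only once the previous one is exhausted, and an interface listed in the table uses its own pool instead of the global ones. The Python class below is an added example that models that behaviour so the interaction can be reasoned about; it is not Security Manager or ASA code. The pool ranges and interface names are constructed sample values, and the rule that an exhausted interface-specific pool does not fall back to the global pools is an assumption of the example.

```python
import ipaddress

# The General tab allows up to 6 global address pools.
MAX_GLOBAL_POOLS = 6


def parse_pool(spec):
    """Expand a pool written as 'first-last' (e.g. '10.100.12.2-10.100.12.254',
    the form shown in the field reference) into a list of addresses."""
    first_txt, sep, last_txt = spec.partition("-")
    if not sep:
        raise ValueError(f"pool {spec!r} is not a first-last range")
    first = ipaddress.ip_address(first_txt.strip())
    last = ipaddress.ip_address(last_txt.strip())
    if last < first:
        raise ValueError(f"pool {spec!r} ends before it starts")
    return [ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)]


class ClientAddressAssigner:
    """Hand out client addresses as the field reference describes: pools are
    used in the order listed, a later pool is used only after the earlier ones
    are exhausted, and an interface in the interface-specific table uses its
    own pool instead of the global pools."""

    def __init__(self, global_pools, interface_pools=None):
        if len(global_pools) > MAX_GLOBAL_POOLS:
            raise ValueError(f"at most {MAX_GLOBAL_POOLS} global pools are allowed")
        self.global_pools = [parse_pool(p) for p in global_pools]
        # interface name -> list of pools (the dialog box assigns one pool per interface)
        self.interface_pools = {name: [parse_pool(p)]
                                for name, p in (interface_pools or {}).items()}
        self.in_use = set()

    def assign(self, interface):
        """Return the next free address (as a string) for a client connecting on
        `interface`, or None when every applicable pool is exhausted.
        Assumption: an exhausted interface-specific pool does not fall back
        to the global pools."""
        pools = self.interface_pools.get(interface, self.global_pools)
        for pool in pools:               # order listed = order used
            for addr in pool:
                if addr not in self.in_use:
                    self.in_use.add(addr)
                    return str(addr)
        return None

    def release(self, addr):
        """Return an address to its pool when the client disconnects."""
        self.in_use.discard(ipaddress.ip_address(addr))


if __name__ == "__main__":
    # Constructed sample: two tiny global pools and one interface-specific pool.
    assigner = ClientAddressAssigner(
        ["10.100.12.2-10.100.12.3", "10.100.13.2-10.100.13.2"],
        {"outside": "192.0.2.10-192.0.2.11"})
    for iface in ("outside", "dmz", "dmz", "dmz", "dmz"):
        print(iface, assigner.assign(iface))
```

Exhausting the first global pool in the sample shows the spill into the second pool, and a fifth request on an interface that uses the global pools returns None, which is the situation to watch for in the appliance's address-assignment logs.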


Add/Edit Interface Specific Client Address Pools Dialog Box

Use the Add/Edit Interface Specific Client Address Pools dialog box to configure interface-specific client address pools for your connection profile policy.

Navigation Path

Open the General Tab (Connection Profiles), then click Add Row below the Interface-Specific Address Pools table, or select a row in the table and click Edit Row.

Related Topics

Creating Interface Role Objects, page 6-56

Creating Network/Host Objects, page 6-64

Field Reference

Table 27-16 Add/Edit Interface Specific Client Address Pools Dialog Box 

Element
Description

Interface

The interface to assign a client address to.

You can click Select to open a dialog box that lists all available interfaces and interface roles, from which you can make your selection or create interface role objects.

Address Pool

The address pool to be used to assign a client address to the selected interface.

Address pools are predefined network objects. You can click Select to open a dialog box that lists all available network hosts, and in which you can create or edit network host objects.


AAA Tab (Connection Profiles)

Use the AAA tab of the Connection Profile dialog box to configure the AAA authentication parameters for a connection profile policy.

Navigation Path

From the Connection Profiles Page, click the Add button or select an entry and click the Edit button; then select the AAA tab. For Easy VPN topologies, simply click the AAA tab.

Related Topics

Configuring Connection Profiles (ASA), page 26-18

Understanding AAA Server and Server Group Objects, page 6-20

Configuring a Connection Profile Policy for Easy VPN, page 24-11

Understanding Easy VPN, page 24-1

Field Reference

Table 27-17 Connection Profile AAA Tab 

Element
Description

Authentication Method

Whether to authenticate connections using AAA, certificates, or both. If you select Certificate, many of the options on the dialog box are greyed out and do not apply.

Authentication Server Group

The name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

If you want to use different authentication server groups based on the interface to which the client connects, configure the server groups in the Interface-Specific Authentication Server Groups table at the bottom of this tab (described below).

Use LOCAL if Server Group Fails

Whether to fall back to the local database for authentication if the selected authentication server group fails.

Authorization Server Group

The name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

Users must exist in the authorization database to connect

Whether to require that the client's username exist in the authorization database before a connection is allowed. If the username does not exist in the authorization database, the connection is denied.

Accounting Server Group

Name of the accounting server group. Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

Strip Realm from Username

Strip Group from Username

Whether to remove the realm or group name from the username before passing the username on to the AAA server. A realm is an administrative domain. Enabling these options allows the authentication to be based on the username alone.

You can enable any combination of these options. However, you must select both check boxes if your server cannot parse delimiters.

Override Account-Disabled Indication from AAA Server

Whether to override the "account-disabled" indicator from a AAA server. This configuration is valid for servers, such as RADIUS with NT LDAP, and Kerberos, that return an "account-disabled" indication.

If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

Enable Notification Upon Password Expiration to Allow User to Change Password

Enable Notification Prior to Expiration

Notify Prior to Expiration

Whether to have the security appliance notify the remote user at login that the current password is about to expire or has expired, and to then offer the user the opportunity to change the password.

If you want to give the user prior warning of an impending password expiration, select Enable Notification Prior to Expiration and specify the number of days prior to expiration that you want to start notifications (1 to 180 days). You can use this option with AAA servers that support such notification—RADIUS, RADIUS with an NT server, and LDAP servers. There is no prior notification for other types of servers.

Distinguished Name (DN) Authorization Setting

How you want to use the distinguished name for authorization. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication. Select from the following options to determine how the DN is used during authorization:

Use Entire DN as the Username—Use the entire DN; do not focus on any one field.

Specify Individual DN fields as the Username—Focus on specific fields. Select a primary field, and optionally, a secondary field. The default is to use only the user identification (UID) field.

Interface-Specific Authentication Server Groups table

If you want to configure separate authentication server groups for specific interfaces, so that clients connecting through that interface use a server group different from the global group, add the interface to this table and configure the separate group. Any interface not listed here uses the global authentication server group. The table shows the server group and whether you are falling back to local authentication if the server group is not available.

To add an interface-specific authentication group to the list, click the Add Row button and fill in the Add/Edit Interface Specific Authentication Server Groups Dialog Box.

To edit an interface setting, select it and click the Edit Row button.

To delete an interface setting, select it and click the Delete Row button.
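The Strip Realm/Strip Group options and the Distinguished Name (DN) Authorization Setting above both determine which username string actually reaches the AAA server. The Python functions below are an added example of those two transformations, written to make the options concrete; they are not Security Manager or ASA code. The '@' realm delimiter, the default '#' group delimiter, the order in which the two strips are applied, the comma used to join a primary and secondary DN field, and the sample DN are all assumptions of this example.

```python
# Assumed delimiters for this example: '@' introduces the realm (an administrative
# domain such as 'example.com'); the group delimiter is configurable on the
# security appliance, so it is a parameter below.
REALM_DELIMITER = "@"


def strip_realm(username):
    """Drop '@realm' and everything after it."""
    return username.split(REALM_DELIMITER, 1)[0]


def strip_group(username, group_delimiter="#"):
    """Drop the group name introduced by the group delimiter."""
    return username.split(group_delimiter, 1)[0]


def username_for_aaa(username, strip_realm_flag=False, strip_group_flag=False,
                     group_delimiter="#"):
    """Apply 'Strip Group from Username' and then 'Strip Realm from Username'
    before the name is passed to the AAA server (the order is an assumption
    of this example). With both flags clear the name is passed unchanged,
    which only works if the server can parse the delimiters itself."""
    if strip_group_flag:
        username = strip_group(username, group_delimiter)
    if strip_realm_flag:
        username = strip_realm(username)
    return username


def parse_dn(dn):
    """Split a distinguished name into ordered (ATTRIBUTE, value) pairs,
    honouring backslash-escaped commas inside values."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_username(dn, use_entire_dn=False, primary_field="UID", secondary_field=None):
    """Derive the authorization username from a certificate DN according to the
    DN Authorization Setting: the whole DN, or the primary field (default UID)
    optionally combined with a secondary field. If the same attribute occurs
    more than once, the last occurrence wins (simplification of this example)."""
    if use_entire_dn:
        return dn
    fields = dict(parse_dn(dn))
    try:
        name = fields[primary_field.upper()]
        if secondary_field:
            name = f"{name},{fields[secondary_field.upper()]}"   # join format assumed
    except KeyError as missing:
        raise ValueError(f"DN {dn!r} has no {missing} field") from None
    return name


if __name__ == "__main__":
    # Constructed sample inputs.
    print(username_for_aaa("jdoe#eng@example.com", strip_realm_flag=True, strip_group_flag=True))
    sample_dn = "UID=jdoe,CN=John Doe,OU=Eng,O=Example\\, Inc,C=US"
    print(dn_username(sample_dn), "|", dn_username(sample_dn, primary_field="CN", secondary_field="OU"))
```

The escaped-comma handling matters in practice: an organisation name such as "Example, Inc" is legal in a DN, and a naive split on commas would produce a wrong field list and therefore a wrong authorization lookup.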


Add/Edit Interface Specific Authentication Server Groups Dialog Box

Use the Add/Edit Interface Specific Authentication Server Groups dialog box to configure interface-specific authentication for your connection profile policy. This setting overrides the global authentication server group settings if the client connects to the specified interface.

If you are configuring the secondary AAA server for an SSL VPN on an ASA device, the settings are specifically used for the secondary set of credentials that the user enters; this is reflected in the name of the dialog box.

Navigation Path

Open the AAA Tab (Connection Profiles) or the Secondary AAA Tab (Connection Profiles), then click Add Row below the (Secondary) Interface Specific Authentication Server Groups table, or select a row in the table and click Edit Row.

Related Topics

Configuring Connection Profiles (ASA), page 26-18

Understanding Interface Role Objects, page 6-55

Understanding AAA Server and Server Group Objects, page 6-20

Field Reference

Table 27-18 Add/Edit (Secondary) Interface Specific Authentication Server Groups 

Element
Description

Interface

The name of the interface or interface role (that identifies the interfaces) for which you are configuring an authentication server group. Click Select to select an interface or interface role or to create a new interface role.

Server Group

The name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

When you are configuring secondary AAA, this group is used specifically for the second credentials. You can specify different server groups for primary and secondary credentials.

Use LOCAL if Server Group Fails

Whether to fall back to the local database for authentication if the selected authentication server group fails.

Use Primary Username

(Secondary authentication only; SSL VPN on ASA 8.2+ only.)

Whether to use the same username for the secondary credentials that was used for the primary credentials. If you select this option, after users authenticate with their primary credentials, they are prompted for the secondary password only. If you do not select this option, the secondary prompt requires both a username and password.


Secondary AAA Tab (Connection Profiles)

Use the Secondary AAA tab to configure the secondary AAA authentication parameters for an SSL VPN connection profile policy for use with ASA 8.2+ devices. These settings do not apply to remote access IPSec VPNs or Easy VPN topologies or to other device types.

Navigation Path

From the Connection Profiles Page, click the Add button or select an entry and click the Edit button; then select the Secondary AAA tab.

Related Topics

Configuring Connection Profiles (ASA), page 26-18

Field Reference

Table 27-19 Connection Profile Secondary AAA Tab 

Element
Description

Enable Double Authentication

Whether to enable double authentication, which prompts the user for two sets of credentials (username and password) before completing the SSL VPN connection.

Secondary Authentication Server Group

The name of the authentication server group (LOCAL if the tunnel group is configured on the local device) to be used with the second set of credentials. Enter the name of a AAA server group object or click Select to select it from a list or to create a new object.

If you want to use different authentication server groups based on the interface to which the client connects, configure the server groups in the Secondary Interface-Specific Authentication Server Groups table at the bottom of this tab (described below).

Use LOCAL if Server Group Fails

Whether to fall back to the local database for authentication if the selected authentication server group fails.

Use Primary Username for Secondary Authentication

Whether to use the same username for the secondary credentials that was used for the primary credentials. If you select this option, after users authenticate with their primary credentials, they are prompted for the secondary password only. If you do not select this option, the secondary prompt requires both a username and password.

Username for Session

The username that the software will use for the user session, either the primary or secondary name. If you prompt for the primary name only, select primary.

Note By default, if there is more than one username, AnyConnect remembers both usernames between sessions. In addition, the head-end device might offer a feature to allow for administrative control over whether the client remembers both or neither usernames.

Authorization Authentication Server

The server to use for authorization, either the primary authentication server (defined on the AAA tab) or the secondary authentication server configured on this tab.

Distinguished Name (DN) Secondary Authorization Setting

How you want to use the distinguished name for authorization. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication. Select from the following options to determine how the DN is used during authorization:

Use Entire DN as the Username—Use the entire DN; do not focus on any one field.

Specify Individual DN fields as the Username—Focus on specific fields. Select a primary field, and optionally, a secondary field. The default is to use only the user identification (UID) field.

Secondary Interface-Specific Authentication Server Groups table

If you want to configure separate secondary authentication server groups for specific interfaces, so that clients connecting through that interface use a server group different from the global group, add the interface to this table and configure the separate group. Any interface not listed here uses the global authentication server group. The table shows the server group and whether you are falling back to local authentication if the server group is not available.

To add a secondary interface-specific authentication group to the list, click the Add Row button and fill in the Add/Edit Interface Specific Authentication Server Groups Dialog Box.

To edit an interface setting, select it and click the Edit Row button.

To delete an interface setting, select it and click the Delete Row button.
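The Secondary AAA tab, together with the AAA tab it builds on, describes a decision sequence: pick the server group for the interface the client arrived on (interface-specific table first, global group otherwise), fall back to LOCAL only when the group fails to answer and that option is set, then, if double authentication is enabled, repeat the process with the secondary settings and decide which username is kept for the session. The Python model below is an added example of that sequence; it is not Security Manager or ASA code, and the server group names, user credentials and interface names are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class ServerGroup:
    """Stand-in for an AAA server group object (constructed, not a real server)."""
    name: str
    credentials: dict            # username -> password (constructed sample data)
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            raise ConnectionError(f"server group {self.name} did not respond")
        return self.credentials.get(username) == password


# The local user database that 'Use LOCAL if Server Group Fails' falls back to.
LOCAL = ServerGroup("LOCAL", {"admin": "local-pw"})


@dataclass
class AuthSettings:
    """One tab's settings: the global server group, its LOCAL-fallback flag and
    the interface-specific overrides table."""
    server_group: ServerGroup
    use_local_if_fails: bool = False
    interface_groups: dict = field(default_factory=dict)  # interface -> (ServerGroup, use_local)

    def for_interface(self, interface):
        # An interface not listed in the table uses the global group.
        return self.interface_groups.get(interface, (self.server_group, self.use_local_if_fails))


def check_credentials(settings, interface, username, password):
    group, use_local = settings.for_interface(interface)
    try:
        return group.authenticate(username, password)
    except ConnectionError:
        # Fallback applies only when the group fails, never on a wrong password.
        return LOCAL.authenticate(username, password) if use_local else False


def connect(primary, interface, username, password, secondary=None,
            secondary_username=None, secondary_password=None,
            use_primary_username=False, session_username="primary"):
    """Run primary and, when `secondary` is given (double authentication enabled),
    secondary authentication; return the outcome and the session username."""
    if not check_credentials(primary, interface, username, password):
        return {"authenticated": False, "stage": "primary"}
    if secondary is None:
        return {"authenticated": True, "session_username": username}

    # With 'Use Primary Username' the user is prompted for the second password only.
    second_user = username if use_primary_username else secondary_username
    if not check_credentials(secondary, interface, second_user, secondary_password):
        return {"authenticated": False, "stage": "secondary"}
    session = username if session_username == "primary" else second_user
    return {"authenticated": True, "session_username": session}


def build_sample_settings():
    """Constructed sample: a RADIUS-like primary group, an unreachable LDAP-like
    group for the 'outside' interface that falls back to LOCAL, and an OTP-like
    secondary group."""
    radius = ServerGroup("RADIUS-CORP", {"jdoe": "pw1"})
    ldap_outside = ServerGroup("LDAP-DMZ", {}, reachable=False)
    otp = ServerGroup("OTP", {"jdoe": "123456", "jdoe-otp": "654321"})
    primary = AuthSettings(radius, interface_groups={"outside": (ldap_outside, True)})
    secondary = AuthSettings(otp)
    return primary, secondary


if __name__ == "__main__":
    primary, secondary = build_sample_settings()
    print(connect(primary, "outside", "admin", "local-pw"))          # LDAP down -> LOCAL
    print(connect(primary, "inside", "jdoe", "pw1", secondary=secondary,
                  secondary_password="123456", use_primary_username=True))
```

The sample makes the security-relevant corner visible: when the interface-specific group is down and LOCAL fallback is enabled, only accounts that exist in the local database can get in, so a user who is valid on the external server is refused rather than silently admitted.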


IPSec Tab (Connection Profiles)

Use the IPsec tab of the Connection Profiles page to specify IPsec and IKE parameters for the connection policy.

Navigation Path

From the Connection Profiles Page, click the Add Row button or select an entry and click the Edit Row button; then select the IPSec tab. For Easy VPN topologies, simply click the IPSec tab.

Related Topics

Configuring Connection Profiles (ASA), page 26-18

Configuring a Connection Profile Policy for Easy VPN, page 24-11

Understanding Easy VPN, page 24-1

Field Reference

Table 27-20 Connection Profiles IPsec Tab 

Element
Description

Preshared Key

The value of the preshared key for the connection profile. The maximum length of a preshared key is 127 characters. Enter the key again in the Confirm field.

Trustpoint Name

The name of the PKI enrollment policy object that defines the trustpoint name if any trustpoints are configured. A trustpoint represents a Certificate Authority (CA)/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.

Click Select to select the object from a list or to create a new object.

IKE Peer ID Validation

Select whether IKE peer ID validation is ignored (Do not check), required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another.

Enable Sending Certificate Chain

Whether to enable the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair.

Enable Password Update with RADIUS Authentication

Whether to enable passwords to be updated with the RADIUS authentication protocol. For more information, see Supported AAA Server Types, page 6-21.

ISAKMP Keepalive

Whether to monitor ISAKMP keepalive. If you select the Monitor Keepalive option, you can configure IKE keepalive as the default failover and routing mechanism. Enter the following parameters:

Confidence Interval—The number of seconds that a device waits between sending IKE keepalive packets.

Retry Interval—The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

For more information, see Understanding ISAKMP/IPsec Settings, page 22-13.

Client Software Update table

The VPN client revision level and URLs for client platforms. You can configure different revision levels for All Windows Platforms, Windows 95/98/ME, Windows NT4.0/2000/XP, or the VPN3002 Hardware Client.

To configure the client for a platform, select it, click the Edit Row button, and fill in the IPSec Client Software Update Dialog Box.


IPSec Client Software Update Dialog Box

Use the IPsec Client Software Update dialog box to configure the specific revision level and image URL of a VPN client.

Navigation Path

From the IPSec Tab (Connection Profiles), select a client type in the Client Software Update table and click Edit.

Related Topics

Connection Profiles Page

Configuring Connection Profiles (ASA), page 26-18

Field Reference

Table 27-21 IPSec Client Software Update Dialog Box 

Element
Description

Client Type

Type of client being modified.

Client Revisions

Revision level of the client.

Image URL

URL of the client software image.


SSL Tab (Connection Profiles)

Use the SSL tab of the Connection Profile dialog box to configure the WINS servers for the connection profile policy, to select a customized look and feel for the SSL VPN end-user logon web page, to specify the DHCP servers used for client address assignment, and to associate interfaces with client IP address pools. These settings do not apply to remote access IPSec VPNs or Easy VPN topologies.

Navigation Path

From the Connection Profiles Page, click the Add button or select an entry and click the Edit button; then select the SSL tab.

Related Topics

Configuring Connection Profiles (ASA), page 26-18

Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL VPNs, page 26-73

Understanding Network/Host Objects, page 6-62

Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63

Field Reference

Table 27-22 Connection Profile SSL Tab 

Element
Description

WINS Servers List

The name of the WINS (Windows Internet Naming Server) servers list to use for CIFS name resolution.

SSL VPN uses the CIFS protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific WINS server name that identifies a resource on the network.

A WINS servers list defines a list of WINS servers, which are used to translate Windows file server names to IP addresses. The security appliance queries the WINS servers to map WINS names to IP addresses. You must configure at least one, and up to three WINS servers for redundancy. The security appliance uses the first server on the list for WINS/CIFS name resolution. If the query fails, it uses the next server.

WINS server lists are predefined objects. If you want to use a different WINS servers list, click Select to open the WINS Server List Selector dialog box that lists all available WINS Servers list objects, and in which you can create WINS Servers list objects.

DNS Group

The DNS group to use for the SSL VPN tunnel group. The DNS group resolves the hostname to the appropriate DNS server for the tunnel group.

Portal Page Customization

Specify the default SSL VPN customization profile in the field provided. This profile defines the appearance of the portal page that allows the remote user access to all resources available on the SSL VPN networks.

Note You can set up different login windows for different groups by using a combination of customization profiles and groups. For example, assuming that you had created a customization profile called salesgui, you can create an SSL VPN group called sales that uses that customization profile. You specify the group in the General tab on the Customization Profiles dialog box.

Customization profiles are predefined objects. You can click Select to open the SSL VPN Customization Selector dialog box, from which you can make your selection or create new customization objects.

Override SVC Download

Select this check box if you want clientless users logging in under specific tunnel groups to be presented with the clientless SSL VPN home page immediately, instead of having to wait for the download prompt to expire.

Reject Radius Message

Select this check box if you want to display a RADIUS message about the authentication failure to remote users.

Connection Aliases

Alias

The alternate name by which the tunnel group is referred to.

A group alias creates one or more alternate names by which a user can refer to a tunnel group. This feature is useful when the same group is known by several common names (such as "Devtest" and "QA"). If you want the actual name of the tunnel group to appear on this list, you must specify it as an alias. The group alias that you specify here appears on the login page. Each tunnel group can have multiple aliases or no alias.

For more information, see Understanding Connection Profiles (ASA), page 26-18.

Status

Specifies whether a group alias is enabled or not.

If enabled, the group alias appears in a list during login.

Create button

Opens the Add/Edit Connection Alias Dialog Box for creating a group alias.

Edit button

Opens the Add/Edit Connection Alias Dialog Box for editing the settings of a selected group alias in the table.

Delete button

Deletes one or more group aliases that are selected in the table.

Group URLs

URL

The URL associated with the tunnel group connection profile.

You can configure multiple URLs (or no URLs) for a tunnel group. Each URL can be enabled or disabled individually. You must use a separate specification for each URL, specifying the entire URL using either the HTTP or HTTPS protocol.

For more information, see Understanding Connection Profiles (ASA), page 26-18.

Status

Specifies whether a group URL is enabled or not. If enabled, it eliminates the need to select a group during login.

Create button

Click to open the Add Group URL dialog box for creating a group URL. See Add/Edit Connection URL Dialog Box.

Edit button

Select a group URL in the table, then click to open the Edit Group URL dialog box to edit its settings. See Add/Edit Connection URL Dialog Box.

Delete button

Select the rows of one or more group URLs, then click to remove from the list.


Add/Edit Connection Alias Dialog Box

Use the Add/Edit Connection Alias dialog box to create or edit a connection alias for an SSL VPN connection profile. Specifying the connection alias creates one or more alternate names by which the user can refer to a tunnel group.

Navigation Path

Open the SSL Tab (Connection Profiles), then click Create below the Connection Aliases table, or select a row in the table and click Edit.

Related Topics

Connection Profiles Page

Configuring Connection Profiles (ASA), page 26-18

Field Reference

Table 27-23 Add/Edit Connection Profile > Add/Edit Connection Alias Dialog Box 

Element
Description

Enabled

Indicates whether the connection alias is enabled or not.

Connection Alias

An alternative name for the connection profile.

The connection alias that you specify here appears in a list on the user's login page. Each group can have multiple aliases or no alias, each specified in separate commands.


Add/Edit Connection URL Dialog Box

Use this dialog box to specify incoming URLs or IP addresses for the tunnel group. If a connection URL is enabled in a tunnel group, the security appliance selects the associated tunnel group and presents the user with only the username and password fields in the login window.


Note You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be enabled or disabled individually.

You cannot associate the same URL or address with multiple groups. The security appliance verifies the uniqueness of the URL or address before accepting the URL or address for a tunnel group.


Navigation Path

Open the SSL Tab (Connection Profiles), then click Create below the Group URLs table, or select a row in the table and click Edit.

Related Topics

Connection Profiles Page

Configuring Connection Profiles (ASA), page 26-18

Field Reference

Table 27-24 Add/Edit Connection URL Dialog Box 

Element
Description

Enabled

Indicates whether the connection URL is enabled or not.

Connection URL

Select a protocol (http or https) from the list, and specify the incoming URL for the connection in the field provided.


Dynamic Access Page (ASA)

Use the Dynamic Access page to view the dynamic access policies (DAP) defined on the security appliance. From this page, you can create, edit, or delete DAPs.

Use the Cisco Secure Desktop section to enable and download the Cisco Secure Desktop (CSD) software on the selected ASA device. Cisco Secure Desktop provides a single, secure location for session activity and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL VPN session.


Note The CSD client software must be installed and activated on a device in order for an SSL VPN policy to work properly.



Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.


Navigation Path

(Device View) Select an ASA device; then select Remote Access VPN > Dynamic Access (ASA) from the Policy selector.

(Policy View) Select Remote Access VPN > Dynamic Access (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding Dynamic Access Policies, page 26-19

Configuring Dynamic Access Policies, page 26-20

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26

Field Reference

Table 27-25 Dynamic Access Policy Page (ASA) 

Element
Description

Priority

Priority of the configured dynamic access policy record.

Name

Name of the configured dynamic access policy record.

Network ACL

Name of the firewall ACL that applies to the session.

WebType ACL

Name of the WebType VPN ACL that applies to the session.

Port Forwarding

Name of the port forwarding list that applies to the session.

Bookmark

Name of the SSL VPN Bookmark object that applies to the session.

Terminate

Indicates whether the session is terminated or not.

Description

Additional information about the configured dynamic access policy.

Create button

Click this button to create a dynamic access policy. See Add/Edit Dynamic Access Policy Dialog Box.

Edit button

Click this button to edit the selected dynamic access policy. See Add/Edit Dynamic Access Policy Dialog Box.

Delete button

Click this button to delete the selected dynamic access policies.

Cisco Secure Desktop

For the procedure to configure CSD on an ASA device, see Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26.

Enable

When selected, enables the CSD on the device. Enabling CSD loads the specified Cisco Secure Desktop package. If you transfer or replace the CSD package file, disable and then enable CSD to load the file.

Package

Version

Specify the name of the File Object that identifies the Cisco Secure Desktop package you want to upload to the device.

Click Select to select an existing File Object or to create a new one. For more information, see Add and Edit File Object Dialog Boxes, page 28-24.

Note The package version must be compatible with the ASA operating system version. When you create a local policy in Device view, the Version field indicates the CSD package version you should select. (The version is included in the package file name. For example, securedesktop-asa_k9-3.3.0.118.pkg is CSD version 3.3.0.118.) When you create a shared policy in Policy view, the Version field indicates the version of the CSD file you selected. For more information on version compatibility, see Understanding and Managing SSL VPN Support Files, page 26-5.

Configure

Click Configure to open the Cisco Secure Desktop Manager (CSDM) Policy Editor that lets you configure CSD on the security appliance. For a description of the elements in this dialog box, see Cisco Secure Desktop Manager Policy Editor Dialog Box.


Add/Edit Dynamic Access Policy Dialog Box

Use the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access policies (DAP) on your security appliance. You can specify a name for the dynamic access policy that you are adding, select the priority, specify attributes in a LUA expression, and set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.


Note For detailed information about dynamic access policy attributes, see Understanding DAP Attributes, page 26-22.


These tabs are available in the Add/Edit Dynamic Access Policy dialog box:

Main Tab

Logical Operators Tab

Advanced Expressions Tab

Navigation Path

Open the Dynamic Access Page (ASA), then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit Dynamic Access Policy dialog box is displayed.

Related Topics

Understanding Dynamic Access Policies, page 26-19

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-26 Add/Edit Dynamic Access Policy Dialog Box 

Element
Description

Name

The name of the dynamic access policy record (up to 128 characters).

Priority

A priority for the dynamic access policy record. The security appliance applies access policies in the order you set here, highest number having the highest priority. In the case of dynamic access policy records with the same priority setting and conflicting ACL rules, the most restrictive rule applies.

Description

Additional information about the dynamic access policy record (up to 1024 characters).

Main tab

Enables you to add a dynamic access policy entry and set attributes for the access policy depending on the type of remote access that you configure.

For a description of the elements on this tab, see Main Tab.

Logical Operators tab

Enables you to create multiple instances of each type of endpoint attribute.

For a description of the elements on this tab, see Logical Operators Tab.

Advanced Expressions tab

Enables you to configure one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas.

For a description of the elements on this tab, see Advanced Expressions Tab.


Main Tab

Use the Main tab of the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access policy attributes and the type of remote access method supported by your security appliance. You can set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.

Navigation Path

The Main tab appears when you open the Add/Edit Dynamic Access Policy Dialog Box.

Related Topics

Configuring Dynamic Access Policies, page 26-20

Configuring DAP Attributes, page 26-25

Field Reference

Table 27-27 Add/Edit Dynamic Access Policy Dialog Box > Main Tab 

Element
Description

Criteria ID

The AAA and endpoint selection attribute names that are available for dynamic access policy use.

Content

Values of the AAA and endpoint attributes criteria that the security appliance uses for selecting and applying a dynamic access policy record during session establishment. Attribute values that you configure here override authorization values in the AAA system, including those in existing group policy, tunnel group, and default group records.

Create button

Click this button to configure AAA and endpoint attributes as selection criteria for the DAP record. See Add/Edit DAP Entry Dialog Box.

Edit button

Click this button to edit the selected dynamic access policy. See Add/Edit DAP Entry Dialog Box.

Delete button

Click this button to delete the selected dynamic access policies.

Access Method

Specify the type of remote access permitted:

Unchanged—Continue with the current remote access method.

AnyConnect Client—Connect using the Cisco AnyConnect VPN Client.

Web Portal—Connect with clientless VPN.

Both default Web Portal—Connect via either clientless or the AnyConnect client, with a default of clientless.

Both default AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect.

Network ACL tab—Lets you select and configure network ACLs to apply to this dynamic access policy. An ACL for a dynamic access policy can contain permit or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance rejects it.

Network ACL

Lists the Access Control Lists (ACLs) that will be used to restrict user access to the SSL VPN.

Click the Select button to open the Access Control Lists Selector from which you can make your selection. The ACL contains conditions that describe a traffic stream of packets, and actions that describe what should occur based on those conditions. Only ACLs having all permit or all deny rules are eligible.

WebType ACL tab—Lets you select and configure web-type ACLs to apply to this dynamic access policy. An ACL for a dynamic access policy can contain only permit or deny rules. If an ACL contains both permit and deny rules, the security appliance rejects it.

Web Type ACL

Specifies the WebType access control list that will be used to restrict user access to the SSL VPN.

Click the Select button to open the Access Control Lists Selector from which you can make your selection. Only ACLs having all permit or all deny rules are eligible.

Functions tab—Lets you configure file server entry and browsing, HTTP proxy, and URL entry for the dynamic access policy.

File Server Browser

Specify the file server browsing setting to be configured on the portal page:

Unchanged—Uses values from the group policy that applies to this session.

Enable—Enables CIFS browsing for file servers or shared features.

Disable—Disables CIFS browsing for file servers or shared features.

Note Browsing requires NBNS (Master Browser or WINS). If NBNS fails or is not configured, the security appliance uses DNS.

The CIFS browse feature does not support internationalization.

File Server Entry

Specify the file server entry setting to be configured on the portal page:

Unchanged—Uses values from the group policy that applies to this session.

Enable—Allows a user to enter file server paths and names on the portal page.

When enabled, places the file server entry drawer on the portal page. Users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.

Disable—Prevents a user from entering file server paths and names on the portal page.

HTTP Proxy

Specify how you want to configure the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers:

Unchanged—Uses values from the group policy that applies to this session.

Enable—Allows the forwarding of an HTTP applet proxy to the client.

The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.

Disable—Disables the forwarding of an HTTP applet proxy to the client.

Auto-start—Enables HTTP proxy and has the DAP record automatically start the applets associated with these features.

URL Entry

Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.

In a clientless VPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate and therefore cannot examine and validate it. The current implementation of SSL VPN does not permit communication with sites that present expired certificates. Neither does the security appliance perform trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.

Specify how the URL entry setting must be configured on the portal page:

Unchanged—Uses values from the group policy that applies to this session.

Enable—Allows a user to enter HTTP/HTTPS URLs on the portal page. If this feature is enabled, users can enter web addresses in the URL entry box, and use clientless SSL VPN to access those websites.

Disable—Prevents a user from entering HTTP/HTTPS URLs on the portal page.

Note To limit Internet access for users, select Disable for the URL Entry field. This prevents SSL VPN users from surfing the Web during a clientless VPN connection.

Port Forwarding tab—Lets you select and configure port forwarding lists for user sessions.

Note Port Forwarding does not work with some SSL/TLS versions.


Caution Make sure Sun Microsystems Java Runtime Environment (JRE) 1.4+ is installed on the remote computers to support port forwarding (application access) and digital certificates.

Port Forwarding

Select an option for the port forwarding lists that apply to this DAP record:

Unchanged—Removes the attributes from the running configuration.

Enable—Enables port forwarding on the device.

Disable—Disables port forwarding on the device.

Auto-start—Enables port forwarding and has the DAP record automatically start the port forwarding applets associated with its port forwarding lists.

Port Forwarding List

The Port Forwarding List that defines the mapping of the port number on the client machine to the application's IP address and port behind the SSL VPN gateway.

You can click Select to open the Port Forwarding List Selector from which you can select the required Port Forwarding List from a list of Port Forwarding List objects. A Port Forwarding List object defines the mappings of port numbers on the remote client to the application's IP address and port behind the SSL VPN gateway.

Bookmark tab—Lets you enable and configure SSL VPN bookmarks. When enabled, users who successfully log into the SSL VPN are presented with the portal page containing the list of defined bookmarks. These bookmarks enable users to access resources available on SSL VPN websites in Clientless access mode.

Enable Bookmarks

When selected, enables bookmarks on the SSL VPN portal page.

Bookmarks

A list of websites that will be displayed on the portal page as a bookmark to enable users to access the resources available on the SSL VPN websites.

You can click Select to open the Bookmarks Selector from which you can select the required bookmark from a list or create a new bookmark, as desired.

Action tab—Specifies special processing to apply to a specific connection or session.

Terminate

When selected, terminates the session. By default, the access policy attributes are applied to the session and the session continues to run.

User Message

Enter a text message to display on the portal page when this DAP record is selected. Maximum 128 characters. A user message displays as a yellow orb. When a user logs on it blinks three times to attract attention, and then it is still. If several DAP records are selected, and each of them has a user message, all user messages display.

Note You can include in such messages URLs or other embedded text, which require that you use the correct HTML tags.

For example: All contractors please read <a href="http://wwwin.abc.com/procedure.html">Instructions</a> for the procedure to upgrade your antivirus software.


Add/Edit DAP Entry Dialog Box

Use the Add/Edit DAP Entry dialog box to specify the authorization attributes and endpoint attributes for a dynamic access policy. The security appliance selects the dynamic access policy based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user. It then applies the dynamic access policy to the user tunnel or session.


Note For detailed information about dynamic access policy attributes, see Understanding DAP Attributes, page 26-22.



Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
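To make the selection rules stated in this reference concrete (every criterion of a record must match, so a record with no AAA or endpoint attributes is always selected; the Priority field orders records with the highest number first; and an ACL attached to a DAP must be all-permit or all-deny or the appliance rejects it), the following is an added Python model. It is not Cisco Security Manager or ASA code. The attribute names, the "is"/"is not" operators and the sample records are constructed for the illustration, and treating any selected record with Terminate set as ending the session is an assumption of the model.

```python
"""Simplified model of how dynamic access policy (DAP) records are selected.

Added example, not Cisco Security Manager or ASA code. It models only what the
reference states: a record is selected when every one of its AAA/endpoint
criteria matches the session, so a record with no criteria always matches;
selected records are ordered by priority with the highest number first; a DAP
ACL must be all-permit or all-deny or it is rejected; and every selected
record's user message is displayed. Attribute names and the "is"/"is not"
operators are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Session = Dict[str, str]   # attribute name -> value gathered for one session


@dataclass
class Criterion:
    attribute: str
    operator: str   # "is" or "is not", mirroring the dialog's matching criteria
    value: str

    def matches(self, session: Session) -> bool:
        actual = session.get(self.attribute)
        if self.operator == "is":
            return actual == self.value
        if self.operator == "is not":
            return actual != self.value
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class DAPRecord:
    name: str
    priority: int
    criteria: List[Criterion] = field(default_factory=list)
    network_acl: Optional[List[str]] = None   # rule actions: "permit" / "deny"
    user_message: str = ""
    terminate: bool = False

    def matches(self, session: Session) -> bool:
        # all() over an empty list is True: a record with no criteria is
        # always selected, as the Note states.
        return all(c.matches(session) for c in self.criteria)


def validate_dap_acl(actions: List[str]) -> bool:
    """Return True if the ACL is eligible for a DAP (all permit or all deny)."""
    kinds = set(actions)
    if not kinds <= {"permit", "deny"}:
        raise ValueError("ACL actions must be 'permit' or 'deny'")
    return len(kinds) <= 1


def select_dap_records(records: List[DAPRecord], session: Session) -> List[DAPRecord]:
    """Select matching records, highest priority number first (stable for ties)."""
    for r in records:
        if r.network_acl is not None and not validate_dap_acl(r.network_acl):
            raise ValueError(f"DAP {r.name!r}: ACL mixes permit and deny rules")
    matched = [r for r in records if r.matches(session)]
    return sorted(matched, key=lambda r: r.priority, reverse=True)


def evaluate_session(records: List[DAPRecord], session: Session) -> dict:
    """Summarize which records apply to a session and what they do."""
    selected = select_dap_records(records, session)
    return {
        "selected": [r.name for r in selected],
        # Assumption of this model: any selected record set to Terminate ends the session.
        "terminated": any(r.terminate for r in selected),
        # The reference states that every selected record's user message is displayed.
        "messages": [r.user_message for r in selected if r.user_message],
    }


# Constructed sample policy set (not from any real deployment).
SAMPLE_RECORDS = [
    DAPRecord("contractor-restrict", priority=10,
              criteria=[Criterion("aaa.class", "is", "contractors")],
              network_acl=["deny", "deny"],
              user_message="Contractors: internal file shares are blocked."),
    DAPRecord("non-windows-terminate", priority=20,
              criteria=[Criterion("endpoint.os", "is not", "Windows")],
              terminate=True),
    DAPRecord("default-message", priority=0,
              user_message="Welcome to the corporate SSL VPN."),
]

if __name__ == "__main__":
    print(evaluate_session(SAMPLE_RECORDS,
                           {"aaa.class": "contractors", "endpoint.os": "Windows"}))
```

Running the block as a script evaluates a contractor session on a Windows endpoint: both the contractor record and the criteria-less default record are selected, in priority order, and both user messages are collected. A session from a non-Windows endpoint selects the terminating record instead.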


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-28 Add/Edit DAP Entry Dialog Box 

Element
Description

Criterion

Select the authorization or endpoint attribute from the list. It serves as the selection criterion that the security appliance uses for selecting and applying dynamic access policies during session establishment.

AAA Attributes Cisco—Refers to user authorization attributes that are stored in the AAA hierarchical model. See Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco.

AAA Attributes LDAP—Selects native LDAP response attributes. The LDAP client stores all native LDAP response attribute value pairs in a database associated with the AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP.

AAA Attributes RADIUS—Selects native RADIUS response attributes. The RADIUS client stores all native RADIUS response attribute value pairs in a database associated with the AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS.

Anti-Spyware—Creates an endpoint attribute of type Anti-Spyware. You can use the Host Scan modules of Cisco Secure Desktop to scan for antispyware applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Anti-Spyware.

Anti-Virus—Creates an endpoint attribute of type Anti-Virus. You can use the Host Scan modules of Cisco Secure Desktop to scan for antivirus applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Anti-Virus.

Application—Indicates the type of remote access connection. See Add/Edit DAP Entry Dialog Box > Application.

File—Creates an endpoint attribute of type File. Filename checking to be performed by Basic Host Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > File.

NAC—Creates an endpoint attribute of type NAC. NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliance checks, referred to as posture validation. See Add/Edit DAP Entry Dialog Box > NAC.

Operating System—Creates an endpoint attribute of type Operating System. The prelogin assessment module of the CSD can check the remote device for the OS version, IP address, and Microsoft Windows registry keys. See Add/Edit DAP Entry Dialog Box > Operating System.

Criterion (cont.)

Personal Firewall—Creates an endpoint attribute of type Personal Firewall. You can use the Host Scan modules of Cisco Secure Desktop to scan for personal firewall applications and updates that are running on the remote computer. For a description of the elements in the dialog box, see Add/Edit DAP Entry Dialog Box > Personal Firewall.

Policy—Creates an endpoint attribute of type Policy. See Add/Edit DAP Entry Dialog Box > Policy.

Process—Process name checking to be performed by Basic Host Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > Process.

Registry—Creates an endpoint attribute of type Registry. Registry key scans apply only to computers running Microsoft Windows operating systems. See Add/Edit DAP Entry Dialog Box > Registry.

Description

Additional information about the dynamic access policy (up to 1024 characters).

Main tab

Enables you to add a dynamic access policy entry and set attributes for the access policy depending on the type of remote access that you configure.

For a description of the elements on this tab, see Main Tab.

Logical Operators tab

Enables you to create multiple instances of each type of endpoint attribute.

For a description of the elements on this tab, see Logical Operators Tab.

Advanced Expressions tab

Enables you to configure one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas.

For a description of the elements on this tab, see Advanced Expressions Tab.


Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco

To configure AAA attributes as selection criteria for dynamic access policies, in the Add/Edit DAP Entry dialog box, set AAA Attributes Cisco as the selection criterion to be used to select and apply the dynamic access policies during session establishment. You can set these attributes either to match or not match the value you enter. There is no limit for the number of AAA attributes for each dynamic access policy.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes Cisco as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-29 Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco 

Element
Description

Criterion

Shows AAA Attributes Cisco as the selection criterion.

Class

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the name of the AAA server group associated with the user. The maximum length is 64 characters.

AAA server groups represent collections of authentication servers focused on enforcing specific aspects of your overall network security policy.

IP Address

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the assigned IP address.

Addresses are predefined network objects. You can also click Select to open a dialog box that lists all available network hosts, and in which you can create or edit network host objects.

Member-of

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter a comma-separated string of group policy names that apply to the user. This attribute lets you indicate multiple group membership. The maximum length is 128 characters.

Username

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the username of the authenticated user. A maximum of 64 characters is allowed.

Connection Profiles

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and select the connection profile from a list of all the SSL VPN Connection Profile policies defined on the security appliance.

An SSL VPN connection profile comprises a set of records that contain VPN tunnel connection profile policies, including the attributes that pertain to creating the tunnel itself.

Note For a description of the procedure to configure an SSL VPN Connection Profiles policy, see Configuring Connection Profiles (ASA), page 26-18.


Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP

The LDAP client stores all native LDAP response attribute value pairs in a database associated with the AAA session for the user. The LDAP client writes the response attributes to the database in the order in which it receives them. If it later receives an attribute with the same name as one already stored, it discards the later attribute. This scenario might occur when a user record and a group record are both read from the LDAP server. The user record attributes are read first, and always have priority over group record attributes.

To support Active Directory group membership, the AAA LDAP client provides special handling of the LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group record in AD. The name of the group is the first CN value in the DN string. The LDAP client extracts the group name from the DN string and stores it as the AAA memberOf attribute, and in the response attribute database as the LDAP memberOf attribute. If there are additional memberOf attributes in the LDAP response message, then the group name is extracted from those attributes and is combined with the earlier AAA memberOf attribute to form a comma separated string of group names, also updated in the response attribute database.
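The two rules just described, first-received attribute wins and memberOf group names extracted from the first CN of each DN and combined into a comma-separated string, as an added Python model. This is not Cisco code: the DN splitting (which honours RFC 4514 backslash escapes), the `LdapResponseDatabase` class and the sample response are constructed for this illustration. The reference states the same first-received-wins rule for the RADIUS client in the AAA Attributes RADIUS section; only the memberOf handling here is LDAP-specific.

```python
"""Model of how the AAA LDAP client described in the reference stores response
attributes and derives the memberOf group list.

Added example, not Cisco code. It implements the two rules the reference states:
(1) attributes are written in the order received and a later attribute whose
name is already stored is discarded (so user-record attributes, read first,
win over group-record attributes), and (2) each AD memberOf value is a group DN
whose first CN is the group name; the names are combined into a comma-separated
AAA memberOf string. The DN splitting with RFC 4514 backslash escapes is an
addition of this example.
"""
from typing import Dict, List, Tuple


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings, treating backslash-escaped commas as literal."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def group_name_from_dn(dn: str) -> str:
    """Return the first CN value in the DN, i.e. the AD group name."""
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.replace("\\,", ",")   # unescape commas inside the name
    raise ValueError(f"no CN in DN: {dn!r}")


class LdapResponseDatabase:
    """Per-session store of LDAP response attributes with first-received-wins semantics."""

    def __init__(self) -> None:
        self.attributes: Dict[str, str] = {}
        self.member_of: List[str] = []
        self.discarded: List[Tuple[str, str]] = []

    def add(self, name: str, value: str) -> bool:
        """Store one attribute; return False if it was discarded as a duplicate name."""
        if name.lower() == "memberof":
            # memberOf is special: every value contributes a group name, and the
            # combined comma-separated list is kept as the LDAP memberOf attribute.
            self.member_of.append(group_name_from_dn(value))
            self.attributes["memberOf"] = self.aaa_member_of()
            return True
        if name in self.attributes:
            self.discarded.append((name, value))
            return False
        self.attributes[name] = value
        return True

    def aaa_member_of(self) -> str:
        """The AAA memberOf attribute: group names joined with commas."""
        return ",".join(self.member_of)


def load_response(pairs: List[Tuple[str, str]]) -> LdapResponseDatabase:
    """Write response attribute/value pairs in the order received."""
    db = LdapResponseDatabase()
    for name, value in pairs:
        db.add(name, value)
    return db


# Constructed sample: user record attributes first, then a group record attribute
# with a name already present (discarded). DNs are example values.
SAMPLE_RESPONSE = [
    ("sAMAccountName", "jdoe"),
    ("department", "Engineering"),
    ("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
    ("memberOf", "CN=Developers,OU=Groups,DC=example,DC=com"),
    ("department", "Corporate"),   # arrives later, so it is discarded
]

if __name__ == "__main__":
    db = load_response(SAMPLE_RESPONSE)
    print(db.attributes, db.discarded)
```

With the sample response, `department` keeps the user-record value "Engineering", the group-record duplicate is recorded as discarded, and the AAA memberOf attribute becomes "VPN-Users,Developers". A group whose name itself contains an escaped comma (for example `CN=Eng\, Platform,...`) is extracted intact rather than split.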


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes LDAP as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-30 Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP 

Element
Description

Criterion

Shows AAA Attributes LDAP as the selection criterion.

Attribute ID

Specify the name of the LDAP attribute map in the dynamic access policy. LDAP attribute maps take the attribute names that you define and map them to Cisco-defined attributes. A maximum of 64 characters is allowed.

Value

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the custom map value that maps to a Cisco Map Value or enter the Cisco map value that maps to the Custom Map Value.

The attribute map is populated with value mappings that apply customer, user-defined attribute values to the customer attribute name and to the matching Cisco attribute name and value.


Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS

The RADIUS client stores all native RADIUS response attribute value pairs in a database associated with the AAA session for the user. The RADIUS client writes the response attributes to the database in the order in which it receives them. If it later receives an attribute with the same name as one already stored, it discards the later attribute. This scenario might occur when a user record and a group record are both read from the RADIUS server. The user record attributes are read first, and always have priority over group record attributes.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes RADIUS as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-31 Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS 

Element
Description

Criterion

Shows AAA Attributes RADIUS as the selection criterion.

Attribute ID

Specify the name of the RADIUS attribute name or number in the dynamic access policy. A maximum of 64 characters is allowed.

RADIUS attribute names do not contain the cVPN3000 prefix to better reflect support for all three security appliances (VPN 3000, PIX, and the ASA). The appliances enforce the RADIUS attributes based on attribute numeric ID, not attribute name. LDAP attributes are enforced by their name, not by the ID.

Value

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the attribute value.


Add/Edit DAP Entry Dialog Box > Anti-Spyware

You can use the Host Scan feature of Cisco Secure Desktop to enable Endpoint Assessment, a scan for antivirus, personal firewall, and antispyware applications and updates that are running on the remote computer. After you configure the prelogin policies and host scan options, you can configure a match of any one or any combination of the Host Scan results to assign a dynamic access policy following the user login.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Anti-Spyware as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-32 Add/Edit DAP Entry Dialog Box > Anti-Spyware 

Element
Description

Criterion

Shows Anti-Spyware as the selection criterion.

Type

Select the matching criteria to indicate whether the selected endpoint attribute and its accompanying qualifiers (fields below the Product ID field) should be present or not.

Vendor Name

Select the text that describes the application vendor from the list.

Product ID

Select a unique identifier for the product that is supported by the selected vendor from the list.

Product Description

Available only if you selected Matches as the Type.

Select the check box, then select the description of the product from the list.

Version

Available only if you selected Matches as the Type.

Identify the version of the application, and specify whether you want the endpoint attribute to be equal to/not equal to that version.

Last Update

Available only if you selected Matches as the Type.

Specify the number of days since the last update. You might want to indicate that an update should occur in less than or greater than the number of days you enter here.


Add/Edit DAP Entry Dialog Box > Anti-Virus

You can configure a scan for antivirus applications and updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, Cisco Secure Desktop loads Endpoint Assessment checks and reports the results back to the security appliance for use in assigning a dynamic access policy.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Anti-Virus as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-33 Add/Edit DAP Entry Dialog Box > Anti-Virus 

Element
Description

Criterion

Shows Anti-Virus as the selection criterion.

Type

Select the matching criteria to indicate whether the selected endpoint attribute and its accompanying qualifiers (fields below the Product ID field) should be present or not.

Vendor Name

Select the text that describes the application vendor from the list.

Product ID

Select a unique identifier for the product that is supported by the selected vendor from the list.

Product Description

Available only if you selected the criteria to match the endpoint attribute for the dynamic access policy.

Select the check box, then select the description of the product from the list.

Version

Available only if you selected the criteria to match the endpoint attribute for the dynamic access policy.

Identify the version of the application, and specify whether you want the endpoint attribute to be equal to/not equal to that version.

Last Update

Available only if you selected the criteria to match the endpoint attribute for the dynamic access policy.

Specify the number of days since the last update. You might want to indicate that an update should occur in less than or greater than the number of days you enter here.


Add/Edit DAP Entry Dialog Box > Application

Use this dialog box to indicate the type of remote access connection as the endpoint attribute for the dynamic access policy.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Application as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-34 Add/Edit DAP Entry Dialog Box > Application 

Element
Description

Criterion

Shows Application as the selection criterion.

Client Type

Select the check box, then select the matching criteria (for example, is or isn't) from the drop-down list, and specify the type of remote access connection from the list: AnyConnect, Clientless, Cut-through Proxy, IPsec, or L2TP.

Note If you select AnyConnect as the client type, make sure to enable Cisco Secure Desktop. If it is not enabled, Security Manager generates an error.


Add/Edit DAP Entry Dialog Box > Device

The DAP Device Criterion lets you provide specific device information for use during the associated prelogin policy checking. You can provide one or more of the following attributes for a device—host name, MAC address, port number, Privacy Protection selection—and indicate whether each is or isn't to be matched.

Note that isn't is exclusionary. For example, if you specify the criterion Host Name isn't zulu_2, all devices not named zulu_2 will match.

Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Choose Device as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-35 Add/Edit DAP Entry Dialog Box > Device 

Element
Description

Criterion

Shows Device as the selected Criterion.

Host Name

Select this option, choose a match criterion (is or isn't) from the related drop-down list, and then enter the device host name to be matched.

MAC Address

Select this option, choose a match criterion (is or isn't) from the related drop-down list, and then enter the device's MAC address to be matched.

Port Number

Select this option, choose a match criterion (is or isn't), and then enter or select the device port to be matched.

Privacy Protection

Select this option, choose a match criterion (is or isn't), and then choose the Privacy Protection option defined on the device: none, cache cleaner, or secure desktop.


Add/Edit DAP Entry Dialog Box > File

The file criterion prelogin check lets you specify that a certain file must or must not exist to be eligible for the associated prelogin policy. For example, you might want to use a file prelogin check to ensure a corporate file is present or one or more peer-to-peer file-sharing programs containing malware are not present before assigning a prelogin policy.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select File as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-36 Add/Edit DAP Entry Dialog Box > File 

Element
Description

Criterion

Shows File as the selection criterion.

Type

Specify whether this endpoint attribute must match or not match the criteria configured for selecting and applying dynamic access policies during session establishment.

Endpoint ID

Select a string that identifies an endpoint for files. Dynamic access policies use this ID to match Cisco Secure Desktop host scan attributes for dynamic access policy selection. You must configure Host Scan before you configure this attribute. When you configure Host Scan, the configuration displays in this pane, so you can select it, reducing the possibility of errors in typing or syntax.

Filename

Specify the filename.

Last Update

Available only if you selected the criteria to match the endpoint attribute for the dynamic access policy.

Specify the number of days since the last update. You might want to indicate that an update should occur in less than (<) or more than (>) the number of days you enter here.

Checksum

Available only if you selected the criteria to match the endpoint attribute for the DAP record.

Select the check box to specify a checksum to authenticate the file, then enter a checksum in hexadecimal format, beginning with 0x.


Add/Edit DAP Entry Dialog Box > NAC

NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as a condition for production access to the network. We refer to these checks as posture validation. You can configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on a host with an AnyConnect or Clientless SSL VPN session are up-to-date before providing access to vulnerable hosts on the intranet. Posture validation can include the verification that the applications running on the remote hosts are updated with the latest patches. NAC occurs only after user authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement, such as home PCs. The security appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate the posture of remote hosts.

The establishment of a tunnel between the endpoint and the security appliance triggers posture validation. You can configure the security appliance to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server, such as a Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it may challenge the host to determine whether its virus checking software is active and up-to-date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select NAC as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-37 Add/Edit DAP Entry Dialog Box > NAC 

Element
Description

Criterion

Shows NAC as the selection criterion.

Posture Status

Select the matching criteria (for example, is) from the drop-down list, then enter the posture token string received from ACS.


Add/Edit DAP Entry Dialog Box > Operating System

The prelogin assessment includes a check for the OS attempting to establish a VPN connection. When the user attempts to connect, however, Cisco Secure Desktop checks for the OS, regardless of whether you insert an OS prelogin check.

If the prelogin policy assigned to the connection has Secure Desktop (Secure Session) enabled and if the remote PC is running Microsoft Windows XP or Windows 2000, it installs Secure Session, regardless of whether you insert an OS prelogin check. If the prelogin policy has Secure Desktop enabled and the operating system is Microsoft Windows Vista, Mac OS X 10.4, or Linux, Cache Cleaner runs instead. Therefore, you should make sure the Cache Cleaner settings are appropriate for a prelogin policy on which you have configured Secure Desktop or Cache Cleaner to install. Although Cisco Secure Desktop checks for the OS, you may want to insert an OS prelogin check as a condition for applying a prelogin policy to isolate subsequent checks for each OS.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Operating System as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-38 Add/Edit DAP Entry Dialog Box > Operating System 

Element
Description

Criterion

Shows Operating System as the selection criterion.

OS Version

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and select the OS version from the list: Windows (various), MAC, Linux, Pocket PC.

Service Pack

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and select the service pack for the operating system.


Add/Edit DAP Entry Dialog Box > Personal Firewall

You can click Host Scan in the Cisco Secure Desktop interface to enable Endpoint Assessment, a scan for personal firewalls that are running on the remote computer. Most, but not all, personal firewall programs support active scan, which means that the programs are memory-resident, and therefore always running.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Personal Firewall as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-39 Add/Edit DAP Entry Dialog Box > Personal Firewall 

Element
Description

Criterion

Shows Personal Firewall as the selection criterion.

Type

Select one of the following options and assign the associated values:

Matches—Select if the mere presence of the named personal firewall on the remote PC is sufficient to match the prelogin policy you are configuring.

Doesn't Match—Select if the absence of the named personal firewall from the remote PC is sufficient to match the prelogin policy you are configuring.

Vendor Name

Select the text that describes the application vendor from the list.

Product ID

Select a unique identifier for the product that is supported by the selected vendor from the list.

Product Description

Available only if you selected that this endpoint attribute and all its settings must be available on the remote PC.

Select the check box, then select the description of the product from the list.

Version

Available only if you selected that this endpoint attribute and all its settings must be available on the remote PC.

Identify the version of the application, and specify whether you want the endpoint attribute to be equal to/not equal to that version.


Add/Edit DAP Entry Dialog Box > Policy

Windows locations let you determine how clients connect to your virtual private network, and protect it accordingly. For example, clients connecting from within a workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely risk for exposing confidential information. For these clients, you might set up a Cisco Secure Desktop Windows Location named Work that is specified by IP addresses on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop function for this location. Cisco Secure Desktop checks locations in the order listed on the Windows Location Settings window, and grants privileges to client PCs based on the first location definition they match.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Policy as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-40 Add/Edit DAP Entry Dialog Box > Policy 

Element
Description

Criterion

Shows Policy as the selection criterion.

Location

Select the matching criteria (for example, is) from the drop-down list, and select the Cisco Secure Desktop Microsoft Windows location profile from the list. All the locations configured in the Cisco Secure Desktop Manager are displayed in this list.


Add/Edit DAP Entry Dialog Box > Process

You can specify a set of process names, which form a part of Basic Host Scan. The host scan, which includes Basic Host Scan and Endpoint Assessment or Advanced Endpoint Assessment, occurs after the prelogin assessment but before the assignment of a dynamic access policy. Following the Basic Host Scan, the security appliance uses the login credentials, the host scan results, the prelogin policy, and other criteria you configure to assign a DAP.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Process as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-41 Add/Edit DAP Entry Dialog Box > Process 

Element
Description

Criterion

Shows Process as the selection criterion.

Type

Select one of the following options and assign the associated values:

Matches—Select if the mere presence of the named process on the remote PC is sufficient to match the prelogin policy you are configuring.

Doesn't Match—Select if the absence of the named process from the remote PC is sufficient to match the prelogin policy you are configuring.

Endpoint ID

A string that identifies an endpoint for files, processes or registry entries. Dynamic access policies use this ID to match Cisco Secure Desktop host scan attributes for dynamic access policy selection. You must configure Host Scan before you configure this attribute. When you configure Host Scan, the configuration displays in this pane, so you can select it, reducing the possibility of errors in typing or syntax.

Path

Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the name of the process. You can display it in Microsoft Windows by opening the Windows Task Manager window and clicking the Processes tab.

Configure Host Scan before you configure this attribute. When you configure Host Scan, the configuration displays in this pane, so you can select it and specify the same index when you assign this entry as an endpoint attribute when configuring a DAP, reducing the possibility of errors in typing or syntax.


Add/Edit DAP Entry Dialog Box > Registry

Registry key scans apply only to computers running Microsoft Windows operating systems. Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.


Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Registry as the Criterion.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-42 Add/Edit DAP Entry Dialog Box > Registry 

Element
Description

Criterion

Shows Registry as the selection criterion.

Type

Select one of the following options and assign the associated values:

Matches—Select if the mere presence of the named registry key on the remote PC is sufficient to match the prelogin policy you are configuring. For example, select this option if you want to require the following registry key to be present to match a criterion for assigning a prelogin policy: HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>

Doesn't Match—Select if the absence of the named registry key from the remote PC is sufficient to match the prelogin policy you are configuring. For example, select this option if you want to require the following registry key to be absent to match a criterion for assigning a prelogin policy: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>

Registry Name

Select the text that describes the registry name from the list.

Endpoint ID

A string that identifies an endpoint for files, processes or registry entries. Dynamic access policies use this ID to match Cisco Secure Desktop host scan attributes for dynamic access policy selection. You must configure Host Scan before you configure this attribute. When you configure Host Scan, the configuration displays in this pane, so you can select it, reducing the possibility of errors in typing or syntax.

Value

Select the value, dword or string, from the list, then select the matching criteria (whether it equals or does not equal), and enter a decimal or a string to compare with the dword or string value of the registry key on the remote PC.

Note "DWORD" refers to the attribute in the Add/Edit Registry Criterion dialog box. "Dword" refers to the attribute as it appears in the registry key. Use the regedit application, accessed on the Windows command line, to view the Dword value of a registry key, or use it to add a Dword value to the registry key to satisfy the requirement you are configuring.

Ignore Case

When selected, ignores the case in the registry entry if it includes a string.


Logical Operators Tab

Use the Logical Operators tab of the Add/Edit Dynamic Access Policy dialog box to configure multiple instances of the AAA and each type of endpoint attribute that you defined in the DAP Entry dialog box. On this tab, set each type of endpoint or AAA attribute to require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All = AND).

If you configure only one instance of an endpoint category, you do not need to set a value.

For some endpoint attributes, it is not useful to configure multiple instances. For example, no users have more than one running OS.

You are configuring the Match Any/Match All operation within each endpoint type. The security appliance evaluates each type of endpoint attribute, and then performs a logical AND operation on all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the endpoints you configure, as well as the AAA attributes.

Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box, then click the Logical Operators tab.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-43 Add/Edit Dynamic Access Policy Dialog Box > Logical Operators Tab 

Element
Description

AAA

Select one of the following options if you defined the AAA attribute in the dynamic access policy:

Match Any—Creates an OR relationship among the attributes. Attributes matching any of your criteria are included in the filter. The security appliance grants access to a particular user for a particular session if any one of the attributes matches your criteria.

Match All—Creates an AND relationship among the attributes. The security appliance grants access to a particular user for a particular session only if all of the attributes match your criteria.

Match None—Creates a NOT relationship among the attributes. The dynamic access policy applies to a session only if none of the user's attributes match your criteria.

Anti-Spyware

Select one of the following options if you defined Anti-Spyware as an endpoint attribute:

Match Any—Creates an OR relationship among the attributes. Policies matching any instance of your criteria are used to authorize users.

Match All—Creates an AND relationship among the attributes. Only those attributes matching all your criteria are used to authorize users.

Anti-Virus

Select one of the following options if you defined Anti-Virus as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the Antivirus endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.

Application

Select one of the following options if you defined Application as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the Application endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.

File

Select one of the following options if you defined File as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the File endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.

Policy

Select one of the following options if you defined Policy as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the Policy endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.

Personal Firewall

Personal firewall rules let you specify applications and ports for the firewall to allow or block. Select one of the following options if you defined Personal Firewall as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the Personal Firewall endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.

Process

Select one of the following options if you defined Process as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the Process endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.

Registry

Registry key scans apply only to computers running Microsoft Windows operating systems. Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.

Select one of the following options if you defined Registry as an endpoint attribute:

Match Any—Set to require that user authorization attributes match any of the values in the Registry endpoint attributes you are configuring.

Match All—Set to require that user authorization attributes match all of the values in the endpoint attributes you are configuring, as well as satisfying the AAA attribute.


Advanced Expressions Tab

Use the Advanced Expressions tab of the Add/Edit Dynamic Access Policy dialog box to set additional attributes for the dynamic access policy. You can configure multiple instances of each type of endpoint attribute. Be aware that this is an advanced feature that requires knowledge of Lua (www.lua.org).


Note For detailed information about advanced expressions, see About Advanced Expressions for AAA or Endpoint Attributes and Examples of DAP Logical Expressions.


Navigation Path

Open the Add/Edit Dynamic Access Policy Dialog Box, then click the Advanced Expressions tab.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Field Reference

Table 27-44 Add/Edit Dynamic Access Policy Dialog Box > Advanced Expressions Tab 

Element
Description

Basic Expressions

This text box is populated with basic expressions based on the endpoint and AAA attributes that you configured in the dynamic access policy.

Relationship Drop-down List

Specify the relationship between the basic selection rules and the logical expressions you enter on this tab, that is, whether the new attributes add to or substitute for the AAA and endpoint attributes already set. Select one of the following options:

Basic AND Advanced—Creates an AND relationship between the basic and advanced expressions. Both the basic and advanced expressions defined in the dynamic access policy are considered while authenticating users.

By default, this option is selected.

Basic OR Advanced—Creates an OR relationship between the basic and advanced expressions. Users are granted access to a session if either the basic or advanced expressions in the dynamic access policy are matched with the user policy.

Basic Only—Only the basic expressions defined in the DAP entry are used to determine whether the security appliance grants users access to a particular session.

Advanced Only—Only the advanced expressions defined in the DAP entry are used to authorize users for an SSL VPN session.

Advanced Expressions

Enter one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas above.

Enter free-form LUA text that defines new AAA and/or endpoint selection attributes. Security Manager does not validate text that you enter here; it just copies this text to the dynamic access policy XML file, and the security appliance processes it, discarding any expressions it cannot parse.


Cisco Secure Desktop Manager Policy Editor Dialog Box

Using the Cisco Secure Desktop Manager (CSDM) Policy Editor dialog box, you can configure prelogin policies, specify the checks to be performed between the time the user establishes a connection with the security appliance and the time the user enters the login credentials, and configure host scans. For an explanation of configuring CSD on an ASA device, see Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26.


Note The Cisco Secure Desktop Manager Policy Editor is an independent program. For information about configuring CSD, and what CSD can do for you, see the materials available online at http://www.cisco.com/en/US/products/ps6742/tsd_products_support_configure.html. Look specifically for information on configuring prelogin policies and host scan. Select the configuration guide for the CSD version you are configuring.


Navigation Path

Open the Dynamic Access Page (ASA), then click Configure from the Cisco Secure Desktop section (you must first specify a CSD package). The CSDM Policy Editor dialog box is displayed.

Related Topics

Understanding DAP Attributes, page 26-22

Configuring DAP Attributes, page 26-25

Configuring Dynamic Access Policies, page 26-20

Global Settings Page

Use the Global Settings page to define global settings for IKE, IPsec, NAT, and fragmentation that apply to devices in your remote access VPN.

Navigation Path

(Device View) Select Remote Access VPN > Global Settings from the Policy selector.

(Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select an existing policy or create a new one.

Table 27-45 Global Settings Page 

Element
Description

ISAKMP/IPsec Settings tab

Enables you to specify global settings for IKE and IPsec.

For a description of the elements on this tab, see ISAKMP/IPsec Settings Tab.

NAT Settings tab

Enables you to specify global Network Address Translation (NAT) settings to enable devices that use internal IP addresses to send and receive data through the Internet.

For a description of the elements on this tab, see NAT Settings Tab.

General Settings tab

Enables you to define fragmentation settings and other global settings on devices in your remote access VPN.

For a description of the elements on this tab, see General Settings Tab.


ISAKMP/IPsec Settings Tab

Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify global settings for IKE and IPsec.

Navigation Path

Open the Global Settings Page, or click the ISAKMP/IPsec Settings tab from any other tab in the VPN Global Settings page.

Related Topics

Global Settings Page

Understanding Remote Access VPN Global Settings, page 26-28

Configuring Remote Access VPN Global Settings, page 26-28

Understanding IKE, page 22-1

Understanding IPsec Tunnel Policies, page 22-5

Understanding ISAKMP/IPsec Settings, page 22-13

Field Reference

Table 27-46 Global Settings > ISAKMP/IPsec Settings Tab 

Element
Description

ISAKMP Settings

Enable Keepalive

When selected, enables you to configure IKE keepalive as the default failover and routing mechanism for your devices.

Interval (seconds)

The number of seconds that a device waits between sending IKE keepalive packets. The default is 10 seconds.

Retry (seconds)

The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Periodic

Available only if Enable Keepalive is selected. Supported on routers running IOS version 12.3(7)T and later, except 7600 devices.

When selected, enables you to send dead-peer detection (DPD) keepalive messages even if there is no outbound traffic to be sent. Usually, DPD keepalive messages are sent between peer devices only when no incoming traffic is received but outbound traffic needs to be sent.

For more information, see Understanding ISAKMP/IPsec Settings, page 22-13.

Identity

During Phase I IKE negotiations, peers must identify themselves to each other. Select one of the following:

Address—Use the IP address of the host exchanging ISAKMP identity information.

Hostname—Use the fully-qualified domain name of the host exchanging ISAKMP identity information.

Distinguished Name (IOS devices only)—Use a distinguished name (DN) to identify a user group name.

Auto (ASA devices only)—Determine the ISAKMP identity by connection type: the IP address for preshared key authentication, or the certificate distinguished name for certificate authentication.

SA Requests System Limit

Supported on routers running Cisco IOS Release 12.3(8)T and later, except 7600 routers.

The maximum number of SA requests allowed before IKE starts rejecting them.

You can enter a value in the range of 0-99999.

Note Make sure the value you enter equals or exceeds the number of peers connected to the device.

SA Requests System Threshold

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

The percentage of system resources that can be used before IKE starts rejecting new SA requests.

IPsec Settings

Enable Lifetime

Select to enable you to configure the global lifetime settings for the crypto IPsec SAs on the devices in your remote access VPN.

Lifetime (secs)

The number of seconds a security association will exist before expiring. The default is 3,600 seconds (1 hour).

Lifetime (kbytes)

The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes.

Xauth Timeout (seconds)

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

The number of seconds the device will wait for a system response to the Xauth challenge.

When negotiating tunnel parameters for establishing IPsec tunnels in a remote access configuration, Xauth adds another level of authentication that identifies the user who requests the IPsec connection. Using the Xauth feature, the client waits for a "username/password" challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication.

Max Sessions

(ASA and PIX 7.0+ only.)

The maximum number of Security Associations (SAs) that can be enabled simultaneously on the device. The maximum number differs based on device model. For ASA devices, the limits are:

5505—10 sessions.

5510—250 sessions.

5520—750 sessions.

5540, 5550, 5580—5000 sessions.

5585—10000 sessions.

Enable IPsec via Sysopt (PIX and ASA only)

Supported on ASA devices, and on PIX Firewall versions 6.3 or 7.0.

When selected (the default), specifies that any packet that comes from an IPsec tunnel is implicitly trusted (permitted).


NAT Settings Tab

Use the NAT Settings tab of the Global Settings page to define global Network Address Translation (NAT) settings that enable devices that use internal IP addresses to send and receive data through the Internet.

Navigation Path

Open the Global Settings Page, then click the NAT Settings tab.

Related Topics

Understanding NAT, page 22-13

Global Settings Page

Understanding Remote Access VPN Global Settings, page 26-28

Configuring Remote Access VPN Global Settings, page 26-28

Field Reference

Table 27-47 Global Settings > NAT Settings Tab 

Element
Description

Enable Traversal Keepalive

When selected, enables you to configure NAT traversal keepalive on a device.

NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow.

Note On Cisco IOS routers, NAT traversal is enabled by default. If you want to disable the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 7, "Managing FlexConfigs").

For more information, see Understanding NAT, page 22-13.

Interval

Available when NAT Traversal Keepalive is enabled.

The interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The NAT keepalive value can be from 5 to 3600 seconds. The default is 10 seconds.

Enable Traversal over TCP

Supported on PIX 7.0 and ASA devices.

When selected, encapsulates both the IKE and IPsec protocols within a TCP packet and enables secure tunneling through both NAT and PAT devices and firewalls.

TCP Ports

Available only when Enable Traversal over TCP is selected.

The TCP ports for which you want to enable NAT traversal. You must configure TCP ports on the remote clients and on the VPN device. The client configuration must include at least one of the ports you set for the security appliance. You can enter up to 10 ports.


General Settings Tab

Use the General Settings tab of the Global Settings page to define fragmentation settings and other global settings on devices in your remote access VPN.

Navigation Path

Open the Global Settings Page, then click the General Settings tab.

Related Topics

Understanding Fragmentation, page 22-15

Understanding Remote Access VPN Global Settings, page 26-28

Configuring Remote Access VPN Global Settings, page 26-28

Global Settings Page

Field Reference

Table 27-48 Global Settings > General Settings Tab 

Element
Description

Fragmentation Settings

Fragmentation mode

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

Fragmentation minimizes packet loss in a VPN tunnel when packets are transmitted over a physical interface that cannot support the original size of the packet.

Select the required fragmentation mode option from the list:

No Fragmentation—Select if you do not want to fragment prior to IPsec encapsulation.

End to End MTU Discovery—Select to use ICMP messages for the discovery of MTU.

End-to-end MTU discovery uses Internet Control Message Protocol (ICMP) messages to determine the maximum MTU that a host can use to send a packet through the VPN tunnel without causing fragmentation.

Local MTU Handling—Select to set the MTU locally on the devices. This option is typically used when ICMP is blocked.

Local MTU Size

Supported on Cisco IOS routers and Catalyst 6500/7600 devices, when Local MTU Handling is the selected fragmentation mode option.

Note The permitted MTU size is between 68 and 65535 bytes depending on the VPN interface.

DF Bit

Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0 and ASA devices.

A Don't Fragment (DF) bit is a bit in an IP header that determines whether a device is allowed to fragment a packet.

Select the required setting for the DF bit:

Copy—To copy the DF bit from the encapsulated header in the current packet to all the device's packets. If the packet's DF bit is set to fragment, all packets will be fragmented.

Set—To set the DF bit in the packet you are sending. A packet that exceeds the MTU will be dropped and an ICMP message sent to the packet's initiator.

Clear—To cause the device to fragment packets regardless of the original DF bit setting. If ICMP is blocked, MTU discovery fails and packets are fragmented only after encryption.

Enable Fragmentation Before Encryption

Supported on Cisco IOS routers, Catalyst 6500/7600 devices, PIX 7.0 and ASA devices.

When selected, enables fragmentation before encryption, if the expected packet size exceeds the MTU.

Lookahead Fragmentation (LAF) is used before encryption takes place to calculate the packet size that would result after encryption, depending on the transform sets configured on the IPsec SA. If the packet size exceeds the specified MTU, the packet will be fragmented before encryption.

Enable Notification on Disconnection

Supported on PIX 7.0 and ASA devices.

When selected, enables the device to notify qualified peers of sessions that are about to be disconnected. The peer receiving the alert decodes the reason and displays it in the event log or in a pop-up window. This feature is disabled by default.

IPsec sessions may be dropped for several reasons, such as a security appliance shutdown or reboot, session idle timeout, maximum connection time exceeded, or administrator cut-off.

Enable Spoke-to-Spoke Connectivity through the Hub

Supported on PIX 7.0 and ASA devices.

When selected, enables direct communication between spokes in a hub-and-spoke VPN topology, in which the hub is an ASA or PIX 7.0 device.

Enable Default Route

Supported on Cisco IOS routers and Catalyst 6500/7600 devices.

When selected, the device uses the configured external interface as the default outbound route for all incoming traffic.


Group Policies Page

In the Group Policies page, you can view the user group policies defined for your ASA SSL VPN connection profile. From this page, you can specify new ASA user groups and edit existing ones.


Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.


Each row in the table represents an ASA group policy object, displaying the name of the policy object assigned to the SSL VPN connection profile, whether it is stored on the ASA device itself (Internal) or on a AAA server (External), and whether the group is for IPSec, SSL, or both types of VPN. For external groups, the protocol is unknown and listed as N/A.

To add an ASA group policy object, click the Add Row button. This opens an object selector, from which you can select an existing policy object or click the Create button to create a new object.

To edit an object, select it and click the Edit Row button to open the ASA Group Policies Dialog Box, page 28-1.

To delete an object from the policy, select it and click the Delete Row button. The associated policy objects are not deleted; they are only removed from this policy.

Navigation Path

(Device view) Select an ASA device, then select Remote Access VPN > Group Policies from the Policy selector.

(Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy selector. Select an existing policy or create a new one.

Related Topics

Creating Group Policies (ASA), page 26-31

Public Key Infrastructure Page

Use the Public Key Infrastructure page to select the CA servers to use for creating a Public Key Infrastructure (PKI) policy for generating enrollment requests for CA certificates.


Note To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall version 6.3 between reloads, you must configure the ca save all command. You can do this manually on the device or by using a FlexConfig (see Chapter 7, "Managing FlexConfigs").


Navigation Path

(Device View) Select Remote Access VPN > Public Key Infrastructure from the Policy selector.

(Policy View) Select Remote Access VPN > Public Key Infrastructure from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding Public Key Infrastructure Policies, page 22-26

Configuring Public Key Infrastructure Policies, page 26-33

Configuring Public Key Infrastructure Policies, page 22-31

Field Reference

Table 27-49 Public Key Infrastructure Page 

Element
Description

Available CA Servers

Lists the CA servers available for selection.

Select the required CA servers and click >>.

CA servers are defined as PKI enrollments objects that contain server information and enrollment parameters required for creating enrollment requests for CA certificates.

If the required CA server is not included in the list, click Create to open the PKI Enrollment Dialog Box, page 28-33, which enables you to create a PKI enrollment object. You can also edit the properties of a CA server by selecting it and clicking Edit.

Note When creating or editing a PKI enrollment object, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box. In addition, the certificate issued to the client should have OU as the name of the user group. For more information, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 28-40.

Selected CA Servers

The selected CA servers.

To remove a CA server from this list, select it and click <<. You can select more than one CA server at a time.


Certificate to Connection Profile Maps > Policies Page

Use the Policies page to configure the matching policies for any remote client connecting to the device.

Navigation Path

(Device View) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy selector.

(Policy View) Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding Certificate to Connection Profile Map Policies (ASA), page 26-34

Configuring Certificate to Connection Profile Map Policies (ASA), page 26-35

Field Reference

Table 27-50 Certificate to Connection Profile Maps > Policies Page 

Element
Description

Use Configured Rules to Match a Certificate to a Group

When selected, the server uses the configured rules to establish authentication and determine which tunnel group to map the client to.

Use Certificate Organization Unit field to Determine the Group

When selected (default), the server uses the organizational unit (OU) field to establish authentication and determine which tunnel group to map the client to.

Use IKE Identity to Determine the Group

When selected (default), the server uses the IKE identity to establish authentication and determine which tunnel group to map the client to.

Use Peer IP Address to Determine the Group

When selected (the default), the server uses the peer IP address to establish authentication and determine which tunnel group to map the client to.


Certificate to Connection Profile Maps > Rules Page

Use the Rules page to configure the matching rules and parameters for any remote client connecting to the device. These rules are used only if you select Use Configured Rules to Match a Certificate to a Group in the Certificate to Connection Profile Maps > Policies policy (see Certificate to Connection Profile Maps > Policies Page).


Note A connection profile must exist in the configuration before you can create and map a matching rule to it. If you unassign a connection profile after creating a matching rule, the rules that are mapped to the connection profile are unassigned. See Configuring Connection Profiles (ASA), page 26-18.


Navigation Path

(Device View only) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy selector.

Related Topics

Understanding Certificate to Connection Profile Map Rules (ASA), page 26-35

Configuring Certificate to Connection Profile Map Rules (ASA), page 26-36

Field Reference

Table 27-51 Certificate to Connection Profile Maps > Rules Page 

Element
Description

Maps table

The connection profile maps for which connection rules are defined. Each row is a profile map, which includes a map name, the name of the connection profile that is being mapped, and the priority of the map (lower numbers have higher priority).

To configure rules for this map, select it and then use the rules table to create, edit, and delete the rules.

To add a map, click the Add Row button and fill in the Map Rule Dialog Box (Upper Table).

To edit map properties (not rules), select it and click the Edit Row button.

To delete an entire map, select it and click the Delete Row button.

Rules table

The rules for the map selected in the upper table. You must ensure that the map is actually selected in the upper table: the group title above the rules table should say "Details for (Connection Profile Name)."

When you select a map, the table shows all rules configured for the map, including the field (subject or issuer), certificate component, matching operator, and the value that the rule is looking for. The remote user must match all configured rules in a map for the device to use the mapped connection profile.

To add a rule, click the Add Row button and fill in the Map Rule Dialog Box (Lower Table).

To edit a rule, select it and click the Edit Row button.

To delete a rule, select it and click the Delete Row button.

Default Connection Profile

Select the default connection profile to be used if no matching rules are found.


Map Rule Dialog Box (Upper Table)

Use the Map Rule dialog box, when opened for the maps table in the upper pane of the Certificate to Connection Profile Maps > Rules policy, to configure maps for which you can then configure rules in the lower pane of the Rules policy.

Navigation Path

On the Certificate to Connection Profile Maps > Rules Page, click Add Row in the upper pane or select a row in the upper table and click Edit Row.

Related Topics

Certificate to Connection Profile Maps > Rules Page

Map Rule Dialog Box (Lower Table)

Field Reference

Table 27-52 Map Rule Dialog Box (Upper Pane) 

Element
Description

Connection Profile

Select the connection profile for which you are creating matching rules. Clients attempting to connect to this connection profile must satisfy the associated matching rule conditions to connect to the device.

Priority

The priority number of the matching rule. A lower number has a higher priority. For example, a matching rule with a priority number of 2 has a higher priority than a matching rule with a priority number of 5.

If you create multiple maps, they are processed in priority order, and the first matching rule determines to which profile the user is mapped.

Map Name

The name of the connection profile map.


Map Rule Dialog Box (Lower Table)

Use the Map Rule dialog box, when opened for the rules table in the lower pane of the Certificate to Connection Profile Maps > Rules policy, to configure rules for the map selected in the maps table (upper pane of the Rules policy).

Navigation Path

On the Certificate to Connection Profile Maps > Rules Page, click Add Row in the lower pane or select a row in the lower table and click Edit Row.

Related Topics

Certificate to Connection Profile Maps > Rules Page

Map Rule Dialog Box (Upper Table)

Field Reference

Table 27-53 Map Rule Dialog Box (Lower Pane) 

Element
Description

Field

Select the field for the matching rule according to the Subject or the Issuer of the client certificate.

Component

Select the component of the client certificate to use for the matching rule.

Operator

Select the operator for the matching rule as follows:

Equals—The certificate component must match the entered value. If they do not match exactly, the connection is denied.

Contains—The certificate component must contain the entered value. If the component does not contain the value, the connection is denied.

Does Not Equal—The certificate component cannot equal the entered value. For example, for a selected certificate component of Country, and an entered value of USA, if the client country value equals USA, then the connection is denied.

Does Not Contain—The certificate component cannot contain the entered value. For example, for a selected certificate component of Country, and an entered value of USA, if the client country value contains USA, the connection is denied.

Value

The value of the matching rule. The value entered is associated with the selected component and operator.
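The map and rule semantics described on the Rules page and in the two Map Rule dialog boxes (maps evaluated in priority order, every rule in a map must match, default profile when nothing matches, and the four operators) are modelled below as an added example. This is not Security Manager or ASA code; the map names, profile names and certificate contents are constructed, and the handling of a missing certificate component and of a map with no rules is an assumption of this model.

```python
"""Constructed model of certificate-to-connection-profile map evaluation.

Each map carries a priority (lower number wins), a target connection
profile and a list of rules.  A client certificate matches a map only if
it satisfies every rule in that map; the first matching map in priority
order decides the profile, and the default profile applies otherwise.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Operators offered by the Map Rule dialog box (lower table).
EQUALS = "Equals"
CONTAINS = "Contains"
NOT_EQUALS = "Does Not Equal"
NOT_CONTAINS = "Does Not Contain"


@dataclass
class Rule:
    field: str       # "subject" or "issuer"
    component: str   # certificate name component, e.g. "OU", "CN", "C"
    operator: str    # one of the four operators above
    value: str


@dataclass
class CertMap:
    name: str
    connection_profile: str
    priority: int
    rules: List[Rule] = field(default_factory=list)


@dataclass
class ClientCert:
    """Stand-in for a parsed X.509 certificate: only the subject and
    issuer name components matter for map evaluation (constructed)."""
    subject: Dict[str, str]
    issuer: Dict[str, str]


def rule_matches(rule: Rule, cert: ClientCert) -> bool:
    """Apply one rule.  Assumption of this model: a component that is
    absent from the certificate never satisfies Equals/Contains and
    always satisfies the negated operators."""
    name = cert.subject if rule.field == "subject" else cert.issuer
    actual = name.get(rule.component)
    if rule.operator == EQUALS:
        return actual is not None and actual == rule.value
    if rule.operator == CONTAINS:
        return actual is not None and rule.value in actual
    if rule.operator == NOT_EQUALS:
        return actual is None or actual != rule.value
    if rule.operator == NOT_CONTAINS:
        return actual is None or rule.value not in actual
    raise ValueError(f"unknown operator: {rule.operator}")


def map_matches(cmap: CertMap, cert: ClientCert) -> bool:
    """All rules in a map must match (a map with no rules is assumed to
    match nothing, so it cannot silently capture every client)."""
    return bool(cmap.rules) and all(rule_matches(r, cert) for r in cmap.rules)


def select_connection_profile(maps: List[CertMap], cert: ClientCert,
                              default_profile: str) -> str:
    """Evaluate maps in priority order (lower number first); the first
    map whose rules all match wins, otherwise fall back to the default."""
    for cmap in sorted(maps, key=lambda m: m.priority):
        if map_matches(cmap, cert):
            return cmap.connection_profile
    return default_profile


# Constructed maps, as they would be entered in the Rules page.
SAMPLE_MAPS = [
    CertMap("contractors", "ContractorProfile", 5,
            [Rule("subject", "OU", CONTAINS, "Contractor")]),
    CertMap("engineering", "EngProfile", 2,
            [Rule("subject", "OU", EQUALS, "Engineering"),
             Rule("issuer", "CN", EQUALS, "Corp Issuing CA")]),
    CertMap("non-us", "RestrictedProfile", 10,
            [Rule("subject", "C", NOT_EQUALS, "US")]),
]
DEFAULT_PROFILE = "DefaultRAProfile"


def demo() -> List[str]:
    """Run four constructed client certificates through the maps."""
    ca = {"CN": "Corp Issuing CA"}
    certs = [
        ClientCert({"CN": "alice", "OU": "Engineering", "C": "US"}, ca),
        ClientCert({"CN": "bob", "OU": "Contractor-Ops", "C": "US"}, ca),
        ClientCert({"CN": "carol", "OU": "Sales", "C": "DE"}, ca),
        ClientCert({"CN": "dave", "OU": "Sales", "C": "US"}, ca),
    ]
    return [select_connection_profile(SAMPLE_MAPS, c, DEFAULT_PROFILE)
            for c in certs]


if __name__ == "__main__":
    for profile in demo():
        print(profile)
```

A certificate that satisfies only some of a map's rules (for example an Engineering OU issued by a different CA) falls through to the next map and, if nothing else matches, to the default profile.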


High Availability Page

Use the High Availability page to configure a High Availability (HA) policy on a Cisco IOS router or Cisco Catalyst switch in a remote access VPN.

Navigation Path

(Device View) Select an IOS or Catalyst device; then select Remote Access VPN > IPSec VPN > High Availability from the Policy selector.

(Policy View) Select Remote Access VPN > IPSec VPN > High Availability from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding High Availability in Remote Access VPNs (IOS), page 26-41

Configuring a High Availability Policy, page 26-41

Field Reference

Table 27-54 High Availability Page 

Element
Description

Inside Virtual IP

The IP address that will be shared by the hubs in the HA group and will represent the inside interface of the HA group. The virtual IP address must be on the same subnet as the inside interfaces of the hubs in the HA group.

Note You must provide an inside virtual IP that matches the subnet of one of the interfaces on the device, in addition to a VPN virtual IP that matches the subnet of one of the device's interfaces and is configured with an IPsec proposal; otherwise an error is displayed.

Note If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Inside Mask

The subnet mask for the inside virtual IP address.

VPN Virtual IP

The IP address that will be shared by the hubs in the HA group and will represent the VPN interface of the HA group. This IP address will serve as the hub endpoint of the VPN tunnel.

You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.

Note If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.

VPN Mask

The subnet mask for the VPN virtual IP address.

Hello Interval

The duration in seconds (within the range of 1-254) between each hello message sent by a hub to the other hubs in the group to indicate status and priority. The default is 5 seconds.

Hold Time

The duration in seconds (within the range of 2-255) that a standby hub will wait to receive a hello message from the active hub before concluding that the hub is down. The default is 15 seconds.

Standby Group Number (Inside)

The standby number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 1.

Standby Group Number (Outside)

The standby number of the outside hub interface that matches the external virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 2.

Note The outside standby group number must be different from the inside standby group number.

Failover Server

The IP address of the inside interface of the remote peer device.

You can click Select to open the Network/Hosts Selector, from which you can select a host from which the IP address of the remote peer will be allocated.

Enable Stateful Failover

When selected, enables SSO for stateful failover.

Note In an Easy VPN topology, this check box appears selected and disabled, as stateful failover must always be configured.

You can only configure stateful failover on an HA group that contains two hubs that are Cisco IOS routers. This check box is disabled if the HA group contains more than two hubs.

Note When deselected in a Regular IPsec topology, stateless failover is configured on the HA group. Stateless failover will also be configured if the HA group contains more than two hubs. Stateless failover can be configured on Cisco IOS routers or Catalyst 6500/7600 devices.


IKE Proposal Page

Use the IKE Proposal page to select the IKE proposals to use for your remote access VPN server.

Navigation Path

(Device view) Select Remote Access VPN > IKE Proposal from the Policy selector.

(Policy view) Select Remote Access VPN > IKE Proposal from the Policy type selector and select an existing policy or create a new one.

Related Topics

Remote Access VPN Configuration Wizard

Understanding IKE, page 22-1

Understanding IKE Proposals in Remote Access VPNs, page 26-37

Configuring IKE Proposals on a Remote Access VPN Server, page 26-37

Deciding Which Encryption Algorithm to Use, page 22-2

Deciding Which Hash Algorithm to Use, page 22-2

Deciding Which Diffie-Hellman Group to Use, page 22-3

Deciding Which Authentication Method to Use, page 22-3

Field Reference

Table 27-55 IKE Proposal Page 

Element
Description

Available IKE Proposals

Lists the predefined IKE proposals available for selection.

Select the required IKE proposals and click >>.

IKE proposals are predefined objects. If the required IKE proposal is not included in the list, click Create to open the Add or Edit IKE Proposal Dialog Box, page 28-26, which enables you to create or edit an IKE proposal object.

Selected IKE Proposals

Lists the selected IKE proposals.

To remove an IKE proposal from this list, select it and click <<.

To modify the properties of an IKE proposal, select it and click Edit.


IPsec Proposal Page

An IPsec proposal defines the external interface through which remote access clients connect to the server, and the encryption and authentication algorithms used to protect the data in the VPN tunnel.

Use the IPsec Proposal page to create or edit IPsec policy definitions for your remote access VPN. For more information on IPsec proposals, see Understanding IPsec Tunnel Policies, page 22-5 and About Crypto Maps, page 22-6.

Navigation Path

(Device View) Select Remote Access VPN > IPSec VPN > IPsec Proposal from the Policy selector.

(Policy View) Select Remote Access VPN > IPSec VPN > IPsec Proposal from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding IPsec Proposals in Remote Access VPNs, page 26-38

Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39

Defining Accounts and Credential Policies, page 53-14

Remote Access VPN Configuration Wizard

IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)

Field Reference

Table 27-56 IPsec Proposal Page 

Element
Description

Endpoint

The external interface (or inside VLAN for a Catalyst 6500/7600 device) through which remote access clients will connect to the server.

Transform Sets

The transform set(s) selected for the policy (the default is tunnel_3des_sha).

Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.

RRI

Shows whether Reverse Route Injection (RRI) is enabled or disabled on the crypto map for the support of VPN clients.

For more information, see About Reverse Route Injection, page 22-8.

AAA Authorization

If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the name of the server groups selected to perform AAA authorization.

AAA Authentication

If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the name of the server groups selected to perform AAA authentication.

VRF

If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows whether VRF is enabled or disabled.

DVTI

If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows whether DVTI is enabled or disabled.

Create button

Click to open the IPsec Proposal Editor dialog box to create an IPsec proposal.

If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices).

If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices).

Edit button

Select the row of a proposal from the table, then click to open the IPsec Proposal Editor dialog box to edit the selected proposal.

If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices).

If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices).

Delete button

Select the rows of one or more proposals, then click to delete.


IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)

Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.

The elements in this dialog box differ according to the selected device. Table 27-57 describes the elements in the IPsec Proposal Editor dialog box when a PIX 7.0 or ASA device is selected.


Note For a description of the elements in the dialog box when a Cisco IOS router or Catalyst 6500/7600 is selected, see Table 27-58.


Navigation Path

Open the IPsec Proposal Page, then click Create, or select a proposal from the list and click Edit.

Related Topics

Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39

Understanding IPsec Tunnel Policies, page 22-5

Creating Interface Role Objects, page 6-56

Creating AAA Server Group Objects, page 6-37

Field Reference

Table 27-57 IPsec Proposal Editor (for PIX and ASA Devices) 

Element
Description

External Interface

The external interface (endpoint) through which remote access clients connect to the server.

An endpoint can be an interface or a set of interfaces that are defined by a particular interface role. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.

Transform Sets

The transform set or sets to use for your tunnel policy (the default is tunnel_3des_sha).

Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.

A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.

If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.

Note You can select up to six transform sets.

For more information, see About Transform Sets, page 22-7.

Reverse Route Injection

Note Available only for ASA devices.

Select the required option to configure Reverse Route Injection (RRI) on the crypto map in your tunnel policy:

None—To disable the RRI configuration on the crypto map.

Standard—This is the default. It creates routes based on the destination information defined in the crypto map access control list (ACL).

For more information, see About Reverse Route Injection, page 22-8.

Enable Network Address Translation Traversal

Note Available only for ASA devices.

When selected (the default), enables you to configure NAT traversal on the device.

You use NAT traversal when a device located between a VPN-connected hub and spoke (referred to as the middle device) performs NAT on the IPsec flow.

For more information, see Understanding NAT, page 22-13.


IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)

Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.

If you select an IOS router, the IPsec Proposal Editor dialog box displays two tabs—General and Dynamic VTI/VRF Aware IPsec. If you select a Catalyst 6500/7600, the FWSM Settings tab is also displayed.

Click the appropriate tab to specify general IPsec settings, configure Dynamic VTI or VRF Aware IPsec, or both, on the selected device, or configure FWSM on a Catalyst 6500/7600 device.

The elements in this dialog box differ according to the selected device. Table 27-58 describes the elements on the General tab in the IPsec Proposal Editor dialog box when a Cisco IOS router or Catalyst 6500/7600 is selected.


Note For a description of the elements in the dialog box when a PIX 7.0+ or ASA device is selected, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices).


Navigation Path

Open the IPsec Proposal Page, then click Create, or select a proposal from the list and click Edit. The IPsec Proposal Editor dialog box opens, displaying the General tab.

Related Topics

VPNSM/VPN SPA Settings Dialog Box

Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor)

Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39

Creating Interface Role Objects, page 6-56

Creating AAA Server Group Objects, page 6-37

Field Reference

Table 27-58 IPsec Proposal Editor > General Tab 

Element
Description

External Interface

Note Available only if the selected device is an IOS router.

The external interface through which remote access clients will connect to the server.

An external interface can be defined by a specific interface role. Interface roles are predefined objects. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.

Inside VLAN

Note Available only if the selected device is a Catalyst 6500/7600.

The inside VLAN that serves as the inside interface to the VPN Services Module (VPNSM) or VPN SPA. Click Select to open a dialog box in which you define the settings that enable you to configure a VPN Services Module (VPNSM) external interface or a VPN SPA blade on the Catalyst 6500/7600 device. See VPNSM/VPN SPA Settings Dialog Box.

For information about configuring a VPNSM, see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.

For information about configuring a VPN SPA, see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.

Transform Sets

The transform set or sets to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms are used to secure the traffic in the tunnel.

A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.

If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security is used.

Note You can select up to six transform sets.

For more information, see About Transform Sets, page 22-7.

Reverse Route Injection

Select one of the following options to configure Reverse Route Injection (RRI) on the crypto map:

None—To disable the configuration of RRI on the crypto map.

Standard—The default. It creates routes according to the destination information defined in the crypto map access control list (ACL).

Remote Peer—To create two routes, one for the remote endpoint and one for route recursion to the remote endpoint through the interface to which the crypto map is applied.

Remote Peer IP—To specify an interface or address as the explicit next hop to the remote VPN device. Then click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to use as the next hop.

Note You can select the Allow Value Override per Device check box to override the default route, if required.

For more information, see About Reverse Route Injection, page 22-8.

Group Policy Lookup/AAA Authorization Method

The AAA authorization method list that defines the order in which the group policies are searched. Group policies can be configured on the local server or on an external AAA server.

Note The default is LOCAL.

Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.

User Authentication (Xauth)/AAA Authentication Method

The AAA or Xauth user authentication method that defines the order in which user accounts are searched.

Note The default authentication method is LOCAL.

Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange.

For more information about defining user accounts, see Defining Accounts and Credential Policies, page 53-14.

Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.


VPNSM/VPN SPA Settings Dialog Box


Note This dialog box is available only if the selected device is a Catalyst 6500/7600.


Use the VPNSM/VPN SPA Settings dialog box to specify the settings for configuring a VPN Services Module (VPNSM) or a VPN Shared Port Adapter (VPN SPA) on a Catalyst 6500/7600 device.


Note Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory and discover its interfaces. For more information, see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.

Before you configure VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that the device does not already have both an IPsec proposal with VRF-Aware IPsec and an IPsec proposal without VRF-Aware IPsec configured.


For more information about VPNSM or VPNSPA/VSPA, see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.

Navigation Path

In the General tab of the IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), click Select next to the Inside VLAN field.

Related Topics

IPsec Proposal Page

IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)

Creating Interface Role Objects, page 6-56

Field Reference

Table 27-59 VPNSM/VPN SPA Settings Dialog Box 

Element
Description

Inside VLAN

The inside VLAN that serves as the inside interface to the VPNSM or VPN SPA, and to which the required crypto maps will be applied.

If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, from which you can make your selection, or create interface role objects.

Slot

From the list of available slots, select the VPNSM blade slot number to which the inside VLAN interface is connected or the number of the slot in which the VPN SPA blade is inserted.

Subslot

The number of the subslot (0 or 1) on which the VPN SPA blade is installed.

Note If you are configuring a VPNSM, select the blank option.

External Port

The external port or VLAN that connects to the inside VLAN.

Note If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address. If VRF-Aware IPsec is not configured, the external port or VLAN must not have an IP address.

Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, from which you can make your selection, or create interface role objects.

Note You must specify an interface or interface role that differs from the one specified for the inside VLAN.

Enable Failover Blade

When selected, enables you to configure a failover VPNSM or VPN SPA blade for intrachassis high availability.

Note A VPNSM blade and VPN SPA blade cannot be used on the same device as primary and failover blades.

Failover Slot

From the list of available slots, select the VPNSM blade slot number that serves as the failover blade, or the number of the slot in which the failover VPN SPA blade is inserted.

Failover Subslot

Select the number of the subslot (0 or 1) on which the failover VPN SPA blade is actually installed.

Note If you are configuring a VPNSM, select the blank option.


Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor)


Note The Dynamic VTI/VRF Aware IPsec tab is available only when the selected device is a Cisco IOS router or Catalyst 6500/7600.


Use the Dynamic VTI/VRF Aware IPsec tab of the IPsec Proposal Editor to configure VRF Aware IPsec settings (on a Cisco IOS router or Catalyst 6500/7600 device), configure a dynamic virtual interface on a Cisco IOS router, or do both, in your remote access VPN.

For more information, see:

Understanding VRF-Aware IPsec, page 21-13

Understanding IPsec Proposals in Remote Access VPNs, page 26-38

Navigation Path

In the IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), click the Dynamic VTI/VRF Aware IPsec tab.

Related Topics

IPsec Proposal Page

Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39

Understanding IPsec Tunnel Policies, page 22-5

Creating Interface Role Objects, page 6-56

Field Reference

Table 27-60 IPsec Proposal Editor > Dynamic VTI/VRF Aware IPsec Tab 

Element
Description

Enable Dynamic VTI

When selected, enables Security Manager to implicitly create a dynamic virtual template interface on an IOS router.

Note Dynamic VTI can be configured only on IOS routers running Cisco IOS Release 12.4(2)T and later, except 7600 devices. If the device does not support Dynamic VTI, an error message is displayed.

For more information, see PVC Dialog Box—QoS Tab, page 52-60.

Enable VRF Settings

When selected, enables you to configure VRF settings on the device for the selected hub-and-spoke topology.

Note To remove VRF settings that were defined for the VPN topology, deselect this check box.

User Group

When you configure a remote access VPN server, remote clients must have the same group name as the user group object configured on the VPN server so that they can connect to the device.

Enter the name of the user group policy object associated with the device, or click Select to select it from a list. You can also create new objects or edit existing ones from the selection list.

CA Server

Select the Certification Authority (CA) server to use for managing certificate requests for the device.

If the required CA server is not included in the list, click Select to open a dialog box that lists all available CA servers and enables you to create a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page 28-33.

For more information about IPsec configuration with CA servers, see Understanding Public Key Infrastructure Policies, page 22-26.

Virtual Template IP Type

Available if you selected the Enable Dynamic VTI check box.

Specify the virtual template interface to use by clicking one of the following radio buttons:

IP—To use an IP address as the virtual template interface. Then specify the private IP address in the IP field.

If required, click Select to open the Network/Hosts selector in which you can select a host to be used as the IP address.

Use Loopback Interface—To use the IP address taken from an existing loopback interface as the virtual template interface. Then, in the Role field, enter the interface or click Select to select it from the list of interface roles.

Note A virtual template IP address is configured only on a server in a remote access VPN.

VRF Solution

Available if you selected the Enable VRF Settings check box.

Click one of the following radio buttons to configure the required VRF solution:

1-Box (IPsec Aggregator + MPLS PE)—One device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 21-13.

2-Box (IPsec Aggregator Only)—The PE device does only the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 21-14.

VRF Name

The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.

Route Distinguisher

The unique identifier of the VRF routing table on the IPsec Aggregator.

This unique route distinguisher maintains routing separation for each VPN across the MPLS core to the other PE routers.

The identifier can be in either of the following formats:

IP address:X (where X is in the range of 0-999999999).

N:X (where N is in the range of 0-65535, and X is in the range of 0-999999999).

Note You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it through the device CLI and then deploy again.

Interface Towards Provider Edge

Available only if the 2-Box radio button is selected.

The VRF forwarding interface on the IPsec Aggregator towards the PE device.

Note If the IPsec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN.

Interfaces and VLANs are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects.

Routing Protocol

Available only if the 2-Box radio button is selected.

Select the routing protocol to use between the IPsec Aggregator and the PE.

If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, select the routing protocol for redistributing the routing to the secured IGP.

The options are BGP, EIGRP, OSPF, RIPv2, or Static route.

For information about these protocols, see Chapter 51, "Managing Routers".

AS Number

Available only if the 2-Box radio button is selected.

The number to use to identify the autonomous system (AS) area between the IPsec Aggregator and the PE.

If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, enter an AS number that identifies the secured IGP into which the routing will be redistributed from the IPsec Aggregator and the PE. This is relevant only if GRE or DMVPN are applied.

The AS number must be between 1 and 65535.

Process Number

Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.

The routing process ID number to use to configure the routing between the IPsec Aggregator and the PE.

The process number must be between 1 and 65535.

OSPF Area ID

Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.

The ID number of the area in which the packet belongs. You can enter any number from 0 to 4294967295.

Note All OSPF packets are associated with a single area, so all devices must have the same area ID number.

Redistribute Static Route

Available only if the 2-Box radio button is selected, and for any selected routing protocol other than Static route.

When selected, enables static routes to be advertised in the routing protocol configured on the IPsec Aggregator towards the PE device.

Note If this check box is deselected and Enable Reverse Route Injection is enabled (default) for the IPsec proposal, static routes are still advertised in the routing protocol on the IPsec Aggregator.

Next Hop IP Address

Available only if the 2-Box radio button is selected and if the selected routing protocol is Static.

The IP address of the provider edge device (or the interface that is connected to the IPSec aggregator).
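The Route Distinguisher entry above lists two accepted formats and their ranges. The following validator, added here as an example and not part of Security Manager or Cisco IOS, parses both forms ("A.B.C.D:X" and "N:X") and enforces the page's ranges (N 0-65535, X 0-999999999):

```python
import ipaddress
import re
from typing import Tuple, Union

# Added example (not Security Manager code): validates the two Route Distinguisher
# formats listed for the VRF settings, "A.B.C.D:X" and "N:X", with the page's ranges.
RD_X_MAX = 999_999_999   # assigned-number field X
RD_N_MAX = 65535         # AS-number field N
_DIGITS = re.compile(r"[0-9]+")


def parse_route_distinguisher(rd: str) -> Tuple[str, Union[str, int], int]:
    """Return ("ip", "A.B.C.D", X) or ("asn", N, X); raise ValueError when invalid."""
    if rd.count(":") != 1:
        raise ValueError(f"expected exactly one ':' in route distinguisher {rd!r}")
    left, right = rd.split(":")
    if not _DIGITS.fullmatch(right):
        raise ValueError(f"assigned number {right!r} is not a decimal integer")
    x = int(right)
    if x > RD_X_MAX:
        raise ValueError(f"assigned number {x} exceeds {RD_X_MAX}")
    if "." in left:
        # IPv4 form; IPv4Address raises AddressValueError (a ValueError) on bad input
        return ("ip", str(ipaddress.IPv4Address(left)), x)
    if not _DIGITS.fullmatch(left):
        raise ValueError(f"field {left!r} is neither an IPv4 address nor a number")
    n = int(left)
    if n > RD_N_MAX:
        raise ValueError(f"AS number {n} exceeds {RD_N_MAX}")
    return ("asn", n, x)


def is_valid_route_distinguisher(rd: str) -> bool:
    """Convenience wrapper for form validation before deployment."""
    try:
        parse_route_distinguisher(rd)
        return True
    except ValueError:
        return False
```

Validating the RD before deployment matters because, as the note above states, the value cannot be overridden afterwards without manual CLI removal.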


User Group Policy Page

Use the User Group Policy page to specify user groups for your remote access IPSec VPN server. You can configure user groups on a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500/7600 device.

Navigation Path

(Device view) Select Remote Access VPN > IPSec VPN > User Groups from the Policy selector.

(Policy view) Select Remote Access VPN > IPSec VPN > User Groups (IOS/PIX 6.x) from the Policy Type selector and select an existing policy or create a new one.

Related Topics

Remote Access VPN Configuration Wizard

Understanding User Group Policies (IOS), page 26-42

Configuring User Group Policies, page 26-43

Field Reference

Table 27-61 User Group Policy Page 

Element
Description

Available User Groups

Lists the predefined user groups available for selection.

Select the required user groups and click >>.

In Security Manager, user groups are objects. If the required user group is not in the list, click Create to open the User Groups Editor dialog box, which enables you to create or edit a user group object. See Add or Edit User Group Dialog Box, page 28-68.

Selected User Groups

Displays the selected user groups.

To remove a user group from this list, select it and click <<.

To modify the properties of a user group, select it and click Edit.


SSL VPN Access Policy Page

Use the SSL VPN Access Policy page to configure access parameters for your SSL VPN. For information about configuring an Access policy, see Configuring an Access Policy, page 26-45.

Navigation Path

(Device View) Select Remote Access VPN > SSL VPN > Access from the Policy selector.

(Policy View) Select Remote Access VPN > SSL VPN > Access (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Access Interface Configuration Dialog Box

Understanding Interface Role Objects, page 6-55

Field Reference

Table 27-62 SSL VPN Access Policy Page 

Element
Description

Access Interface Table

The Access Interface table displays the access settings for each interface.

To configure access on an interface, click the Add button (see Access Interface Configuration Dialog Box).

To edit access settings for an interface, select the interface and click the Edit button (see Access Interface Configuration Dialog Box).

To delete access settings for an interface, select the interface and click the Delete button.

Port Number

The port to use for SSL VPN sessions. The default port is 443, for HTTPS traffic; the range is 1024 through 65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect.

Note If HTTP port redirection is enabled, the default HTTP port number is 80.

Enter the name of a port list, or click Select to open the Port List Selector from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects.

DTLS Port Number

Specify a separate UDP port for DTLS connections. The default port is 443.

Enter the name of a port list, or click Select to open the Port List Selector from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects.

For details about DTLS, see Understanding SSL VPN Client Settings, page 26-56.

Fallback Trustpoint

Enter or select a trustpoint to use for interfaces that do not have a trustpoint assigned.

Default Idle Timeout

Amount of time, in seconds, that an SSL VPN session can be idle before the security appliance terminates it.

This value applies only if the Idle Timeout value in the group policy for the user is set to zero (0), which means there is no timeout value; otherwise the group policy Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 60 seconds (1 minute). The default is 30 minutes (1800 seconds). Maximum is 24 hours (86400 seconds).

We recommend that you set this attribute to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the Simultaneous Logins attribute for the group policy is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again.

Max Session Limit

The maximum number of SSL VPN sessions allowed.

Be aware that the different ASA models support SSL VPN sessions as follows: ASA 5510 supports a maximum of 150; ASA 5520 maximum is 750; ASA 5540 maximum is 2500.

Allow Users to Select Connection Profile in Portal Page

When selected, includes a list of configured Connection Profiles (tunnel groups) on the SSL VPN end-user interface, from which users can select a profile when they log in.

When deselected, the user cannot select a profile on login.

Enable AnyConnect Access

When selected, allows SSL VPN client connections. For details about AnyConnect SSL VPN clients, see Understanding SSL VPN Client Settings, page 26-56.

Enable AnyConnect Essentials

When selected, enables the AnyConnect Essentials feature. For details about AnyConnect Essentials SSL VPN clients, see Understanding SSL VPN Client Settings, page 26-56.


Access Interface Configuration Dialog Box

Use the Access Interface Configuration dialog box to create or edit SSL VPN access on a security appliance interface.

Navigation Path

Open the SSL VPN Access Policy Page, then click Add Row below the table, or select a row in the table and click Edit Row.

Related Topics

Configuring an Access Policy, page 26-45

Understanding Interface Role Objects, page 6-55

Field Reference

Table 27-63 SSL VPN Access Policy Page > Access Interface Configuration Dialog Box 

Element
Description

Access Interface

Enter the interface on which you want to configure SSL VPN access.

You can click Select to open a dialog box from which you can select an interface from a list of interface or interface role objects.

Trustpoint

Enter or Select the previously defined trustpoint to be assigned to this interface.

Load Balancing Trustpoint

If load balancing is configured, you can enter or Select a secondary trustpoint to be assigned to this interface.

Allow Access

Select this option to enable VPN access via this interface. If the option is not selected, access is configured on the interface, but it is disabled.

Enable DTLS

When selected, enables Datagram Transport Layer Security (DTLS) on the interface and allows an AnyConnect VPN Client to establish an SSL VPN connection using two simultaneous tunnels—an SSL tunnel and a DTLS tunnel.

Check Client Certificate

When selected, a valid digital certificate is required from the client for connection.


SSL VPN Other Settings Page

Use the SSL VPN Other Settings page to define global settings for caching, content rewriting, character encoding, proxy, and memory size definitions that apply to devices in your VPN topology.

For more information, see Configuring Other SSL VPN Settings, page 26-46.

These tabs are available on the SSL VPN Other Settings page.

Performance Tab

Content Rewrite Tab

Encoding Tab

Proxy Tab

Plug-in Tab

SSL VPN Client Settings Tab

Advanced Tab

Navigation Path

(Device View) Select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.

(Policy View) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.

Performance Tab

Use the Performance tab of the SSL VPN Other Settings page to specify caching properties that enhance SSL VPN performance.

Navigation Path

The Performance tab appears when you open the SSL VPN Other Settings Page. You can also open it by clicking the Performance tab from any other tab on the SSL VPN Global Settings page.

Related Topics

Defining Performance Settings, page 26-47

SSL VPN Other Settings Page

Field Reference

Table 27-64 SSL VPN Other Settings > Performance Tab 

Element
Description

Enable

When selected, enables the use of cache settings for the security appliance. This check box is selected by default.

When deselected, the cache settings configured on the security appliance do not take effect and all the fields under the Performance tab are grayed out.

Minimum Object Size

The minimum size of an HTTP object that can be stored in the cache (in kilobytes) on the security appliance.

The minimum size range is 0-10,000 KB. The default is 0 KB.

Maximum Object Size

The maximum size (in kilobytes) of an HTTP object that can be stored in the cache on the security appliance.

The maximum size limit for an HTTP object is 10,000 KB. The default is 1000 KB.

Last Modified Factor

Specifies an integer to set a revalidation policy for caching objects that have only the last-modified timestamp, and no other server-set expiration values. The range is 1-100. The default is 20.

The Expires response from the origin web server to the security appliance request, which indicates the time that the response expires, also affects caching. This response header indicates the time that the response becomes stale and should not be sent to the client without an up-to-date check (using a conditional GET operation).

The security appliance can also calculate an expiration time for each web object before it is written to disk. The algorithm to calculate an object's cache expiration date is as follows:

Expiration date = (Today's date - Object's last modified date) * Freshness factor

After the expiration date has passed, the object is considered stale and subsequent requests cause a fresh retrieval of the content by the security appliance. Setting the last modified factor to zero is equivalent to forcing an immediate revalidation, while setting it to 100 results in the longest allowable time until revalidation.

Expiration Time

The amount of time (in minutes) that the security appliance caches objects without revalidating them. The range is 0-900 minutes. The default is one minute.

Revalidation consists of rejecting the objects from the origin server before serving the requested content to the client browser when the age of the cached object has exceeded its freshness lifetime. The age of a cached object is the time that the object has been stored in the security appliance's cache without the security appliance explicitly contacting the origin server to check if the object is still fresh.

Cache Compressed Content

When selected, enables compressed objects (zip, gz, and tar files) for SSL VPN sessions to be cached on the security appliance.

When you deselect this check box, the security appliance stores objects before it compresses them.

Cache Static Content

When selected, enables static content to be cached on the security appliance.

Each web page comprises static and dynamic objects. The security appliance caches individual static objects, such as image files (*.gif, *.jpeg), java applets (.js), and cascading style sheets (*.css), etc.
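The Last Modified Factor and Expiration Time entries above describe how the appliance decides when a cached object is stale. The following is an added example, not Cisco code, that applies that heuristic: the freshness lifetime is computed at store time as (stored date - last modified date) * factor / 100, an explicit Expires header from the origin takes precedence, and factor 0 forces immediate revalidation.

```python
from datetime import datetime, timedelta
from typing import Optional

# Added example (not ASA or Security Manager code): the Last Modified Factor
# heuristic from the Performance tab, applied to one cached HTTP object.
# The factor is the page's 1-100 integer; 0 is accepted and means "revalidate now".


def heuristic_lifetime(last_modified: datetime, stored_at: datetime, factor: int) -> timedelta:
    """Freshness lifetime computed when the object is written to the cache:
    (stored_at - last_modified) * factor / 100."""
    if not 0 <= factor <= 100:
        raise ValueError("last modified factor must be between 0 and 100")
    since_modified = stored_at - last_modified
    if since_modified <= timedelta(0):
        # Last-Modified in the future (clock skew): no usable heuristic, treat as stale
        return timedelta(0)
    return since_modified * factor / 100


def needs_revalidation(last_modified: datetime, expires: Optional[datetime],
                       stored_at: datetime, factor: int, now: datetime) -> bool:
    """True when the cached copy must be checked against the origin (conditional GET)
    before it is served. An explicit Expires header wins; the heuristic applies only
    to objects that carry just a Last-Modified timestamp."""
    if expires is not None:
        return now >= expires
    lifetime = heuristic_lifetime(last_modified, stored_at, factor)
    age = now - stored_at  # time held in cache without contacting the origin
    return age >= lifetime
```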


Content Rewrite Tab

Use the Content Rewrite tab of the SSL VPN Other Settings page to enable the security appliance to create rewrite rules that permit users to browse certain sites and applications without going through the security appliance itself.

Navigation Path

Open the SSL VPN Other Settings Page, then click the Content Rewrite tab.

Related Topics

Defining Content Rewrite Rules, page 26-48

SSL VPN Other Settings Page

Field Reference

Table 27-65 SSL VPN Global Settings > Content Rewrite Tab 

Element
Description

Rule Number

An integer that indicates the position of the rule in the list.

The security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches.

Rule Name

The name of the application for which the rule applies.

Resource Mask

The application or resource for the rule.

Enable

Indicates whether the content rewrite rule is enabled or not on the security appliance.

Create button

Opens a dialog box that lets you add a content rewrite rule to the list. See Add/Edit Content Rewrite Dialog Box.

Edit button

Opens a dialog box that lets you edit a selected content rewrite rule in the table. See Add/Edit Content Rewrite Dialog Box.

Delete button

Deletes one or more selected content rewrite rules from the table.


Add/Edit Content Rewrite Dialog Box

Use the Add/Edit Content Rewrite dialog box to configure the rewriting engine, which handles advanced elements such as JavaScript, VBScript, Java, and multi-byte characters when proxying HTTP traffic over an SSL VPN connection.

Navigation Path

Open the Content Rewrite Tab, then click Create below the table, or select a row in the table and click Edit.

Related Topics

Defining Content Rewrite Rules, page 26-48

SSL VPN Other Settings Page

Content Rewrite Tab

Field Reference

Table 27-66 SSL VPN Other Settings > Content Rewrite Tab > Add/Edit Content Rewrite Dialog Box 

Element
Description

Enable

When selected, enables content rewriting on the security appliance for the rewrite rule.

Some applications do not require this processing, such as external public websites. For these applications, you might choose to turn off content rewriting.

Rule Number

Specifies a number for this rule. This number specifies the position of the rule in the list. Rules without a number are at the end of the list. The range is from 1 to 65534.

Rule Name

Specifies an alphanumeric string that describes the content rewrite rule. The maximum is 128 bytes.

Resource Mask

Specifies the name of the application or resource to which the rule applies.

You can use the following wildcards:

*—Matches everything. You cannot use this wildcard by itself. It must accompany an alphanumeric string.

?—Matches any single character.

[!seq]—Matches any character not in sequence.

[seq]—Matches any character in sequence.

The maximum is 300 bytes.


Encoding Tab

Use the Encoding tab of the SSL VPN Other Settings page to specify the character set to encode in SSL VPN portal pages to be delivered to remote users. By default, the encoding type set on the remote browser determines the character set for SSL VPN portal pages, so you need to set the character encoding only if it is necessary to ensure proper encoding on the browser.

Navigation Path

Open the SSL VPN Other Settings Page, then click the Encoding tab.

Related Topics

Defining Encoding Rules, page 26-50

SSL VPN Other Settings Page

Field Reference

Table 27-67 SSL VPN Other Settings > Encoding Tab 

Element
Description

Global SSL VPN Encoding Type

Select the attribute that determines the character encoding that all SSL VPN portal pages inherit, except for those portal pages delivered from the CIFS servers listed in the table.

By default, the security appliance applies the "Global SSL VPN Encoding Type" to pages from Common Internet File System servers.

You can select one of the following values:

big5

gb2312

ibm-850

iso-8859-1

shift_jis

Note If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family.

unicode

windows-1252

none

If you choose None or specify a value that the browser on the SSL VPN client does not support, it uses its own default encoding.

You can enter a string of up to 40 characters that is equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive; the command interpreter converts upper-case to lower-case when you save the security appliance configuration.

Common Internet File System Server

The name or IP address of each CIFS server for which the encoding requirement differs from the "Global SSL VPN Encoding Type" attribute setting.

Encoding Type

The character encoding override for the associated CIFS server.

Create button

Opens a dialog box that lets you add a CIFS server for which the encoding requirement differs from the "Global SSL VPN Encoding Type" attribute setting. See Add/Edit File Encoding Dialog Box.

Edit button

Opens a dialog box that lets you edit the settings of a selected CIFS server in the table. See Add/Edit File Encoding Dialog Box.

Delete button

Select the rows of one or more exceptions to the global encoding type attribute setting, then click to remove from the list.


Add/Edit File Encoding Dialog Box

Use the Add/Edit File Encoding dialog box to configure CIFS servers and associated character encoding, to override the value of the "Global SSL VPN Encoding Type" attribute.

Navigation Path

Open the Encoding Tab, then click Create below the table, or select a row in the table and click Edit.

Related Topics

Defining Encoding Rules, page 26-50

Field Reference

Table 27-68 SSL VPN Other Settings > Encoding Tab > Add/Edit File Encoding Dialog Box 

Element
Description

CIFS Server IP

When selected, indicates the IP address of a CIFS server for which the encoding requirement differs from the "Global SSL VPN Encoding Type" attribute setting.

CIFS servers are predefined objects. You can click Select to open the Network/Hosts Selector dialog box that lists all available network hosts, and in which you can create network host objects.

CIFS Server Host

When selected, indicates the host name of a CIFS server for which the encoding requirement differs from the "Global SSL VPN Encoding Type" attribute setting. The security appliance retains the case you specify, although it ignores the case when matching the name to a server.

Encoding Type

Select the character encoding that the CIFS server should provide for SSL VPN portal pages. This selection overrides the "Global SSL VPN Encoding Type" attribute setting.

If you choose None or specify a value that the browser on the SSL VPN client does not support, it uses its own default encoding.


Proxy Tab

Use the Proxy tab of the SSL VPN Other Settings page to configure the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. On this tab, you can also configure the security appliance to perform minimal content rewriting, and to specify the types of content to rewrite—external links or XML.

Navigation Path

Open the SSL VPN Other Settings Page, then click the Proxy tab.

Related Topics

Defining Proxies and Proxy Bypass Rules, page 26-51

Understanding Network/Host Objects, page 6-62

Field Reference

Table 27-69 SSL VPN Other Settings > Proxy Tab 

Element
Description

Proxy Type

Select the type of external proxy server to use for SSL VPN connections as follows:

HTTP/HTTPS Proxy—Enables you to use an external proxy server to handle HTTP or HTTPS requests and activates all the fields beneath it that specify HTTP or HTTPS server properties.

Proxy using PAC—Enables you to specify a proxy autoconfiguration (PAC) file to download from an HTTP proxy server to a browser.

HTTP/HTTPS Proxy Servers

Enable HTTP Proxy Server

Click this check box to enable the HTTP proxy server.

HTTP Proxy Server

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

The IP address of the external HTTP proxy server to which the security appliance forwards HTTP connections.

HTTP proxy servers are predefined network objects. You can click Select to open the Networks/Hosts Selector dialog box from which you can make your selections, and in which you can create network host objects.

HTTP Proxy Port

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

The port of the external HTTP proxy server to which the security appliance forwards HTTP connections.

You can click Select to open the Port List Selector dialog box from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects.

Exception Address List

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

A URL or a comma-delimited list of several URLs to exclude from those that can be sent to the HTTP proxy server. The string does not have a character limit, but the entire command cannot exceed 512 characters. You can specify literal URLs or use the following wildcards:

* to match any string, including slashes (/) and periods (.). You must accompany this wildcard with an alphanumeric string.

? to match any single character, including slashes and periods.

[x-y] to match any single character in the range of x and y, where x represents one character and y represents another character in the ANSI character set.

[!x-y] to match any single character that is not in the range.

Authentication User Name

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

The username that is sent with each HTTP proxy request to provide basic proxy authentication.

Authentication Password

The password to send to the proxy server with each HTTP request.

Confirm

Confirms the password entered in the Authentication Password field. The values in the Authentication Password and Confirm fields must match before you can save these settings.

Enable HTTPS Proxy Server

Click this check box to enable the HTTPS proxy server.

HTTPS Proxy Server

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

The IP address of the external HTTPS proxy server to which the security appliance forwards HTTPS connections.

HTTPS proxy servers are predefined network objects. You can click Select to open the Networks/Hosts Selector dialog box from which you can make your selections, and in which you can create network host objects.

HTTPS Proxy Port

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

The port of the external HTTPS proxy server to which the security appliance forwards HTTPS connections.

You can click Select to open the Port List Selector dialog box from which you can make your selection, or create a port list object.

Exception Address List

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

A URL or a comma-delimited list of several URLs to exclude from those that can be sent to the HTTPS proxy server. The string does not have a character limit, but the entire command cannot exceed 512 characters. You can specify literal URLs or use the following wildcards:

* to match any string, including slashes (/) and periods (.). You must accompany this wildcard with an alphanumeric string.

? to match any single character, including slashes and periods.

[x-y] to match any single character in the range of x and y, where x represents one character and y represents another character in the ANSI character set.

[!x-y] to match any single character that is not in the range.

Authentication User Name

Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list.

The username that is sent with each HTTPS proxy request to provide basic proxy authentication.

Authentication Password

The password to send to the proxy server with each HTTPS request.

Confirm

Confirms the password entered in the Authentication Password field. The values in the Authentication Password and Confirm fields must match before you can save these settings.

Proxy using PAC

Available only if you selected Proxy using PAC from the Proxy Server list.

Specify Proxy Auto Config file URL

When selected, enables you to specify a proxy autoconfiguration (PAC) file to download to the browser. Once downloaded, the PAC file uses a JavaScript function to identify a proxy for each URL. Enter http:// and type the URL of the proxy autoconfiguration file into the adjacent field. If you omit the http:// portion, the security appliance ignores it.

This option is an alternative to specifying the IP address of the HTTP proxy server.

Proxy Bypass

Specifies the ASA interface, port, and target URL configured for proxy bypass. Use the following buttons to create, edit, or delete proxy bypass settings:

Create button—Opens a dialog box that lets you add a proxy bypass rule to the table. See Add/Edit Proxy Bypass Dialog Box.

Edit button—Opens a dialog box that lets you edit the settings of a selected proxy bypass rule in the table. See Add/Edit Proxy Bypass Dialog Box.

Delete button—Deletes one or more proxy bypass rules selected in the table.
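What the file behind the "Proxy using PAC" option looks like, as an added example that is not from the page or from Cisco: a proxy autoconfiguration (PAC) file whose FindProxyForURL function the browser calls for every request. It sends internal hosts direct and routes everything else to separate HTTP and HTTPS proxy servers, mirroring the exception list and the separate HTTP/HTTPS proxy fields on this tab. The proxy names and the internal domain are constructed placeholders, and the two helper functions are local stand-ins for the ones a browser's PAC runtime normally provides, so the file also runs under Node for testing.

```javascript
// Added example of a PAC file; not a file shipped with Security Manager or the ASA.
// A browser that has downloaded this file calls FindProxyForURL(url, host)
// before each request and routes the request according to the returned string:
//   "DIRECT"               connect without a proxy
//   "PROXY host:port"      use that proxy (entries may be chained with ";")

// Stand-ins for helpers the browser's PAC runtime provides (same semantics:
// isPlainHostName is true for a host with no dots, dnsDomainIs is a
// case-insensitive suffix check). Defined here only so the file runs in Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Constructed placeholders for the external proxy servers on the Proxy tab.
var HTTP_PROXY = "PROXY http-proxy.example.net:8080";
var HTTPS_PROXY = "PROXY https-proxy.example.net:8443";
// Constructed placeholder for the internal domain that must never leave via
// the external proxy (the role of the tab's Exception Address List).
var INTERNAL_DOMAIN = ".corp.example.net";

function FindProxyForURL(url, host) {
  // Internal resources: plain (unqualified) names and the internal domain.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // Everything else goes through the proxy that handles its scheme. There is
  // deliberately no trailing "; DIRECT" fallback: if the proxy is unreachable
  // the request fails instead of silently bypassing the proxied path.
  if (url.toLowerCase().indexOf("https:") === 0) {
    return HTTPS_PROXY;
  }
  return HTTP_PROXY;
}
```

The page notes that the PAC URL is entered with an http:// prefix; the browser fetches the file from there and evaluates FindProxyForURL locally, so the proxy decision is made on the client, not on the security appliance.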


Add/Edit Proxy Bypass Dialog Box

Use the Add/Edit Proxy Bypass dialog box to set proxy bypass rules when the security appliance performs little or no content rewriting.

Navigation Path

Open the Proxy Tab, then click Create below the table, or select a row in the table and click Edit.

Related Topics

Defining Proxies and Proxy Bypass Rules, page 26-51

Understanding Interface Role Objects, page 6-55

Field Reference

Table 27-70 SSL VPN Global Settings > Proxy Tab > Add/Edit Proxy Bypass Dialog Box 

Element
Description

Interface

The interface on the security appliance that is used for proxy bypass.

You can click Select to open a dialog box from which you can select an interface from a list of interface or interface role objects.

Bypass On Port

When selected, enables you to specify a port number to be used for proxy bypass. Valid port numbers are 20000-21000.

You can click Select to open the Port List Selector dialog box from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects.

Note If you configure proxy bypass using ports rather than path masks, depending on your network configuration, you might need to change your firewall configuration to allow these ports access to the security appliance. Use path masks to avoid this restriction.

Bypass Matching Specify Pattern

When selected, enables you to specify a URL path to match for proxy bypass.

A path is the text in a URL that follows the domain name. For example, in the URL www.mycompany.com/hrbenefits, hrbenefits is the path.

You can use the following wildcards:

*—Matches everything. You cannot use this wildcard by itself. It must accompany an alphanumeric string.

?—Matches any single character.

[!seq]—Matches any character not in sequence.

[seq]—Matches any character in sequence.

The maximum is 128 bytes.

Note Path masks can change, so you might need to use multiple path mask statements to exhaust the possibilities.

URL

Select the http or https protocol, then enter a URL to which you want to apply proxy bypass, in the field provided.

URLs used for proxy bypass allow a maximum of 128 bytes. The port for HTTP is 80 and for HTTPS it is 443, unless you specify another port.

Rewrite XML

When selected, rewrites XML sites and applications to be bypassed by the security appliance.

Rewrite Hostname

When selected, rewrites external links to be bypassed by the security appliance.
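The wildcard syntax used by the proxy-bypass path mask above is the same one the page documents for the content rewrite Resource Mask (Table 27-66) and, with [x-y] ranges, for the proxy Exception Address List (Table 27-69). The following is an added example, not code from Security Manager or the ASA: a matcher for that syntax, a check of the limits the page states (byte length, and "*" never on its own), and a first-match evaluation of an ordered rule list as the page describes for rewrite rules (lowest rule number first, unnumbered rules last). Rule names and hostnames are constructed; the code assumes case-sensitive matching of the whole resource string, which the page does not specify.

```javascript
// Added example; not code from the page, Security Manager or the ASA.
// Assumptions not stated on the page: matching is case-sensitive and a mask
// must cover the entire resource string.

// Translate one mask into a RegExp.
//   *      any string, including "/" and "."
//   ?      any single character
//   [seq]  any one character in seq (ranges such as 0-9 allowed)
//   [!seq] any one character not in seq
function maskToRegExp(mask) {
  let re = "^";
  for (let i = 0; i < mask.length; i++) {
    const c = mask[i];
    if (c === "*") {
      re += ".*";
    } else if (c === "?") {
      re += ".";
    } else if (c === "[") {
      const close = mask.indexOf("]", i + 1);
      if (close === -1) throw new Error("unterminated [seq] in mask: " + mask);
      let body = mask.slice(i + 1, close);
      const negated = body.startsWith("!");
      if (negated) body = body.slice(1);
      if (body === "") throw new Error("empty [seq] in mask: " + mask);
      // Escape characters that are special inside a RegExp class; "-" is
      // left alone so ranges keep working.
      body = body.replace(/[\\\]^]/g, "\\$&");
      re += "[" + (negated ? "^" : "") + body + "]";
      i = close;
    } else {
      re += c.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    }
  }
  return new RegExp(re + "$");
}

// Check a mask against the limits the page states: a byte limit (300 bytes
// for a resource mask, 128 for a proxy-bypass path mask) and the rule that
// "*" cannot be used by itself but must accompany an alphanumeric string.
// Returns null when the mask is acceptable, otherwise a reason string.
function validateMask(mask, maxBytes) {
  const bytes = new TextEncoder().encode(mask).length;
  if (bytes === 0 || bytes > maxBytes) {
    return "mask must be 1-" + maxBytes + " bytes, got " + bytes;
  }
  if (!/[A-Za-z0-9]/.test(mask)) {
    return "a wildcard must accompany an alphanumeric string";
  }
  try {
    maskToRegExp(mask);
  } catch (e) {
    return e.message;
  }
  return null;
}

// Apply an ordered rule list to one resource string: lowest rule number
// first, unnumbered rules last, disabled rules skipped, first match wins.
// Returns the matching rule object, or null when no rule matches.
function firstMatchingRule(rules, resource) {
  const position = (r) => (r.number === undefined ? Number.MAX_SAFE_INTEGER : r.number);
  const ordered = rules.slice().sort((a, b) => position(a) - position(b));
  for (const rule of ordered) {
    if (rule.enabled && maskToRegExp(rule.mask).test(resource)) {
      return rule;
    }
  }
  return null;
}

// Constructed sample rule table (hypothetical names and hosts).
const SAMPLE_RULES = [
  { number: 20, name: "public-sites", mask: "*.example.org*", enabled: true },
  { number: 10, name: "intranet-app", mask: "intranet.example.net/app?/*", enabled: true },
  { number: undefined, name: "docs-catch-all", mask: "*docs[0-9]", enabled: true },
  { number: 1, name: "old-portal", mask: "portal.example.net*", enabled: false },
];

// Report which rule each resource hits. Useful for auditing whether a broad
// mask quietly exempts more sites from rewriting than intended.
function auditResources(rules, resources) {
  const report = {};
  for (const r of resources) {
    const hit = firstMatchingRule(rules, r);
    report[r] = hit ? hit.name : "(no rule)";
  }
  return report;
}

console.log(auditResources(SAMPLE_RULES, [
  "www.example.org/index.html",
  "intranet.example.net/app1/login",
  "files.example.net/docs7",
  "portal.example.net/home",
]));
```

Running the audit before deployment shows the effect of rule order directly: the disabled rule numbered 1 is skipped even though it sorts first, and the unnumbered catch-all only sees resources that no numbered rule claimed.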


Plug-in Tab

Use the Plug-in tab of the SSL VPN Other Settings page to view the currently configured browser plug-ins, create new plug-ins, or edit existing ones. Clientless SSL VPN must be enabled on the security appliance to provide remote access to the plug-ins.

Navigation Path

Open the SSL VPN Other Settings Page, then click the Plug-in tab. You can also open it by clicking the Plug-in tab from any other tab on the SSL VPN Other Settings page.

Related Topics

Understanding Plug-ins, page 26-53

Defining Browser Plug-ins, page 26-55

Understanding and Managing SSL VPN Support Files, page 26-5

Field Reference

Table 27-71 SSL VPN Other Settings > Plug-in Tab 

Element
Description

Plug-in

The type of plug-in based on the protocol service that the plug-in provides to the user. The plug-in is used in remote browsers in Clientless SSL VPN sessions.

Plug-in File

The name of the File Object that identifies the plug-in file.

Create button

Opens a dialog box that lets you add a browser plug-in. See Add/Edit Plug-in Entry Dialog Box.

Edit button

Opens a dialog box that lets you edit the settings of the selected plug-in. See Add/Edit Plug-in Entry Dialog Box.

Delete button

Select the rows of one or more browser plug-ins, then click to remove from the list.


Add/Edit Plug-in Entry Dialog Box

Use the Add/Edit Plug-in Entry dialog box to add or edit browser plug-ins to download to remote browsers in clientless SSL VPN sessions.

Navigation Path

Open the Plug-in Tab, then click Create below the table, or select a row in the table and click Edit.

Related Topics

Understanding Plug-ins, page 26-53

Defining Browser Plug-ins, page 26-55

Understanding and Managing SSL VPN Support Files, page 26-5

Field Reference

Table 27-72 SSL VPN Other Settings > Plug-in Tab > Add/Edit Plug-in Entry Dialog Box 

Element
Description

Plug-in

The type of plug-in file based on the protocol to be used for the imported plug-in in URLs launched from the SSL VPN portal. Select one of the following options from the list:

Remote Desktop (RDP)—Provides access to Remote Desktop Protocol services using the rdp-plugin.jar plug-in file.

Secure Shell (SSH), Telnet—Provides access to Secure Shell and Telnet services using the ssh-plugin.jar plug-in file.

VNC—Provides access to Virtual Network Computing services using the vnc-plugin.jar plug-in file.

Citrix (ICA)—Provides access to Citrix MetaFrame services using the ica-plugin.jar plug-in file.

Plug-in File

The File Object that identifies the plug-in file. Enter the name of the File Object or click Select to select an object. You can also create the File Object from the object selector. For more information on creating File Objects, see Add and Edit File Object Dialog Boxes, page 28-24.


SSL VPN Client Settings Tab

Use the SSL VPN Client Settings tab to specify the path of the SSL VPN client image and profile files to be downloaded to the remote PC and the size of the cache memory to be allocated for SSL VPN client and Cisco Secure Desktop (CSD) images on the device.

Navigation Path

Open the SSL VPN Other Settings Page, then click the Client Settings tab. You can also open it by clicking the Client Settings tab from any other tab on the SSL VPN Other Settings page.

Related Topics

Understanding SSL VPN Client Settings, page 26-56

Configuring SSL VPN Client Settings, page 26-57

Understanding and Managing SSL VPN Support Files, page 26-5

Field Reference

Table 27-73 SSL VPN Other Settings > Client Settings Tab 

Element
Description

AnyConnect Client Image

AnyConnect Client Image

Displays the name of the File Object that identifies the package file for an Anyconnect client image. These are images that the security appliance downloads to the remote PC.

Order

Indicates the order in the table. The security appliance downloads the image at the top of the table first. Therefore, you should move the image used by the most commonly-encountered operating system to the top.

Create button

Click to open the object selector so that you can select a package to add to the list. You can select an existing File Object or create a new one.

Edit button

Select a row of an SSL VPN client image in the table, then click to change the File Object selection or the order of the client image.

Delete button

Select the rows of one or more Anyconnect client images, then click to remove from the list.

AnyConnect Client Profile

Profile Name

Displays the name of the client profile to be downloaded to the security appliance.

AnyConnect Client Profile

Displays the name of the File Object that identifies the client profile for an Anyconnect client, which is downloaded to the security appliance.

The client profile is an XML file that the security appliance downloads to the remote PC. These profiles display host information in the AnyConnect VPN Client user interface.

Create button

Click to open the object selector so that you can select a profile to add to the list. You can select an existing File Object or create a new one.

Edit button

Select a row of an SSL VPN client profile in the table, then click to change the File Object selection or the name of the client profile.

Delete button

Select the rows of one or more Anyconnect client profiles, then click to remove from the list.

Cache File System (to hold CSD and SVC images)

Maximum Cache File System Object Size

The maximum size (in MB) of the cache on the security appliance to store SSL VPN client and CSD images.

Note The security appliance expands SSL VPN client and the CSD images in cache memory. If you receive the error message "ERROR: Unable to load SVC image - increase disk space via the `cache-fs' command", increase the size of cache memory.


Add/Edit AnyConnect Client Image Dialog Box

Use the Add/Edit AnyConnect Client Image dialog box to create or edit a package file as the client image, and establish the order that the security appliance downloads the image to the remote PC.

Navigation Path

Open the SSL VPN Client Settings Tab, then click Create below the AnyConnect Client Image table, or select a row in the table and click Edit.

Related Topics

Understanding SSL VPN Client Settings, page 26-56

Configuring SSL VPN Client Settings, page 26-57

Understanding and Managing SSL VPN Support Files, page 26-5

Field Reference

Table 27-74 SSL VPN Other Settings > Client Settings Tab > Add/Edit AnyConnect Client Image Dialog Box 

Element
Description

AnyConnect Client Image

The name of the File Object that identifies the Anyconnect client. Click Select to select an object.

You can also create the File Object from the object selector. For more information, see Add and Edit File Object Dialog Boxes, page 28-24.

Image Order

The order in which the security appliance downloads the client images to the remote PC. It downloads the image at the top of the table first. Therefore, you should enter a lower value for the image used by the most commonly-encountered operating system.

Regular Expression

Regular expression for the AnyConnect image. Enter a name of an existing regular expression or click Select to select or create a new one.


Add/Edit AnyConnect Client Profile Dialog Box

Use the Add/Edit AnyConnect Client Profile dialog box to create a new profile or edit the path of an existing one. These profiles display host information in the AnyConnect VPN Client user interface. After creating a profile, it is loaded on the security appliance from Security Manager and you must configure the security appliance to download it to remote client PCs.

Navigation Path

Open the SSL VPN Client Settings Tab, then click Create below the AnyConnect Client Profile table, or select a row in the table and click Edit.

Related Topics

Understanding SSL VPN Client Settings, page 26-56

Configuring SSL VPN Client Settings, page 26-57

Understanding and Managing SSL VPN Support Files, page 26-5

Field Reference

Table 27-75 SSL VPN Other Settings > Client Settings Tab > Add/Edit AnyConnect Client Profile Dialog Box 

Element
Description

AnyConnect Profile Name

The name of the Anyconnect client profile to be downloaded to the security appliance.

AnyConnect Client Profile

The name of the File Object that identifies the Anyconnect client profile XML file. Click Select to select an object.

You can also create the File Object from the object selector. For more information, see Add and Edit File Object Dialog Boxes, page 28-24.


Advanced Tab

The Advanced tab lets you configure the memory, on-screen keyboard, and internal password features on ASA devices.

Navigation Path

Open the SSL VPN Other Settings Page, then click the Advanced tab.

Related Topics

Defining Advanced Settings, page 26-58

Field Reference

Table 27-76 SSL VPN Other Settings > Advanced Tab 

Element
Description

Memory Size

Specify the amount of memory you want to allocate to SSL VPN sessions as follows:

% of Total Physical Memory—As a percentage of total memory. Default is 50%.

Kilobytes—In kilobytes. 20KB is the minimum setting allowed. Cisco recommends that you do not specify memory in terms of KB because different ASA models have different total amounts of memory, for example:

ASA 5510 has 256 MB

ASA 5520 has 512 MB

ASA 5540 has 1GB

Note When you change the memory size, the new setting takes effect only after the system reboots.

Enable On-screen Keyboard

Select one of the following options:

Disabled—The on-screen keyboard is not displayed. Users must input their credentials using the standard keyboard.

On All Pages—Allows a user to input credentials using an on-screen keyboard, which is displayed whenever logon credentials are required.

On Logon Page Only—Allows a user to input credentials using an on-screen keyboard, which is displayed on the logon page.

Allow Users to Enter Internal Password

Click the checkbox to enable the feature. When enabled, an additional password is required when accessing internal sites. This feature is useful if you require that the internal password be different from the SSL VPN password. For example, you can use a one-time password for authentication to ASA and another password for internal sites.


SSL VPN Shared License (ASA 8.2) Page

Use the SSL VPN Shared License page to configure your SSL VPN Shared License.

Navigation Path

(Device View) Select an ASA device using version 8.2 or higher, and select Remote Access VPN > SSL VPN > Shared License from the Policy selector.

(Policy View) Select Remote Access VPN > SSL VPN > Shared License (ASA 8.2+) from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Understanding SSL VPN Shared Licenses (ASA), page 26-58

Configuring an ASA Device as a Shared License Client, page 26-59

Configuring an ASA Device as a Shared License Server, page 26-59

Field Reference

Table 27-77 SSL VPN Shared License Page 

Element
Description

Select Role

Role you are configuring, either Shared License Client or Shared License Server. Depending on your choice, different fields appear.

Shared License Client

Shared Secret

Case-sensitive string (4-128 characters) used for communicating with the shared license server.

License Server

Hostname of the ASA device configured as the license server.

License Server Port

Number of the TCP port on which the license server communicates.

Select Backup Role of Client

Role of the client:

Client Only—When selected, the client acts only as the client. In this case, you must specify another device as a backup server.

Backup Server—When selected, the client also acts as the backup server. In this case, you must also specify the interfaces to be used for this purpose.

Shared License Server

Shared Secret

Case-sensitive string (4-128 characters) used for communicating with the shared license server.

License Server

Hostname of the ASA device configured as the license server.

License Server Port

Number of the TCP port on which the license server communicates.

Refresh Interval

Value between 10-300 seconds. Default is 30 seconds.

Interfaces

Interfaces used for communicating shared licenses to clients.

Configure Backup shared SSL VPN License Server

Click this check box to configure a backup server for the shared license server, then configure the following:

Backup License Server—Server to act as a backup license server if the current one is unavailable.

Backup Server Serial Number—Serial number of the backup license server.

HA Peer Serial Number—(Optional) Serial number of the backup server of a failover pair.


SSL VPN Policy Page (IOS)

Use this page to configure the SSL VPN connection policies for an IOS router. From this page, you can create, edit, or delete SSL VPN policies.

The table lists all of the contexts that define the virtual configurations of the SSL VPN. Each context has a gateway, domain or virtual hostname, and user group policies. The status of the context is also shown, either In Service or Out of Service.

To add a context, click the Add Row button to open the SSL VPN Context Editor Dialog Box (IOS).

To edit a context, select it and click the Edit Row button.

To delete a context, select it and click the Delete Row button.

Navigation Path

(Device View) Select an IOS device and select Remote Access VPN > SSL VPN from the Policy selector.

(Policy View) Select Remote Access VPN > SSL VPN > SSL VPN Policy (IOS) from the Policy Type selector. Select an existing policy or create a new one.

Related Topics

Configuring an SSL VPN Policy (IOS), page 26-60

Filtering Tables, page 1-33

SSL VPN Context Editor Dialog Box (IOS)

Use this dialog box to create or modify a context that defines the virtual configuration of an SSL VPN. For more information, see Configuring an SSL VPN Policy (IOS), page 26-60.

Navigation Path

Open the SSL VPN Policy Page (IOS), then click Create, or select a policy in the table and click Edit.

Field Reference

Table 27-78 SSL VPN Context Editor Dialog Box 

Element
Description

General tab

Defines the general settings required for an SSL VPN policy. General settings include specifying the gateway, domain, AAA servers for accounting and authentication, and user groups. For a description of the fields on this tab, see General Tab.

Portal Page tab

Defines the design of the login page for the SSL VPN policy. The display box at the bottom of the tab changes to show you how your selections will look. You can configure:

Title—The text displayed at the top of the page. Control the color using the Primary settings in the Title Color and Text Color fields.

Logo—The graphic displayed next to the title. Select None, Default, or Custom. To configure a custom graphic, you must copy the desired graphic to the Security Manager server, then click Browse to select the file. Supported graphic types are GIF, JPG, and PNG, with a maximum size of 100 KB.

Login Message—The text displayed immediately above the login prompt. Control the color using the Secondary settings in the Title Color and Text Color fields.

Secure Desktop tab

Configures the Cisco Secure Desktop (CSD) software on the router. CSD policies define entry requirements for client systems and provide a single, secure location for session activity and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL VPN session.

Note You must install and activate the Secure Desktop Client software on a device for your configuration to work.

If you want to use CSD, select Enable Cisco Secure Desktop and click Select to select a Secure Desktop Configuration policy object, which defines the rules you want to use to control VPN access and host scanning. You can create a new object from the selection list. For information about configuring these objects, see Creating Cisco Secure Desktop Configuration Objects, page 26-61.

Advanced tab

Configures these additional settings:

Maximum Number of Users—The maximum number of SSL VPN user sessions allowed at one time, from 1-1000.

VRF Name—If Virtual Routing Forwarding (VRF) is configured on the device, the name of the VRF instance that is associated with the SSL VPN context. For information about VRF, see Understanding VRF-Aware IPsec, page 21-13.


General Tab

Use the General tab of the SSL VPN Context Editor dialog box to define or edit the general settings required for an SSL VPN policy. General settings include specifying the gateway, domain, AAA servers for accounting and authentication, and user groups.

Navigation Path

Open the SSL VPN Context Editor Dialog Box (IOS), then click the General tab.

Related Topics

Configuring an SSL VPN Policy (IOS), page 26-60

Add or Edit SSL VPN Gateway Dialog Box, page 28-63

Understanding AAA Server and Server Group Objects, page 6-20

Field Reference

Table 27-79 SSL VPN Context Editor General Tab (IOS) 

Element
Description

Enable SSL VPN

Whether to activate the SSL VPN connection, putting it "In Service".

Name

The name of the context that defines the virtual configuration of the SSL VPN.

Note To simplify the management of multiple context configurations, make the context name the same as the domain or virtual hostname.

Gateway

The name of the SSL VPN gateway policy object that defines the characteristics of the gateway to which users connect when entering the VPN. A gateway object provides the interface and port configuration for an SSL VPN connection.

Enter the name of the object or click Select to select it from a list or to create a new object.

Domain

The domain or virtual hostname of the SSL VPN connection.

Portal Page URL

The URL for the SSL VPN, which is filled in when you select a gateway object. Users connect to this URL to enter the VPN.

Authentication Server Group

The authentication server groups. The list is in prioritized order. Authentication is attempted using the first group and proceeds through the list until the user is successfully authenticated or denied. Use the LOCAL group if the users are defined on the gateway itself.

Enter the names of the AAA server groups; separate multiple entries with commas. You can click Select to select the groups or to create new ones.

Authentication Domain

A list or method for SSL VPN remote user authentication. If you do not specify a list or method, the gateway uses global AAA parameters for remote-user authentication.

Accounting Server Group

The accounting server group. Enter the name of the AAA server group policy object, or click Select to select it from a list or to create a new object.

User Groups

The user groups that will be used in your SSL VPN policy. User groups define the resources available to users when connecting to an SSL VPN gateway. The table shows whether full client, CIFS file access, and thin client is enabled for the group.

To add a user group, click Add Row to open a list of existing user group policy objects from which you can select the group. If the desired group does not already exist, click the Create button below the available groups list and create it. For more information about user group objects, see Add or Edit User Group Dialog Box, page 28-68.

To edit a user group, select it and click the Edit Row button.

To delete a user group, select it and click the Delete Row button. This deletes the group only from the policy, it does not delete the user group policy object.