Table Of Contents
Managing Remote Access VPNs
Working with Policies in Remote Access VPNs
Using the Remote Access VPN Server Wizard
Understanding User Group Policies in Remote Access VPNs
Configuring User Group Policies
Understanding Tunnel Group Policies in Remote Access VPNs
Configuring Tunnel Group Policies
Understanding IPSec Proposals in Remote Access VPNs
Configuring an IPSec Proposal on a Remote Access VPN Server
Understanding IKE Proposals in Remote Access VPNs
Configuring IKE Proposals on a Remote Access VPN Server
Understanding Cluster Load Balancing
Configuring a Cluster Load Balance Policy
Public Key Infrastructure Policies in Remote Access VPNs
Configuring a PKI Policy in a Remote Access VPN
Configuring VPN Global Settings in Remote Access VPNs
Defining Global Settings in a Remote Access VPN
Understanding DN Matching Policies
Configuring a DN Matching Policy
Understanding DN Matching Rules
Configuring a DN Matching Rules Policy
Managing Shared Remote Access VPN Policies in Policy View
Managing Remote Access VPNs
A Virtual Private Network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Remote access VPNs use tunnels to encapsulate data packets within normal IP packets for forwarding over IP-based networks, using encryption to ensure privacy and authentication to ensure integrity of data.
Remote access VPNs permit secure, encrypted connections between a company's private network and remote users, by establishing an encrypted IPSec tunnel across the Internet over a broadband cable, DSL, or Internet Service Provider (ISP) dial-up connection.
A remote access VPN comprises a VPN client and a VPN headend device, or VPN gateway. The VPN client software resides on the user's workstation and that client initiates the VPN tunnel to access the corporate network. At the other end of the VPN tunnel is the VPN gateway at the edge of the corporate site.
When a VPN client initiates a connection with the VPN gateway device, the negotiation consists of device authentication through Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth). Then the group profile is pushed to the VPN client using Mode Configuration, and an IPSec security association (SA) is created to complete the VPN connection.
For remote access VPNs, AAA (authentication, authorization, and accounting) is used for more secure access. With user authentication, a valid username and password must be entered before the connection is completed. Usernames and passwords can be stored on the VPN device itself, or on an external AAA server, which can provide authentication to numerous other databases. For more information on using AAA servers, see Working with AAA Server Objects, page 8-19.
Note
You can configure remote access VPN policies in site-to-site VPN topologies, using Easy VPN technology. In site-to-site Easy VPN topologies, security policies are configured on hardware clients, such as routers, whereas, in remote access VPNs, policies are configured on PCs running Cisco VPN client software. For more information, see Configuring Easy VPN Policies, page 9-104.
Related Topics
• Working with Policies in Remote Access VPNs
Working with Policies in Remote Access VPNs
A remote access VPN policy defines the IPSec parameters that the VPN client and VPN gateway use to create the VPN tunnel. In some cases, several policy types may be required to define a full configuration image that can be assigned to devices. Other remote access VPN policies can be assigned individually to devices.
You can set up and configure a remote access VPN on Cisco IOS routers, PIX Firewalls, Catalyst 6500/7600 devices, and Adaptive Security Appliance (ASA) devices.
In Device view, you can view and configure remote access VPN policies for devices. To access Device view, select View > Device View or click the Device View button in the toolbar. You can right-click a policy in the Policies selector to display menu options that enable you to share the policy, assign the shared policy to, or unassign it from the selected device. For more information, see Performing Basic Policy Management, page 6-16.
Note
You must have read-write permissions to modify a remote access VPN policy. For more information, see Modify Policies Permissions, page 2-8.
Tip
You can also view all shared policies for each policy type in a remote access VPN, edit policies, and modify their assignments to devices, in Policy view. See Managing Shared Remote Access VPN Policies in Policy View.
The following topics provide information about the policies you can configure on a remote access VPN, from the Security Manager Device view:
• Using the Remote Access VPN Server Wizard
• Understanding User Group Policies in Remote Access VPNs
• Understanding Tunnel Group Policies in Remote Access VPNs
• Understanding IPSec Proposals in Remote Access VPNs
• Understanding IKE Proposals in Remote Access VPNs
• Understanding Cluster Load Balancing
• Public Key Infrastructure Policies in Remote Access VPNs
• Configuring VPN Global Settings in Remote Access VPNs
• Understanding DN Matching Policies
• Understanding DN Matching Rules
Related Topics
• Remote Access VPN Policies, page C-822
Using the Remote Access VPN Server Wizard
The Remote Access VPN Server wizard enables you to configure your device as a remote access VPN server, to serve as a VPN gateway for remote end users.
The wizard includes mandatory steps that you must do to configure policies that enable your device to act as a remote access VPN server. Mandatory policies include user group policies (or tunnel group policies for ASA devices and PIX Firewalls version 7.0), IPSec proposals, and IKE proposals. The wizard provides default values for IPSec and IKE proposals. Once configured, specific security parameters defined in these policies are pushed to the client by the server, minimizing configuration by the end user.
Note
You must have read-write permissions to modify the policies in the Remote Access VPN Server wizard. If you are not authorized to modify one of the three mandatory policies, you cannot launch the wizard. For more information, see Modify Policies Permissions, page 2-8.
To access the Remote Access VPN Server wizard:
1. Select View > Device View or click the Device View button in the toolbar.
2. From the Device Selector, select the device you want to configure as your remote access server.
3. Select Remote Access VPN > RA VPN Server Wizard from the Device Policies selector.
4. Click Remote Access VPN Server Wizard.
Tip
• You can also configure mandatory policies on your device individually from the Remote Access VPN Policies folder, together with other optional remote access VPN policies.
• You must have read-write permissions to modify a policy in the Remote Access VPN Policies folder; otherwise you will be unable to save any modifications.
The following topics describe how to configure mandatory policies using either the Remote Access VPN wizard, or individually from the Remote Access VPN Policies folder:
• Configuring User Group Policies
• Configuring Tunnel Group Policies
• Configuring an IPSec Proposal on a Remote Access VPN Server
• Configuring IKE Proposals on a Remote Access VPN Server
Understanding User Group Policies in Remote Access VPNs
When you configure a remote access VPN server, you can create user groups to which remote clients belong. A user group policy specifies the attributes that determine user access to, and use of, the VPN. User groups simplify system management, enabling you to quickly configure VPN access for large numbers of users.
For example, in a typical remote access VPN, you might allow a finance group to access one part of a private network, a customer support group to access another part, and an MIS group to access other parts. In addition, you might allow specific users within MIS to access systems that other MIS users cannot access. User group policies provide the flexibility to do so securely.
Remote clients must have the same group name as the user group configured on the VPN server so they can connect to the device, otherwise a connection cannot be established. When a remote client establishes a connection to the VPN server, the group policies for that particular user group are pushed to all clients belonging to the same user group.
You can configure user groups on the local remote access VPN server and external AAA servers.
On the User Group Policy page, you can specify the user groups you want to assign to your remote access VPN server. You can create and edit user group policies. You can open the User Group Policy page from the Remote Access VPN Server wizard or from the Remote Access VPN Policies folder.
Note
You can define user group policies on Cisco IOS routers, PIX Firewalls, and Catalyst VPN Service Modules.
Related Topics
• Configuring User Group Policies
• User Group Objects Page, page C-187
Configuring User Group Policies
This procedure describes how to specify the user groups you want to assign to your remote access VPN server.
Before You Begin
• In Device view (View > Device View), select the required device (Cisco IOS security router, PIX Firewall, or Catalyst 6500/7600).
Procedure
Step 1 Open the User Group Policy page.
a. From the wizard:
– Select View > Device View > Remote Access VPN > RA VPN Server Wizard.
– Click Remote Access VPN Server Wizard.
b. From the Remote Access VPN Policies folder:
– Select View > Device View > Remote Access VPN > RA VPN Policies > User Group Policy, from the Device Policies selector.
Step 2 On the User Group Policy page, select the required user groups from the Available User Groups list, and click >>. For a description of the elements on this page, see Table C-453 on page C-825.
User groups are objects. If the required user group is not included in the list, click Create to open the User Groups Editor dialog box that enables you to create or edit a user group object. For more information, see Working with User Group Objects, page 8-237.
Step 3 If you opened the User Group Policy page from the wizard, click Next to advance to the next step of the wizard. See Configuring an IPSec Proposal on a Remote Access VPN Server.
If you opened the User Group Policy page from the Remote Access VPN Policies folder, click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Using the Remote Access VPN Server Wizard
• Understanding User Group Policies in Remote Access VPNs
• Managing Shared Remote Access VPN Policies in Policy View
• Working with User Group Objects, page 8-237
• User Group Policy Page, page C-824
Understanding Tunnel Group Policies in Remote Access VPNs
A tunnel group consists of a set of records that contain VPN tunnel connection policies, including the attributes that pertain to creating the tunnel itself.
Tunnel groups identify the group policy for a specific connection, which includes user-oriented attributes. If you do not assign a particular tunnel group policy to a user, the default group policy for the connection applies.
You can create one or more tunnel groups specific to your environment. Tunnel groups may be configured on the local remote access VPN server or on external AAA servers.
On the Tunnel Group Policy page, you can view the tunnel group policies defined on your remote access VPN server. You can create and edit tunnel group policies. You can open the Tunnel Group Policy page from the Remote Access VPN Server wizard or from the Remote Access VPN Policies folder.
Note
You can configure tunnel group policies only on PIX Firewalls version 7.0, or ASA devices.
Related Topics
• Configuring Tunnel Group Policies
• Tunnel Group Policy Page, page C-826
Configuring Tunnel Group Policies
This procedure describes how to create or edit tunnel group policies on your remote access VPN server.
Before You Begin
• In Device view (View > Device View), select the required device (PIX 7.0 or ASA device).
Procedure
Step 1 Open the Tunnel Group Policy page.
a. From the wizard:
– Select View > Device View > Remote Access VPN > RA VPN Server Wizard.
– Click Remote Access VPN Server Wizard.
b. From the Remote Access VPN Policies folder:
– Select View > Device View > Remote Access VPN > RA VPN Policies > Tunnel Group Policy (PIX 7.0/ASA), from the Device Policies selector.
Step 2 Click Create in the Tunnel Group Policy page, or select a device in the table on the Tunnel Group Policy page and click Edit. The Tunnel Group Editor dialog box opens, displaying the General tab. For a description of the elements on the Tunnel Group Policy page, see Table C-454 on page C-827.
Step 3 On the General tab, specify the global AAA settings for your tunnel group and select the method (or methods) of address assignment to use. For a description of the elements on the General tab, see Table C-455 on page C-829.
Step 4 Click the IPSec tab to specify IPSec and IKE parameters for the tunnel group policy. For a description of the elements on the IPSec tab, see Table C-456 on page C-832.
Step 5 Click the Advanced tab to specify interface-specific information for your tunnel group policy. For a description of the elements on the Advanced tab, see Table C-457 on page C-835.
Step 6 Click the Client VPN Software Update tab to view and edit the client type, VPN Client revisions, and image URL for each client VPN software package installed. For a description of the elements on the Client VPN Software Update tab, see Table C-458 on page C-837.
Step 7 When you have finished creating or editing your tunnel group policy, click OK to save your changes locally on the client and close the Tunnel Group Policy Editor dialog box.
Step 8 If you opened the Tunnel Group Policy page from the wizard, click Next to advance to the next step of the wizard. See Configuring an IPSec Proposal on a Remote Access VPN Server.
If you opened the Tunnel Group Policy page from the Remote Access VPN Policies folder, click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Understanding Tunnel Group Policies in Remote Access VPNs
• Tunnel Group Policy Page, page C-826
Understanding IPSec Proposals in Remote Access VPNs
An IPSec proposal is a collection of one or more crypto maps. A crypto map combines all the components required to set up IPSec security associations (SAs), including IPSec rules, transform sets, remote peer(s), and other parameters that might be necessary to define an IPSec SA.
When configuring an IPSec proposal, you must specify the external interface through which the remote access clients will connect to the server, and the encryption and authentication algorithms used to protect the data in the VPN tunnel. You can also select a Group Authorization (Group Policy Lookup) method that defines the order in which the group policies are searched (on the local server or on external AAA servers), and select a user authentication (Xauth) method that defines the order in which user accounts are searched.
For more information on IPSec tunnel concepts, see Understanding IPSec Tunnel Policies, page 9-64.
For information about user accounts, see Defining Device Access Policies, page 12-26.
On the IPSec Proposal page, you can view the default IPSec proposal that is available for assignment to your remote access VPN. From this page, you can create a new IPSec proposal or edit the default one.
Note
You can open the IPSec Proposal page from the Remote Access VPN Server wizard or from the Remote Access VPN Policies folder.
Related Topics
• Configuring an IPSec Proposal on a Remote Access VPN Server
• IPSec Proposal Page, page C-837
Configuring an IPSec Proposal on a Remote Access VPN Server
This procedure describes how to create or edit an IPSec Proposal for your remote access VPN server.
Before You Begin
• In Device view (View > Device View), select the device on which you want to configure the IPSec proposal.
Procedure
Step 1 Open the IPSec Proposal page.
a. From the wizard:
– Select View > Device View > Remote Access VPN > RA VPN Server Wizard.
– Click Remote Access VPN Server Wizard.
– Click Next in the User Group/Tunnel Group Policy page.
b. From the Remote Access VPN Policies folder:
– Select View > Device View > Remote Access VPN > RA VPN Policies > IPSec Proposal, from the Device Policies selector.
For a description of the elements on the IPSec Proposal page, see Table C-459 on page C-838.
Step 2 Click Create on the IPSec Proposal page, or select a row in the table on the IPSec Proposal page and click Edit. The IPSec Proposal Editor dialog box opens.
Note
The elements in the IPSec Proposal Editor dialog box differ depending on the selected device.
Step 3 If the selected device is a PIX 7.0 or an ASA device:
a. Select the external interface through which remote access clients will connect to the server.
b. Select the transform set(s) to be used for your tunnel policy.
c. If required, enable Reverse Route Injection (RRI) to ensure that a static route is created on an ASA device for each address assigned to the client.
d. If required, enable the configuration of Network Address Translation Traversal (NAT-T) on an ASA device. See About NAT Traversal, page 9-72.
e. For a PIX device, specify the AAA or Xauth user authentication method used to define the order in which user accounts are searched.
f. Click OK to save your changes locally on the client and close the dialog box. The changes appear in the table of the IPSec Proposal page.
For a description of the elements on the IPSec Proposal Editor dialog box, see Table C-460 on page C-841.
Step 4 If the selected device is a Cisco IOS router or Catalyst 6500/7600, the IPSec Proposal Editor dialog box opens displaying the General tab.
Note
The IPSec Proposal Editor dialog box displays two tabs—General and VRF Aware IPSec. If the selected device is a Catalyst 6500/7600, the FWSM Settings tab is also displayed.
a. In the General tab (for a description of the elements in the General tab, see Table C-461 on page C-844):
– Specify the external interface through which remote access clients will connect to the server.
Note
Important: If the selected device is a Catalyst 6500/7600, specify the inside VLAN which serves as the inside interface to the VPN Services Module or VPN SPA. Click Select to open a dialog box in which you must define the settings that enable you to configure a VPN Services Module (VPNSM) or VPN SPA. For a description of the elements in the VPNSM/VPN SPA Settings dialog box, see Table C-462 on page C-848.
For information about configuring a VPNSM, see Configuring a Catalyst VPN Services Module (VPNSM) VPN Interface, page 9-31.
For information about configuring a VPN SPA, see Configuring a Catalyst VPN Shared Port Adapter (VPN SPA) Blade, page 9-33.
– Select the transform set(s) to be used for your tunnel policy.
– If required, enable Reverse Route Injection (RRI) to ensure that a static route is created on the device for each address assigned to the client.
– Select an AAA authorization method list that will be used to define the order in which the group policies are searched. Group policies can be configured on the local server, on an external AAA server, or on both.
– Select the AAA or Xauth user authentication method that will be used to define the order in which user accounts are searched.
b. If the selected device is a Catalyst 6500/7600, click the FWSM tab and specify the settings that enable you to connect between a Firewall Services Module (FWSM) and an IPSec VPN Services Module (VPNSM blade) or VPN SPA blade that is already configured on a Catalyst 6500/7600 device. For a description of the elements in the FWSM Settings tab, see Table C-463 on page C-850.
For more information, see Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 9-38.
c. Click the VRF Aware IPSec tab to configure VRF Aware IPSec settings on the device. For a description of the elements on this tab, see Table C-464 on page C-852.
For more information, see Understanding VRF-Aware IPSec, page 9-42.
Step 5 When you have finished creating or editing your IPSec proposal, click OK to save your changes locally on the client, and close the IPSec Proposal Editor dialog box.
The changes appear in the table of the IPSec Proposal page.
Step 6 If you opened the IPSec Proposal page from the wizard, click Next to advance to the next step of the wizard. See Configuring IKE Proposals on a Remote Access VPN Server.
If you opened the IPSec Proposal page from the Remote Access VPN Policies folder, click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Understanding IPSec Proposals in Remote Access VPNs
• IPSec Proposal Page, page C-837
• IPSec Proposal Editor Dialog Box (for PIX and ASA Devices), page C-840
• IPSec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page C-843
• VPNSM/VPN SPA Settings Dialog Box, page C-846
• FWSM Settings Tab (IPSec Proposal Editor), page C-849
• VRF Aware IPSec Tab (IPSec Proposal Editor), page C-851
• Understanding IPSec Tunnel Policies, page 9-64
Understanding IKE Proposals in Remote Access VPNs
Internet Key Exchange (IKE), also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPSec security association. To configure your device for remote access VPNs, you need to specify the encryption algorithm, authentication algorithm, and key exchange method that is used by the device when negotiating a VPN connection with the remote clients.
An IKE proposal is a set of algorithms that two peers use to secure the IKE negotiation between them. IKE negotiation begins by each peer agreeing on a common (shared) IKE policy. This policy states which security parameters will be used to protect subsequent IKE negotiations. You can create multiple, prioritized policies at each peer to ensure that at least one policy will match a remote peer's policy.
For more information on IKE concepts, see Understanding IKE, page 9-59.
On the IKE Proposal page, you can specify the IKE proposals you want to assign to your remote access VPN server. You can create and edit IKE proposals. You can open the IKE Proposal page from the Remote Access VPN Server wizard or from the Remote Access VPN Policies folder.
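As an added illustration of the prioritized matching described above (this is example code, not part of the Security Manager documentation), the following Python walks two peers' IKE proposals in priority order, reports the first pair that agrees, and flags any configured proposal a defender would want removed because it lets the negotiation fall back to a weak algorithm. The sample proposals, the weak-algorithm list and the simplified lifetime handling (the shorter lifetime is used) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed audit lists (not from the page): algorithms a defender would flag.
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1}


@dataclass(frozen=True)
class IkeProposal:
    """One IKE (ISAKMP) policy as the page describes it: a prioritized set of
    algorithms plus a key exchange method (Diffie-Hellman group) and lifetime."""
    priority: int        # lower number is evaluated first
    encryption: str      # e.g. "aes-256", "3des", "des"
    hash: str            # e.g. "sha", "md5"
    authentication: str  # e.g. "pre-share", "rsa-sig"
    dh_group: int        # Diffie-Hellman group
    lifetime: int        # SA lifetime in seconds


def proposals_match(local: IkeProposal, remote: IkeProposal) -> Optional[int]:
    """Return the negotiated lifetime if the two proposals agree, else None.

    Encryption, hash, authentication and DH group must be identical.
    Lifetime handling is simplified here (assumption): the shorter of the
    two lifetimes is used and lifetime alone never prevents a match."""
    if (local.encryption, local.hash, local.authentication, local.dh_group) != (
        remote.encryption, remote.hash, remote.authentication, remote.dh_group
    ):
        return None
    return min(local.lifetime, remote.lifetime)


def negotiate(local_policies, remote_policies) -> Optional[Tuple[IkeProposal, int]]:
    """Walk the local policies in priority order and, for each one, the remote
    peer's policies in priority order; the first agreeing pair wins."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        for remote in sorted(remote_policies, key=lambda p: p.priority):
            lifetime = proposals_match(local, remote)
            if lifetime is not None:
                return local, lifetime
    return None  # no common policy: the IKE negotiation fails


def audit(policies) -> List[str]:
    """Defender's check: list every configured proposal that would let a peer
    negotiate down to a weak algorithm, even if it is low in priority."""
    findings = []
    for p in sorted(policies, key=lambda q: q.priority):
        if p.encryption in WEAK_ENCRYPTION:
            findings.append(f"priority {p.priority}: weak encryption {p.encryption}")
        if p.hash in WEAK_HASH:
            findings.append(f"priority {p.priority}: weak hash {p.hash}")
        if p.dh_group in WEAK_DH_GROUPS:
            findings.append(f"priority {p.priority}: weak DH group {p.dh_group}")
    return findings


# Constructed sample policies for a server and a client (not from any real device).
SERVER_POLICIES = [
    IkeProposal(10, "aes-256", "sha", "pre-share", 2, 86400),
    IkeProposal(20, "3des", "sha", "pre-share", 2, 86400),
    IkeProposal(30, "des", "md5", "pre-share", 1, 86400),  # legacy fallback
]
CLIENT_POLICIES = [
    IkeProposal(1, "3des", "sha", "pre-share", 2, 28800),
    IkeProposal(2, "aes-256", "sha", "pre-share", 2, 43200),
]

if __name__ == "__main__":
    # The server's priority-10 policy matches the client's priority-2 policy,
    # so AES-256 is chosen even though the client listed 3DES first.
    print("negotiated:", negotiate(SERVER_POLICIES, CLIENT_POLICIES))
    for finding in audit(SERVER_POLICIES):
        print("audit:", finding)
```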
Related Topics
• Configuring IKE Proposals on a Remote Access VPN Server
• IKE Proposal Page, page C-855
Configuring IKE Proposals on a Remote Access VPN Server
This procedure describes how to specify the IKE proposals you want to assign to your remote access VPN server.
Before You Begin
• In Device view (View > Device View), select the required device.
Procedure
Step 1 Open the IKE Proposal page.
a. From the wizard:
– Select View > Device View > Remote Access VPN > RA VPN Server Wizard.
– Click Remote Access VPN Server Wizard.
– Click Next on the IPSec Proposal page.
b. From the Remote Access VPN Policies folder:
– Select View > Device View > Remote Access VPN > RA VPN Policies > IKE Proposal, from the Device Policies selector.
Step 2 On the IKE Proposal page, select the required IKE proposals from the Available IKE Proposals list, and click >>. For a description of the elements on this page, see Table C-465 on page C-856.
IKE proposals are objects. If the required IKE proposal is not included in the list, click Create to open the IKE Editor dialog box that enables you to create or edit an IKE proposal object. For more information, see IKE Proposal Dialog Box, page C-123.
Step 3 If you opened the IKE Proposal page from the wizard, click Finish to save your definitions and close the wizard.
If you opened the IKE Proposal page from the Remote Access VPN Policies folder, click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Understanding IKE Proposals in Remote Access VPNs
• IKE Proposal Page, page C-855
• Configuring an IKE Proposal, page 9-63
Understanding Cluster Load Balancing
In a remote client configuration in which you are using two or more devices connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. Load balancing is effective only on remote sessions initiated with an ASA device.
To implement load balancing, you must group two or more devices on the same private LAN-to-LAN network into a virtual cluster. All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster master, directs incoming calls to the other devices, called secondary devices. The virtual cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the session load accordingly.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device—it belongs to the current virtual cluster master. A VPN client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user), the client connects directly to that host. In this way, the virtual cluster master directs traffic evenly and efficiently across resources.
The role of virtual cluster master is not tied to a physical device—it can shift among devices. If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster master then directs these connections to another active device in the cluster. Should the virtual cluster master itself fail, a secondary device in the cluster immediately takes over as the new virtual cluster master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is available.
The Cluster Load Balance page enables you to configure load balancing on your VPN device. You must explicitly enable load balancing, as it is disabled by default. All devices that participate in a cluster must share the same cluster-specific values: IP address, encryption settings, encryption key, and port.
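As an added example (not part of the original documentation), the following Python checks what the paragraph above requires of a cluster: that the cluster-specific values are identical on every member, that each member's virtual cluster IP lies in the subnet of its external interface, that a member which encrypts load-balancing traffic also has a shared secret, and which device is most likely to become virtual cluster master by priority. Member names, addresses and the secret are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

DEFAULT_CLUSTER_PORT = 9023  # default UDP port stated by the page


@dataclass
class ClusterMember:
    """Cluster Load Balance settings of one ASA, as the page lists them."""
    name: str
    external_ip: str         # external interface address with prefix length
    virtual_cluster_ip: str  # the single address that represents the cluster
    priority: int            # 1-10; likelihood of becoming virtual cluster master
    udp_port: int = DEFAULT_CLUSTER_PORT
    ipsec_encryption: bool = False
    shared_secret: str = ""

# Values that every member of a cluster must share.
SHARED_FIELDS = ("virtual_cluster_ip", "udp_port", "ipsec_encryption", "shared_secret")


def check_cluster(members: List[ClusterMember]) -> List[str]:
    """Return a list of configuration problems; an empty list means consistent."""
    problems = []
    for field in SHARED_FIELDS:
        values = {getattr(m, field) for m in members}
        if len(values) > 1:
            problems.append(f"{field} differs across members: {sorted(map(str, values))}")
    for m in members:
        # The virtual cluster IP must be in the same subnet as the external interface.
        net = ipaddress.ip_interface(m.external_ip).network
        if ipaddress.ip_address(m.virtual_cluster_ip) not in net:
            problems.append(f"{m.name}: virtual IP {m.virtual_cluster_ip} not in {net}")
        # Encrypted load-balancing traffic requires the IPSec shared secret.
        if m.ipsec_encryption and not m.shared_secret:
            problems.append(f"{m.name}: IPSec encryption enabled without a shared secret")
        if not 1 <= m.priority <= 10:
            problems.append(f"{m.name}: priority {m.priority} outside 1-10")
    return problems


def master_candidates(members: List[ClusterMember]) -> List[str]:
    """Member names ordered from most to least likely to become virtual cluster
    master, by priority. Ties keep configuration order, since the page does not
    say how the appliance breaks them."""
    return [m.name for m in sorted(members, key=lambda m: m.priority, reverse=True)]


# Constructed sample cluster (documentation-range addresses, example secret).
CLUSTER = [
    ClusterMember("asa-1", "203.0.113.11/24", "203.0.113.100", priority=10,
                  ipsec_encryption=True, shared_secret="example-secret"),
    ClusterMember("asa-2", "203.0.113.12/24", "203.0.113.100", priority=5,
                  ipsec_encryption=True, shared_secret="example-secret"),
]

if __name__ == "__main__":
    print("problems:", check_cluster(CLUSTER) or "none")
    print("master order:", master_candidates(CLUSTER))
```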
Related Topics
• Configuring a Cluster Load Balance Policy
• ASA Cluster Load Balance Page, page C-867
Configuring a Cluster Load Balance Policy
Note
You can configure a Cluster Load Balance policy only on an ASA device.
Before You Begin
• In Device view (View > Device View), select the required ASA device.
Procedure
Step 1 In Device view, select Remote Access VPN > RA VPN Policies > ASA Cluster Load Balance from the Device Policies selector. The ASA Cluster Load Balance page opens. For a description of the elements on this page, see Table C-470 on page C-868.
Step 2 Select the Participating in Load Balancing Cluster check box to specify that the device belongs to the load-balancing cluster.
Step 3 Specify the single IP address that represents the entire virtual cluster. Choose an IP address that is in the same subnet as the external interface.
Step 4 Specify the UDP port for the virtual cluster to which the device belongs. If another application is using this port, enter the UDP destination port number you want to use for load balancing. The default is 9023.
Step 5 If required, select Enable IPSec Encryption to ensure that all load-balancing information communicated between the devices is encrypted.
Step 6 If you selected the Enable IPSec Encryption check box, you must specify an IPSec Shared Secret password. The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. This password must match the passwords passed on by the client.
Step 7 In the Priority area, select one of the following options:
• Accept default device value—To accept the default priority value assigned to the device.
• Configure same priority on all devices in the cluster—To configure the same priority value on all the devices in the cluster. Then enter the priority number (between 1 and 10) to indicate the likelihood of the device becoming the virtual cluster master, either at start-up or when the existing master fails.
Step 8 Specify the public and private interfaces to be used on the server.
Note
Interfaces are objects. You can click Select to open a dialog box that lists all available interface roles and interfaces, and in which you can create interface role objects. For more information, see Working with Interface Role Objects, page 8-120.
Step 9 Click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Understanding Cluster Load Balancing
• ASA Cluster Load Balance Page, page C-867
Public Key Infrastructure Policies in Remote Access VPNs
Security Manager supports IPSec configuration with Certification Authority (CA) servers, also known as trustpoints, that manage Public Key Infrastructure (PKI) certificate requests and issue certificates to the devices in a remote access VPN. You can create a Public Key Infrastructure (PKI) policy to generate PKI enrollment requests for PKI certificates and RSA keys, and manage keys and certificates. These services provide centralized key management for the participating devices.
For more information, see Understanding Public Key Infrastructure Policies, page 9-79.
In Security Manager, CA servers are defined as PKI enrollment objects that you can use in your PKI policies. A PKI enrollment object contains the server information and enrollment parameters that are required for creating enrollment requests for CA certificates. For more information, see Working with PKI Enrollment Objects, page 8-153.
Note
In remote access VPNs, digital certificates are used for user authentication. When creating or editing a PKI enrollment object, you must configure each remote component (spoke) with the name of the user group to which it connects. Remote clients should also be configured to use digital certificates for user authentication during IKE negotiations, by specifying the user group name when configuring ISAKMP settings (see Defining Global Settings in a Remote Access VPN).
Related Topics
• Configuring a PKI Policy in a Remote Access VPN
• Public Key Infrastructure Page, page C-857
Configuring a PKI Policy in a Remote Access VPN
This procedure describes how to specify the CA server(s) that will be used to create a Public Key Infrastructure (PKI) policy in your remote access VPN.
Before You Begin
• In Device view (View > Device View), select the device on which you are configuring PKI.
• Make sure the selected device has IOS version 12.3(7)T or later.
• Read Prerequisites for Successful PKI Enrollment, page 9-82.
Procedure
Step 1 In Device view, select Remote Access VPN > RA VPN Policies > Public Key Infrastructure from the Device Policies selector. The Public Key Infrastructure page opens. For a description of the elements on this page, see Table C-466 on page C-858.
Step 2 Select the required CA server(s) from the Available CA Servers list and click >>.
If the required CA server is not included in the list, click Create to open a dialog box that enables you to create or edit a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page C-140.
Note
When creating or editing a PKI enrollment object, make sure you configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box. In addition, the certificate issued to the client should have OU as the name of the user group. For more information, see Defining Additional PKI Attributes, page 8-162.
Step 3 Click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Note
To save the RSA key pairs and the CA certificates between reloads permanently to Flash memory on a PIX firewall version 6.3, you must configure the "ca save all" command. You can do this manually on the device or using a FlexConfig (see Working with FlexConfigs, page 16-40).
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Public Key Infrastructure Policies in Remote Access VPNs
• Understanding Public Key Infrastructure Policies, page 9-79
• Prerequisites for Successful PKI Enrollment, page 9-82
• Public Key Infrastructure Page, page C-857
• Working with PKI Enrollment Objects, page 8-153
Configuring VPN Global Settings in Remote Access VPNs
On the VPN Global Settings page, you can define global settings for IKE, IPSec, NAT, and fragmentation, that apply to devices in your remote access VPN.
A full description of VPN global settings is provided in Understanding VPN Global Settings, page 9-70.
Global VPN settings comprise:
• ISAKMP/IPSec settings that enable you to configure ISAKMP (IKE) and IPSec parameters that allow peers to negotiate in establishing a VPN tunnel in a remote access VPN. For more information, see Understanding ISAKMP/IPSec Settings, page 9-70.
• Network Address Translation (NAT) settings that enable devices that use internal IP addresses to send and receive data through the Internet. For more information, see Understanding NAT, page 9-71.
• General Settings, including fragmentation settings and the maximum transmission unit (MTU) handling parameters that you can configure on the devices in your remote access VPN. For more information, see Understanding Fragmentation, page 9-73.
Related Topics
• Defining Global Settings in a Remote Access VPN
• VPN Global Settings Page, page C-859
Defining Global Settings in a Remote Access VPN
Follow the procedure below to define global settings in your remote access VPN.
Before You Begin
• In Device view (View > Device View), select the required device.
Procedure
Step 1
In Device view, select Remote Access VPN > RA VPN Policies > VPN Global Settings from the Device Policies selector.
The VPN Global Settings page opens, displaying the ISAKMP/IPSec Settings tab. For a description of the elements on this tab, see Table C-467 on page C-860.
Step 2
In the ISAKMP/IPSec Settings tab, specify global settings for IKE and IPSec, as follows:
a. Select Enable Keepalive to configure IKE keepalive as the default failover and routing mechanism for your devices. (Applies to Cisco IOS routers, Catalyst 6500/7600 devices, and PIX Firewalls version 6.3.)
b. Enter the number of seconds a device must wait between sending IKE keepalive packets.
c. Enter the number of seconds a device must wait between attempts to establish an IKE connection with the remote peer.
d. Select Periodic if you want to send dead-peer detection (DPD) keepalive messages, even if there is no outbound traffic to be sent (for routers except 7600).
e. Specify whether the device uses an IP address or host name to identify itself in IKE negotiations. You can also specify to use a Distinguished Name (DN) to identify a user group name.
f. Specify the maximum number of SA requests allowed before IKE starts rejecting them (for routers except 7600).
g. Specify the percentage of system resources that can be used before IKE starts rejecting new SA requests (for Cisco IOS routers and Catalyst 6500/7600 devices).
h. Select Enable Lifetime to configure the global lifetime settings for the crypto IPSec SAs on the devices in your remote access VPN.
i. Specify the number of seconds a security association will exist before expiring.
j. Specify the volume of traffic (in kilobytes) that can pass between IPSec peers using a given SA before it expires.
k. Specify the Xauth timeout—the number of seconds the device will wait for a system response to the Xauth challenge (Cisco IOS routers and Catalyst 6500/7600 devices).
l. Specify the maximum number of SAs that can be enabled simultaneously on the device (ASA or PIX 7.0 devices only).
m. Select Enable IPSec via Sysopt if you want to specify that any packet that comes from an IPSec tunnel be implicitly trusted (PIX 6.3, PIX 7.0, and ASA devices only).
Step 3
Click the NAT Settings tab to define global NAT settings that apply to devices that use internal IP addresses to send and receive data through the public Internet, as follows:
a. Select Enable Traversal Keepalive to use NAT traversal when there is a device (referred to as the middle device) located between a VPN-connected hub and spoke, that performs Network Address Translation (NAT) on the IPSec flow. See About NAT Traversal, page 9-72.
b. Specify the interval (5-3600 seconds) between the keepalive signals sent between the spoke and the middle device to indicate that the session is active.
c. Select Enable Traversal over TCP (for ASA or PIX 7.0 devices only) to encapsulate both the IKE and IPSec protocols within a TCP packet, and enable secure tunneling through both NAT and PAT devices and firewalls.
d. Enter the TCP ports for which you want to enable NAT traversal (ASA or PIX 7.0 devices only).
For a description of the elements on the NAT Settings tab, see Table C-468 on page C-863.
Step 4
Click the General Settings tab to define fragmentation and other global settings on the devices in your remote access VPN, as follows:
a. Select the fragmentation mode from the following options:
– No Fragmentation—Select if you do not want to fragment prior to IPSec encapsulation.
– End to End MTU Discovery—Select to use ICMP messages for the discovery of MTU.
– Local MTU Handling—Select to set the MTU locally on the devices. This option is typically used when ICMP is blocked.
See Understanding Fragmentation, page 9-73.
b. Specify the MTU size (between 68 and 1500 bytes).
c. Select the required setting for the DF bit (for Cisco IOS routers, ASA, or PIX 7.0 devices)—Copy, Set, or Clear.
d. Select Enable Fragmentation Before Encryption (for Cisco IOS routers, ASA, or PIX 7.0 devices) to fragment before encryption, if the expected packet size exceeds the MTU (Cisco IOS routers only).
e. Select Enable Notification on Disconnection (for ASA or PIX 7.0 devices only) to notify qualified peers of sessions that are about to be disconnected.
f. Select Enable Spoke-to-Spoke Connectivity through the Hub (for ASA or PIX 7.0 devices only) to enable direct communication between spokes in a hub-and-spoke VPN topology, in which the hub is an ASA device or a PIX Firewall version 7.0.
g. Select Enable Default Route (for Cisco IOS routers only) to use the device's configured external interface as the default outbound route for all incoming traffic.
For a description of the elements on the General Settings tab, see Table C-469 on page C-865.
Step 5
Click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Configuring VPN Global Settings in Remote Access VPNs
• VPN Global Settings Page, page C-859
• ISAKMP/IPSec Settings Tab, page C-860
• NAT Settings Tab, page C-863
• General Settings Tab, page C-864
Understanding DN Matching Policies
Distinguished Name (DN) rules are used for enhanced certificate authentication on PIX Firewalls version 7.0 and ASA devices.
A DN is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group.
Certificate group matching lets you define rules to match a user's certificate to a permission group based on fields in the DN. To establish authentication, you can use any field of the certificate, or you can have all certificate users share a permission group.
To match user permission groups based on fields of the certificate, you define rules that specify the fields to match for a group, and then enable each rule for that selected group. A tunnel group must already exist in the configuration before you can create a rule for it.
Once you have defined rules, you must configure a certificate group matching policy to define the method for identifying the permission groups of certificate users. You can match the group from the DN rules, the Organization Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods.
Related Topics
• Configuring a DN Matching Policy
• DN Matching Policy Page, page C-870
Configuring a DN Matching Policy
This procedure describes how to configure a DN Matching policy for a remote client attempting to connect to a PIX Firewall version 7.0, or an ASA server device.
Before You Begin
• In Device view (View > Device View), select the required device (PIX 7.0 or ASA device).
• Make sure a tunnel group has been configured on the device. See Configuring Tunnel Group Policies.
Procedure
Step 1
In Device view, select Remote Access VPN > RA VPN Policies > DN Matching Policy from the Device Policies selector. The DN Matching Policy page is displayed.
Step 2
Select any, or all, of the following check boxes:
a. Use Configured Rules to Match a Certificate to a Group—To configure the server to use the configured DN rules to establish authentication.
b. Use Certificate Organization Unit (OU) Field to Determine the Group—To configure the server to use the organizational unit (OU) field of the DN to establish authentication.
c. Use IKE Identity to Determine the Group—To configure the server to use the IKE identity of the DN to establish authentication.
d. Use Peer IP Address to Determine the Group—To configure the server to use the peer IP address of the DN to establish authentication.
For a description of the elements on the DN Matching Policy page, see Table C-471 on page C-871.
Step 3
Click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Understanding DN Matching Policies
• Configuring a DN Matching Rules Policy
• DN Matching Policy Page, page C-870
Understanding DN Matching Rules
Note
DN Matching Rules can be configured only on PIX Firewalls version 7.0, or ASA devices.
When configuring certificate group matching, you must define Distinguished Name (DN) rules to match a remote client's certificate to a permission group, based on fields in the DN.
To match user permission groups based on fields of the certificate, you define rules that specify the fields to match for a group and then enable each rule for that selected group. A tunnel group must already exist in the configuration before you can create and map a rule to it.
After defining the DN rules, you must configure a certificate group matching policy to define the method for identifying the permission groups of certificate users. For more information, see Understanding DN Matching Policies.
Note
A tunnel group must already exist in the configuration before you can create and map a DN Matching rule to it. If you unassign a tunnel group after creating a DN Matching rule, the DN rules that are mapped to the tunnel group are unassigned. See Configuring Tunnel Group Policies.
Related Topics
• Configuring Tunnel Group Policies
• Configuring a DN Matching Rules Policy
• DN Matching Rules Page, page C-871
Configuring a DN Matching Rules Policy
This procedure describes how to configure the DN matching rules and parameters for any remote client attempting to connect to a PIX Firewall version 7.0, or an ASA server device.
Before You Begin
• In Device view (View > Device View), select the required device (PIX 7.0 or ASA device).
• Make sure a tunnel group has been configured on the device. See Configuring Tunnel Group Policies.
Procedure
Step 1
In Device view, select Remote Access VPN > RA VPN Policies > DN Matching Rules from the Device Policies selector. The DN Matching Rules page is displayed. For a description of the elements on this page, see Table C-472 on page C-872.
Step 2
Click Create in the upper pane to configure the priority and tunnel group mapping for your matching rules. The DN Rule page is displayed. For a description of the elements on this page, see Table C-473 on page C-874.
Step 3
Select a tunnel group from the drop-down list.
Step 4
Enter the priority number for the matching rule. A lower number has higher priority.
Step 5
Click OK. The DN matching rule is displayed in the upper pane of the page.
Step 6
Select the tunnel group mapping created in the upper pane to display the details in the lower pane.
Step 7
Click Create in the lower pane to configure the DN matching rule that must be satisfied in order for a remote client to connect to the device. The DN Rule page is displayed. For a description of the elements on this page, see Table C-474 on page C-875.
Step 8
Select the certificate field from the drop-down list.
Step 9
Select the component of the rule you wish to configure.
Step 10
Select the operator of the rule.
Step 11
Enter the value for the matching rule.
Step 12
Click OK. The DN matching rule parameters are displayed in the lower pane of the page.
Step 13
Click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
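The certificate group matching described in the DN Matching Policy and DN Matching Rules sections above, as an added Python example that is not part of this guide or of Cisco's software. It assumes the four rule operators are equals, not equals, contains and does not contain, that the enabled policy methods are evaluated in the order rules, OU field, IKE identity, peer IP, and that the OU, IKE identity and peer IP methods succeed only when a tunnel group of that name exists; all rule and certificate data is constructed.

```python
"""Certificate group matching modelled on the DN Matching pages (illustrative,
not Cisco's code). Assumed, not stated on the page: operators eq/ne/co/nc
(equals, not equals, contains, does not contain); methods tried in the order
rules, OU field, IKE identity, peer IP."""

def parse_dn(dn):
    """'CN=alice,OU=eng,O=Example' -> {'CN': 'alice', ...} (no escaped commas)."""
    fields = {}
    for part in dn.split(","):
        name, _, value = part.strip().partition("=")
        fields[name.strip().upper()] = value.strip()
    return fields

OPERATORS = {
    "eq": lambda actual, wanted: actual == wanted,
    "ne": lambda actual, wanted: actual != wanted,
    "co": lambda actual, wanted: wanted in actual,
    "nc": lambda actual, wanted: wanted not in actual,
}

def make_rule(priority, tunnel_group, checks, tunnel_groups):
    """Steps 3-4 and 8-11: the page requires the tunnel group to exist first."""
    if tunnel_group not in tunnel_groups:
        raise ValueError("tunnel group %r does not exist" % tunnel_group)
    return {"priority": priority, "group": tunnel_group, "checks": checks}

def rule_matches(rule, cert):
    """Every (field, component, operator, value) check must hold; field is
    'subject' or 'issuer' of the certificate."""
    for field, component, op, wanted in rule["checks"]:
        actual = parse_dn(cert[field]).get(component.upper())
        if actual is None or not OPERATORS[op](actual, wanted):
            return False
    return True

def match_tunnel_group(policy, rules, tunnel_groups, cert, ike_id=None, peer_ip=None):
    """policy: the check boxes enabled on the DN Matching Policy page, any of
    'rules', 'ou', 'ike_id', 'peer_ip'. Returns a tunnel group name or None."""
    if "rules" in policy:
        for rule in sorted(rules, key=lambda r: r["priority"]):  # lower number wins
            if rule_matches(rule, cert):
                return rule["group"]
    ou = parse_dn(cert["subject"]).get("OU")
    for method, candidate in (("ou", ou), ("ike_id", ike_id), ("peer_ip", peer_ip)):
        if method in policy and candidate in tunnel_groups:  # assumed: group must exist
            return candidate
    return None

# Constructed sample data: two tunnel groups and two rules of differing priority.
TUNNEL_GROUPS = {"engineering", "contractors"}
RULES = [
    make_rule(20, "engineering", [("subject", "OU", "eq", "engineering")], TUNNEL_GROUPS),
    make_rule(10, "contractors", [("subject", "O", "co", "Contract"),
                                  ("issuer", "CN", "eq", "Example CA")], TUNNEL_GROUPS),
]
```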
Related Topics
• Managing Shared Remote Access VPN Policies in Policy View
• Understanding Tunnel Group Policies in Remote Access VPNs
• Understanding DN Matching Policies
• Understanding DN Matching Rules
• DN Matching Rules Page, page C-871
Managing Shared Remote Access VPN Policies in Policy View
In Policy view, you can view all shared policies for each policy type in a remote access VPN, modify individual policies, and apply them globally to multiple devices. You can also create shared policies that you can assign later to devices.
This procedure describes how to create or edit remote access VPN policies, and modify their assignments to devices, from Policy view.
Procedure
Step 1
Select View > Policy View or click the Policy View button on the toolbar.
Step 2
Select the Remote Access VPN folder from the Policy selector. The folder opens, listing the IPSec policy types that can be defined for a remote access VPN. For more information, see Policy View Selectors, page 6-37.
Step 3
To view the shared policies defined for a policy type, select the policy type in the selector. Any policies that are defined for the selected policy type are displayed in the Policies list in the lower pane.
Step 4
To create a shared policy for a policy type:
a. Right-click the policy type and select New [policy type] Policy from the shortcut menu. The Create a Policy dialog box opens.
b. Enter a name for the new policy and click OK. The new policy will appear in the Policies selector for the selected policy type, displaying predefined definitions, which you can edit, if required.
Step 5
To view or edit a policy's definitions:
a. Select the policy in the Policies selector. The Details tab in the work area of Policy view opens, displaying the definitions for the policy.
b. If required, modify the definitions for the policy. See Working with Policies in Remote Access VPNs.
Step 6
To view or edit a policy's assignments:
a. Select the policy in the Policies selector, and click the Assignments tab in the work area. For a description of the elements on this tab, see Policy View—Assignments Tab, page C-26.
b. If required, modify the list of devices to which the policy is assigned. See Modifying Policy Assignments in Policy View, page 6-41.
Step 7
Click Save to save your changes to the server.
Note
To publish your changes, click the Submit button on the toolbar.
Related Topics
• Working with Policies in Remote Access VPNs
• Managing Shared Policies in Policy View, page 6-35