||Start ASDM and choose . |
||Select the user you want to configure and click Edit. |
||In the left-hand pane, click VPN Policy. |
||Specify a group policy for the user. The user policy will inherit the attributes of this group policy. If there are other fields on this screen that are set to Inherit the configuration from the Default Group Policy, the attributes specified in this group policy will take precedence over those set in the Default Group Policy. |
||Specify which tunneling protocols are available for the user, or whether the value is inherited from the group policy.
Check the desired Tunneling Protocols check boxes to choose one of the following tunneling protocols:
Clientless SSL VPN (VPN via SSL/TLS) uses a web browser to establish a secure remote-access tunnel to the ASA; it requires neither a software nor a hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file shares (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
The SSL VPN Client lets users connect after downloading the Cisco AnyConnect Client application. Users use a clientless SSL VPN connection to download this application the first time. Client updates then occur automatically as needed whenever the user connects.
IPsec IKEv1—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and Cisco VPN client-to-LAN connections can use IPsec IKEv1.
IPsec IKEv2—Supported by the AnyConnect Secure Mobility Client. AnyConnect connections using IPsec with IKEv2 provide advanced features such as software updates, client profiles, GUI localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy.
L2TP over IPsec allows remote users with the VPN clients built into several common desktop and mobile operating systems to establish secure connections over the public IP network to the ASA and private corporate networks.
If no protocol is selected, an error message appears.
||Specify which filter (IPv4 or IPv6) to use, or whether to inherit the value from the group policy.
Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the ASA, based on criteria such as source address, destination address, and protocol.
- To configure filters and rules, choose
- Click Manage to display the ACL Manager pane, on which you can add, edit, and delete ACLs and ACEs.
||Specify whether to inherit the Connection Profile (tunnel group) lock or to use the selected tunnel group lock, if any.
Selecting a specific lock restricts users to remote access through this group only. Tunnel Group Lock restricts users by checking whether the group configured in the VPN client is the same as the user's assigned group. If it is not, the ASA prevents the user from connecting. If the Inherit check box is not checked, the default value is None.
||Specify whether to inherit the Store Password on Client System setting from the group.
Uncheck the Inherit check box to activate the Yes and No radio buttons. Click Yes to store the login password on the client system (potentially a less-secure option). Click No (the default) to require the user to enter the password with each connection. For maximum security, we recommend that you not allow password storage.
||Configure Connection Settings.|
- Specify an Access Hours policy to apply to this user, create a new access hours policy for the user, or leave the Inherit box checked. The default value is Inherit, or, if the Inherit check box is not checked, the default value is Unrestricted.
Click Manage to open the Add Time Range dialog box, in which you can specify a new set of access hours.
- Specify the number of simultaneous logins by the user. The Simultaneous Logins parameter specifies the maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.
While there is no maximum limit, allowing several simultaneous connections could compromise security and affect performance.
- Specify the Maximum Connect Time for the VPN connection in minutes. At the end of this time, the system terminates the connection.
If the Inherit check box is not checked, this parameter specifies the maximum user connection time in minutes. The minimum is 1 minute, and the maximum is 35791394 minutes (about 68 years). To allow unlimited connection time, check Unlimited (default).
- Specify the Idle Timeout for the VPN connection in minutes. If there is no communication activity on the connection in this period, the system terminates the connection.
If the Inherit check box is not checked, this parameter specifies the idle timeout in minutes. The minimum time is 1 minute, the maximum time is 10080 minutes, and the default is 30 minutes. To disable the idle timeout, check Unlimited.
||Configure Timeout Alerts. |
- Specify the Maximum Connection Time Alert Interval.
If you uncheck the Inherit check box, the Default check box is checked automatically. This sets the max connection alert interval to 30 minutes. If you want to specify a new value, uncheck Default and specify a session alert interval from 1 to 30 minutes.
- Specify the Idle Alert Interval.
If you uncheck the Inherit check box, the Default check box is checked automatically. This sets the idle alert interval to 30 minutes. If you want to specify a new value, uncheck Default and specify a session alert interval from 1 to 30 minutes.
||To set a dedicated IPv4 address for this user, enter an IPv4 address and subnet mask in the Dedicated IPv4 Address (Optional) area. |
||To set a dedicated IPv6 address for this user, enter an IPv6 address with an IPv6 prefix in the Dedicated IPv6 Address (Optional) area. The IPv6 prefix indicates the subnet on which the IPv6 address resides. |
||Configure specific Clientless SSL VPN or AnyConnect Client settings, by clicking on these options in the left-hand pane. To override each setting, uncheck the Inherit check box, and enter a new value. |
||Click OK to apply the changes to the running configuration. |
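Every value set in this procedure lands in the running configuration as a line under that user's `username <name> attributes` stanza, which makes the result easy to audit after the fact. The following script is an added example, not part of this guide or of Cisco's tooling: it parses a constructed excerpt of an ASA running-config and flags the per-user settings this procedure calls out as weaker (password storage enabled, more simultaneous logins than a chosen policy maximum, unlimited maximum connect time, unlimited idle timeout, no tunnel-group lock) and notes any user whose login count is 0. Keyword names and the `none` / `enable` values mirror the ASA CLI equivalents of the ASDM fields above; confirm them against your own `show running-config` output before relying on the checks. A keyword that is absent from a stanza means Inherit, so a clean result here says nothing about the group policy, which must be audited separately.

```python
"""Audit per-user VPN attributes in an ASA running-config (added example)."""
import re
from dataclasses import dataclass

# Constructed sample. Line syntax mirrors the 'username ... attributes'
# stanzas of an ASA running-config; password hashes are masked.
SAMPLE_CONFIG = """\
username alice password ***** encrypted
username alice attributes
 vpn-group-policy RemoteWorkers
 vpn-tunnel-protocol ssl-client ikev2
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 5
 vpn-session-timeout 720
 password-storage disable
 group-lock value RemoteAccess
username bob password ***** encrypted
username bob attributes
 vpn-group-policy RemoteWorkers
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
 group-lock none
username svc password ***** encrypted
username svc attributes
 vpn-group-policy RemoteWorkers
 vpn-simultaneous-logins 0
"""

STANZA_RE = re.compile(r"^username (\S+) attributes$")


@dataclass(frozen=True)
class Finding:
    user: str
    attribute: str
    severity: str  # "warn" for a weaker setting, "info" for a noteworthy one
    message: str


def parse_user_attributes(config: str) -> dict:
    """Return {username: {keyword: remainder}} for every 'username X attributes' stanza.

    Indented lines belong to the current stanza; any non-indented line ends it.
    'vpn-idle-timeout alert-interval N' is keyed separately so it does not
    overwrite the plain 'vpn-idle-timeout' value (same for vpn-session-timeout).
    """
    users = {}
    current = None
    for raw in config.splitlines():
        match = STANZA_RE.match(raw)
        if match:
            current = users.setdefault(match.group(1), {})
            continue
        if current is None or not raw.startswith(" "):
            current = None
            continue
        tokens = raw.split()
        if len(tokens) > 2 and tokens[1] == "alert-interval":
            current[" ".join(tokens[:2])] = " ".join(tokens[2:])
        else:
            current[tokens[0]] = " ".join(tokens[1:])
    return users


def audit_user(user: str, attrs: dict, max_logins: int = 3) -> list:
    """Apply the checks for one user. Absent keywords are inherited and not judged here."""
    findings = []
    if attrs.get("password-storage") == "enable":
        findings.append(Finding(user, "password-storage", "warn",
                                "login password is stored on the client system"))
    logins = attrs.get("vpn-simultaneous-logins")
    if logins is not None:
        count = int(logins)
        if count == 0:
            findings.append(Finding(user, "vpn-simultaneous-logins", "info",
                                    "set to 0: VPN login is disabled for this user"))
        elif count > max_logins:
            findings.append(Finding(user, "vpn-simultaneous-logins", "warn",
                                    f"{count} concurrent sessions allowed, policy maximum is {max_logins}"))
    if attrs.get("vpn-session-timeout") == "none":
        findings.append(Finding(user, "vpn-session-timeout", "warn",
                                "maximum connect time is unlimited"))
    if attrs.get("vpn-idle-timeout") == "none":
        findings.append(Finding(user, "vpn-idle-timeout", "warn",
                                "idle sessions are never terminated"))
    if attrs.get("group-lock") == "none":
        findings.append(Finding(user, "group-lock", "warn",
                                "user is not locked to a connection profile"))
    return findings


def audit_config(config: str, max_logins: int = 3) -> list:
    """Audit every user stanza in the config and return all findings."""
    return [finding
            for user, attrs in parse_user_attributes(config).items()
            for finding in audit_user(user, attrs, max_logins)]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.user}: {f.attribute}: {f.message}")
```

The default `max_logins` of 3 matches the Simultaneous Logins default described above; pass a lower value to enforce a stricter local policy. In the sample, `alice` produces no findings, `bob` trips every warning, and `svc` is reported only as informational because a count of 0 is a deliberate lockout rather than a weakness.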