ASDM Book 3 ASA 5515X 71 Vpn Config

User Manual: ASA 5515X


Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide.
Addresses, phone numbers, and fax numbers
are listed on the Cisco website at
www.cisco.com/go/offices.
Cisco ASA Series VPN ASDM
Configuration Guide
Software Version 7.1
For the ASA 5505, ASA 5510, ASA 5520, ASA 5540, ASA 5550, ASA 5512-X,
ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X,
and the ASA Services Module
Released: December 3, 2012
Updated: March 31, 2014
Text Part Number: N/A, Online only
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Cisco ASA Series VPN ASDM Configuration Guide
Copyright © 2012-2014 Cisco Systems, Inc. All rights reserved.
CONTENTS
About This Guide i
Document Objectives i
Related Documentation i
Conventions ii
Obtaining Documentation and Submitting a Service Request ii
PART 1 Configuring Site-to-Site and Client VPN
CHAPTER 2 VPN Wizards 2-1
VPN Overview 2-1
IPsec IKEv1 Remote Access Wizard 2-2
Remote Access Client 2-2
VPN Client Authentication Method and Tunnel Group Name 2-3
Client Authentication 2-3
User Accounts 2-4
Address Pool 2-4
Attributes Pushed to Client (Optional) 2-4
IKE Policy 2-5
IPsec Settings (Optional) 2-6
Summary 2-6
IPsec Site-to-Site VPN Wizard 2-7
Peer Device Identification 2-7
Traffic to Protect 2-7
Security 2-7
NAT Exempt 2-8
Summary 2-8
AnyConnect VPN Wizard 2-9
Connection Profile Identification 2-9
VPN Protocols 2-9
Client Images 2-10
Authentication Methods 2-10
Client Address Assignment 2-10
Network Name Resolution Servers 2-11
NAT Exempt 2-11
AnyConnect Client Deployment 2-11
Summary 2-11
Clientless SSL VPN Wizard 2-11
SSL VPN Interface 2-12
User Authentication 2-12
Group Policy 2-12
Bookmark List 2-13
Summary 2-13
CHAPTER 3 Configuring IKE, Load Balancing, and NAC 3-1
Enabling IKE on an Interface 3-1
Setting IKE Parameters for Site-to-Site VPN 3-2
IKE Parameters 3-2
NAT Transparency 3-2
Identity Sent to Peer 3-3
Session Control 3-3
IKE v2 Specific Settings 3-4
Creating IKE Policies 3-5
About IKE 3-5
Configuring IKE Policies 3-5
Adding an IKEv1 Policy 3-6
Adding an IKEv2 Policy 3-7
Assignment Policy 3-9
Configuring IPsec 3-9
Adding Crypto Maps 3-10
Creating an IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab 3-12
Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab 3-13
Creating IPsec Rule/Traffic Selection Tab 3-15
Pre-Fragmentation 3-17
Edit IPsec Pre-Fragmentation Policy 3-18
IPsec Transform Sets 3-18
Add/Edit IPsec Proposal (Transform Set) 3-19
Add/Edit IPsec Proposal 3-19
Configuring Load Balancing 3-20
Creating Virtual Clusters 3-20
Geographical Load Balancing 3-21
Comparing Load Balancing to Failover 3-22
Load Balancing Licensing Requirements 3-22
Eligible Clients 3-22
Load Balancing Prerequisites 3-23
Certificate Verification 3-23
Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard 3-23
Configuring Load Balancing (Without the Wizard) 3-25
Enable Clientless SSL VPN Load Balancing Using FQDNs 3-27
Setting Global NAC Parameters 3-27
Configuring Network Admission Control Policies 3-28
Add/Edit Posture Validation Exception 3-30
CHAPTER 4 General VPN Setup 4-1
AnyConnect Customization/Localization 4-1
AnyConnect Customization/Localization > Resources 4-2
AnyConnect Customization/Localization > Binary and Script 4-2
AnyConnect Customization/Localization > GUI Text and Messages 4-3
AnyConnect Customization/Localization > Customized Installer Transforms 4-4
AnyConnect Customization/Localization > Localized Installer Transforms 4-4
Client Software 4-4
Edit Client Update Entry 4-6
Default Tunnel Gateway 4-6
Group Policies 4-7
Configuring External Group Policies 4-8
Adding an LDAP or RADIUS Server to a Network (Client) Access External Group Policy 4-9
Configuring Network (Client) Access Internal Group Policies 4-9
Configuring General Attributes for an Internal Group Policy 4-9
Configuring Server Attributes for an Internal Group Policy 4-12
Configuring Split Tunneling for AnyConnect Traffic 4-13
Configuring VPN Policy Attributes for a Local User 4-16
Configuring a Browser Proxy for an Internal Group Policy 4-18
Configuring General AnyConnect Client Attributes for an Internal Group Policy 4-19
IPsec (IKEv1) Client 4-23
Configuring IPsec (IKEv1) Client Client Firewall Attributes for an Internal Group Policy 4-25
Configuring IPsec (IKEv1) Client Hardware Client Attributes for an Internal Group Policy 4-26
Configuring Clientless SSL VPN Internal Group Policies 4-29
Configuring Clientless SSL VPN General Attributes for an Internal Group Policy 4-29
Configuring the Clientless SSL VPN Access Portal for an Internal Group Policy 4-31
Configuring Portal Customization for a Clientless SSL VPN Internal Group Policy 4-33
Configuring Login Settings for a Clientless SSL VPN Internal Group Policy 4-33
Configuring Single Signon and Auto Signon Servers for a Clientless SSL VPN Access Internal Group Policy 4-33
Configuring Session Settings for Clientless SSL VPN Access 4-33
Configuring Site-to-Site Internal Group Policies 4-33
Defining Time Ranges 4-35
Add/Edit Time Range 4-35
Add/Edit Recurring Time Range 4-36
Access Control List Manager 4-36
Standard Access Control List 4-37
Extended Access Control List 4-37
Add/Edit/Paste ACE 4-38
Browse Source/Destination Address 4-40
Browse Source/Destination Port 4-40
Add TCP Service Group 4-40
Browse ICMP 4-41
Add ICMP Group 4-41
Browse Other 4-42
Add Protocol Group 4-42
Client Firewall with Local Printer and Tethered Device Support 4-43
Add/Edit Standard Access List Rule 4-47
Add/Edit Server and URL List 4-47
Add/Edit Server or URL 4-48
Configuring AnyConnect VPN Client Connections 4-48
Using AnyConnect Client Profiles 4-51
Importing an AnyConnect Client Profile 4-52
Exporting an AnyConnect Client Profile 4-52
Exempting AnyConnect Traffic from Network Address Translation 4-52
Configuring AnyConnect VPN Connections 4-57
Specifying a Device Certificate 4-58
Configuring Port Settings 4-59
Setting the Basic Attributes for an AnyConnect VPN Connection 4-59
Setting Advanced Attributes for a Connection Profile 4-61
Setting General Attributes for an AnyConnect SSL VPN Connection 4-61
Setting Client Addressing Attributes for an AnyConnect SSL VPN Connection 4-63
Configuring Authentication Attributes for a Connection Profile 4-63
Configuring Secondary Authentication Attributes for an SSL VPN Connection Profile 4-64
Configuring Authorization Attributes for an SSL VPN Connection Profile 4-66
Adding or Editing Content to a Script for Certificate Pre-Fill-Username 4-67
Configuring AnyConnect Secure Mobility 4-69
Add or Edit MUS Access Control 4-71
Configuring Clientless SSL VPN Connections 4-71
Add or Edit Clientless SSL VPN Connections 4-72
Add or Edit Clientless SSL VPN Connections > Basic 4-72
Add or Edit Clientless SSL VPN Connections > Advanced 4-73
Add or Edit Clientless SSL VPN Connections > Advanced > General 4-73
Add or Edit Clientless or SSL VPN Client Connection Profile or IPsec Connection Profiles > Advanced > Authentication 4-74
Assign Authentication Server Group to Interface 4-74
Add or Edit SSL VPN Connections > Advanced > Authorization 4-74
Assign Authorization Server Group to Interface 4-75
Add or Edit SSL VPN Connections > Advanced > SSL VPN 4-75
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN 4-76
Add or Edit Clientless SSL VPN Connections > Advanced > NetBIOS Servers 4-77
Configure DNS Server Groups 4-78
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN 4-78
IPsec Remote Access Connection Profiles 4-78
Add or Edit an IPsec Remote Access Connection Profile 4-79
Add or Edit IPsec Remote Access Connection Profile Basic 4-79
Mapping Certificates to IPsec or SSL VPN Connection Profiles 4-80
Site-to-Site Connection Profiles 4-84
Add/Edit Site-to-Site Connection 4-85
Adding or Editing a Site-to-Site Tunnel Group 4-86
Crypto Map Entry 4-88
Crypto Map Entry for Static Peer Address 4-89
Managing CA Certificates 4-90
Install Certificate 4-90
Configure Options for CA Certificate 4-90
Revocation Check Dialog Box 4-90
Add/Edit Remote Access Connections > Advanced > General 4-91
Configuring Client Addressing 4-92
Add/Edit Connection Profile > General > Authentication 4-95
Add/Edit SSL VPN Connection > General > Authorization 4-95
Add/Edit SSL VPN Connections > Advanced > Accounting 4-96
Add/Edit Tunnel Group > General > Client Address Assignment 4-97
Add/Edit Tunnel Group > General > Advanced 4-97
Add/Edit Tunnel Group > IPsec for Remote Access > IPsec 4-98
Add/Edit Tunnel Group for Site-to-Site VPN 4-99
Add/Edit Tunnel Group > PPP 4-100
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > General > Basic 4-100
Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec 4-102
Clientless SSL VPN Access > Connection Profiles > Add/Edit > General > Basic 4-103
Configuring Internal Group Policy IPsec Client Attributes 4-104
Configuring Client Addressing for SSL VPN Connections 4-106
Assign Address Pools to Interface 4-106
Select Address Pools 4-106
Add or Edit an IP Address Pool 4-107
Authenticating SSL VPN Connections 4-107
System Options 4-107
Zone Labs Integrity Server 4-108
Easy VPN Remote 4-109
Advanced Easy VPN Properties 4-111
AnyConnect Essentials 4-113
DTLS Settings 4-113
AnyConnect VPN Client Images 4-114
Add/Replace AnyConnect VPN Client Image 4-114
Upload Image 4-115
Bypass Interface ACL 4-115
Configuring AnyConnect Host Scan 4-115
Host Scan Dependencies and System Requirements 4-116
Dependencies 4-116
System Requirements 4-116
Licensing 4-116
Entering an Activation Key to Support Advanced Endpoint Assessment 4-117
Host Scan Packaging 4-117
Installing and Enabling Host Scan on the ASA 4-117
Installing or Upgrading Host Scan 4-118
Enabling or Disabling Host Scan 4-119
Enabling or Disabling CSD on the ASA 4-119
Viewing the Host Scan Version Enabled on the ASA 4-120
Uninstalling Host Scan 4-120
Uninstalling CSD from the ASA 4-120
Assigning AnyConnect Posture Module to a Group Policy 4-121
Other Important Documentation Addressing Host Scan 4-121
Configuring Maximum VPN Sessions 4-122
Configuring the Pool of Cryptographic Cores 4-122
CHAPTER 5 Configuring IP Addresses for VPNs 5-1
Configuring an IP Address Assignment Policy 5-1
Configuring IP Address Assignment Options using ASDM 5-2
Viewing Address Assignment Methods 5-3
Viewing IPv4 and IPv6 Address Assignments using ASDM 5-3
Configuring Local IP Address Pools 5-3
Configuring Local IPv4 Address Pools Using ASDM 5-3
Configuring Local IPv6 Address Pools Using ASDM 5-4
Configuring DHCP Addressing 5-5
Assigning IP addresses using DHCP 5-5
Configure Your DHCP Servers 5-5
Assign the DHCP IP Addressing to a Group Policy 5-5
Assigning IP Addresses to Local Users 5-6
CHAPTER 6 Configuring Dynamic Access Policies 6-1
Information About Dynamic Access Policies 6-1
DAP and Endpoint Security 6-2
DAP Support for Remote Access Connection Types 6-2
Remote Access Connection Sequence with DAPs 6-2
Licensing Requirements for Dynamic Access Policies 6-3
Advanced Endpoint Assessment license 6-3
SSL VPN license (client) 6-3
AnyConnect Mobile License 6-3
Dynamic Access Policies Interface 6-4
Configuring Dynamic Access Policies 6-6
Testing Dynamic Access Policies 6-8
DAP and Authentication, Authorization, and Accounting Services 6-9
Configuring AAA Attributes in a DAP 6-9
Retrieving Active Directory Groups 6-11
Configuring Endpoint Attributes Used in DAPs 6-13
Adding an Anti-Spyware or Anti-Virus Endpoint Attribute to a DAP 6-14
Adding an Application Attribute to a DAP 6-15
Adding Mobile Posture Attributes to a DAP 6-16
Adding a File Endpoint Attribute to a DAP 6-17
Adding a Device Endpoint Attribute to a DAP 6-18
Adding a NAC Endpoint Attribute to a DAP 6-19
Adding an Operating System Endpoint Attribute to a DAP 6-20
Adding a Personal Firewall Endpoint Attribute to a DAP 6-20
Adding a Policy Endpoint Attribute to a DAP 6-21
Adding a Process Endpoint Attribute to a DAP 6-22
Adding a Registry Endpoint Attribute to a DAP 6-23
DAP and AntiVirus, AntiSpyware, and Personal Firewall Programs 6-24
Endpoint Attribute Definitions 6-24
Configuring DAP Access and Authorization Policy Attributes 6-27
Performing a DAP Trace 6-31
Guide to Creating DAP Logical Expressions using LUA 6-31
Syntax for Creating Lua EVAL Expressions 6-32
The DAP CheckAndMsg Function 6-33
Additional Lua Functions 6-35
CheckAndMsg with Custom Function Example 6-38
Further Information on Lua 6-38
Operator for Endpoint Category 6-38
DAP Examples 6-38
CHAPTER 7 E-Mail Proxy 7-1
Configuring E-Mail Proxy 7-1
AAA 7-2
POP3S Tab 7-2
IMAP4S Tab 7-4
SMTPS Tab 7-5
Access 7-7
Edit E-Mail Proxy Access 7-8
Authentication 7-8
Default Servers 7-10
Delimiters 7-11
CHAPTER 8 Monitoring VPN 8-1
VPN Connection Graphs 8-1
IPsec Tunnels 8-1
Sessions 8-2
VPN Statistics 8-2
Sessions Window 8-2
Viewing Active AnyConnect Sessions 8-5
Viewing VPN Sessions Details 8-6
Cluster Loads 8-8
Crypto Statistics 8-9
Compression Statistics 8-9
Encryption Statistics 8-9
Global IKE/IPsec Statistics 8-10
NAC Session Summary 8-10
Protocol Statistics 8-11
VLAN Mapping Sessions 8-11
SSO Statistics for Clientless SSL VPN Session 8-11
VPN Connection Status for the Easy VPN Client 8-13
CHAPTER 9 Configuring SSL Settings 9-1
SSL Settings 9-1
SSL 9-2
CHAPTER 10 Configuring an External Server for Authorization and Authentication 10-1
Understanding Policy Enforcement of Authorization Attributes 10-1
Defining the ASA LDAP Configuration 10-2
Guidelines 10-2
Active Directory/LDAP VPN Remote Access Authorization Examples 10-2
User-Based Attributes Policy Enforcement 10-3
Placing LDAP Users in a Specific Group Policy 10-5
Enforcing Static IP Address Assignment for AnyConnect Tunnels 10-7
Enforcing Dial-in Allow or Deny Access 10-9
Enforcing Logon Hours and Time-of-Day Rules 10-12
Example of Creating a Group Policy for a Local User 10-13
PART 2 Configuring a Clientless SSL VPN
CHAPTER 11 Introduction to Clientless SSL VPN 11-1
Introduction to Clientless SSL VPN 11-1
Prerequisites 11-2
Guidelines and Limitations 11-2
CHAPTER 12 Basic Clientless SSL VPN Configuration 12-1
Clientless SSL VPN Security Precautions 12-1
Configuring Clientless SSL VPN Access 12-2
Verifying Clientless SSL VPN Server Certificates 12-3
Java Code Signer 12-6
Configuring Browser Access to Plug-ins 12-7
Preparing the Security Appliance for a Plug-in 12-8
Installing Plug-ins Redistributed by Cisco 12-8
Providing Access to a Citrix XenApp Server 12-10
Preparing the Citrix XenApp Server for Clientless SSL VPN Access 12-10
Creating and Installing the Citrix Plug-in 12-11
Configuring Port Forwarding 12-11
Information About Port Forwarding 12-12
Configuring DNS for Port Forwarding 12-13
Making Applications Eligible for Port Forwarding 12-16
Adding/Editing a Port Forwarding Entry 12-16
Assigning a Port Forwarding List 12-16
Enabling and Switching off Port Forwarding 12-17
Configuring File Access 12-17
CIFS File Access Requirement and Limitation 12-18
Adding Support for File Access 12-18
Ensuring Clock Accuracy for SharePoint Access 12-18
Virtual Desktop Infrastructure (VDI) 12-19
Citrix Mobile Support 12-19
Supported Mobile Devices 12-19
Limitations 12-19
About Citrix Mobile Receiver User Logon 12-20
Configuring the ASA to Proxy a Citrix Server 12-20
Configuring a VDI Server 12-20
Configuring a VDI Proxy Server 12-21
Assigning a VDI Server to a Group Policy 12-21
Configuring ACLs 12-22
Adding or Editing ACEs 12-23
Configuration Examples for ACLs for Clientless SSL VPN 12-24
Configuring Browser Access to Client-Server Plug-ins 12-24
About Installing Browser Plug-ins 12-24
RDP Plug-in ActiveX Debug Quick Reference 12-26
Preparing the Security Appliance for a Plug-in 12-26
CHAPTER 13 Advanced Clientless SSL VPN Configuration 13-1
Microsoft Kerberos Constrained Delegation Solution 13-1
Requirements 13-1
Understanding How KCD Works 13-2
Authentication Flow with KCD 13-2
Adding a Windows Service Account in Active Directory 13-4
Configuring DNS for KCD 13-4
Configuring the ASA to Join the Active Directory Domain 13-5
Configuring the Use of External Proxy Servers 13-7
SSO Servers 13-8
Configuring SiteMinder and SAML Browser Post Profile 13-8
Adding the Cisco Authentication Scheme to SiteMinder 13-10
Adding or Editing SSO Servers 13-10
Configuring Kerberos Server Groups 13-11
Configuring Bookmarks to Access the Kerberos Authenticated Services 13-13
Configuring Application Profile Customization Framework 13-13
Restrictions 13-13
Managing APCF Profiles 13-13
Uploading APCF Packages 13-14
Managing APCF Packets 13-14
APCF Syntax 13-15
Configuring Session Settings 13-18
Encoding 13-19
Content Cache 13-20
Content Rewrite 13-21
Configuration Example for Content Rewrite Rules 13-22
Using Email over Clientless SSL VPN 13-23
Configuring Email Proxies 13-23
Configuring Web email: MS Outlook Web App 13-23
Configuring Bookmarks 13-23
Adding a Bookmark for a URL with a GET or Post Method 13-24
Adding a URL for a Predefined Application Template 13-26
Adding a Bookmark for an Auto Sign-On Application 13-27
Importing and Exporting a Bookmark List 13-28
Importing and Exporting GUI Customization Objects (Web Contents) 13-29
Adding and Editing Post Parameters 13-29
Configuration Example for Setting a Bookmark or URL Entry 13-31
Configuration Example for Configuring File Share (CIFS) URL Substitutions 13-31
Customizing External Ports 13-32
CHAPTER 14 Configuring Policy Groups 14-1
Configuring Smart Tunnel Access 14-1
Configuring Smart Tunnel Access 14-1
About Smart Tunnels 14-1
Why Smart Tunnels? 14-2
Configuring a Smart Tunnel (Lotus Example) 14-3
Simplifying Configuration of Which Applications to Tunnel 14-4
Adding Applications to Be Eligible for Smart Tunnel Access 14-5
About Smart Tunnel Lists 14-7
Creating a Smart Tunnel Auto Sign-On Server List 14-8
Adding Servers to a Smart Tunnel Auto Sign-On Server List 14-8
Enabling and Switching Off Smart Tunnel Access 14-9
Configuring Smart Tunnel Log Off 14-10
When Its Parent Process Terminates 14-10
With a Notification Icon 14-10
Using Proxy Bypass 14-11
Configuring Portal Access Rules 14-11
CHAPTER 15 Clientless SSL VPN Remote Users 15-1
Requiring Usernames and Passwords 15-1
Communicating Security Tips 15-2
Configuring Remote Systems to Use Clientless SSL VPN Features 15-2
Capturing Clientless SSL VPN Data 15-7
Creating a Capture File 15-8
Using a Browser to Display Capture Data 15-8
CHAPTER 16 Configuring Clientless SSL VPN Users 16-1
Overview 16-1
Defining the End User Interface 16-1
Viewing the Clientless SSL VPN Home Page 16-2
Viewing the Clientless SSL VPN Application Access Panel 16-2
Viewing the Floating Toolbar 16-3
Managing Passwords 16-4
Adding the Cisco Authentication Scheme to SiteMinder 16-5
Configuring the SAML POST SSO Server 16-5
Configuring SSO with the HTTP Form Protocol 16-6
Gathering HTTP Form Data 16-7
Using Auto Sign-On 16-10
Requiring Usernames and Passwords 16-12
Communicating Security Tips 16-12
Configuring Remote Systems to Use Clientless SSL VPN Features 16-12
Starting Clientless SSL VPN 16-13
Using the Clientless SSL VPN Floating Toolbar 16-13
Browsing the Web 16-14
Browsing the Network (File Management) 16-14
Using the Remote File Explorer 16-15
Using Port Forwarding 16-16
Using email Via Port Forwarding 16-18
Using email Via Web Access 16-18
Using email Via email Proxy 16-18
Using Smart Tunnel 16-19
CHAPTER 17 Using Clientless SSL VPN with Mobile Devices 17-1
Using Clientless SSL VPN with Mobile Devices 17-1
Restrictions 17-1
CHAPTER 18 Customizing Clientless SSL VPN 18-1
Customizing the Clientless SSL VPN User Experience 18-1
Customizing the Logon Page with the Customization Editor 18-1
Replacing the Logon Page with your own Fully Customized Page 18-3
Creating the Custom Login Screen File 18-4
Importing the File and Images 18-5
Configuring the Security Appliance to use the Custom Login Screen 18-5
Clientless SSL VPN End User Setup 18-6
Defining the End User Interface 18-6
Viewing the Clientless SSL VPN Home Page 18-7
Viewing the Clientless SSL VPN Application Access Panel 18-7
Viewing the Floating Toolbar 18-7
Customizing Clientless SSL VPN Pages 18-8
Information About Customization 18-9
Exporting a Customization Template 18-9
Editing the Customization Template 18-9
Login Screen Advanced Customization 18-15
Modifying Your HTML File 18-17
Customizing the Portal Page 18-18
Configuring Custom Portal Timeout Alerts 18-19
Specifying a Custom Timeout Alert in a Customization Object File 18-19
Customizing the Logout Page 18-20
Customizing the External Portal Page 18-21
Adding Customization Object 18-21
Importing/Exporting Customization Object 18-22
Creating XML-Based Portal Customization Objects and URL Lists 18-22
Understanding the XML Customization File Structure 18-23
Configuration Example for Customization 18-26
Using the Customization Template 18-29
The Customization Template 18-29
Help Customization 18-41
Customizing a Help File Provided by Cisco 18-42
Creating Help Files for Languages Not Provided by Cisco 18-43
Import/Export Application Help Content 18-44
Customizing a Help File Provided by Cisco 18-45
Creating Help Files for Languages Not Provided by Cisco 18-46
Customizing Bookmark Help 18-46
Customizing a Help File Provided By Cisco 18-47
Creating Help Files for Languages Not Provided by Cisco 18-48
Translating the Language of User Messages 18-48
Understanding Language Translation 18-48
Editing a Translation Table 18-49
Adding a Translation Table 18-50
Importing/Exporting Language Localization 18-50
CHAPTER 19 Clientless SSL VPN Troubleshooting 19-1
Closing Application Access to Prevent hosts File Errors 19-1
Recovering from Hosts File Errors When Using Application Access 19-1
Understanding the hosts File 19-2
Stopping Application Access Improperly 19-2
Reconfiguring a Host’s File Automatically Using Clientless SSL VPN 19-2
Reconfiguring hosts File Manually 19-3
Sending an Administrator’s Alert to Clientless SSL VPN Users 19-4
CHAPTER 20 Clientless SSL VPN Licensing 20-1
Licensing 20-1
INDEX
About This Guide
This preface introduces Cisco ASA Series VPN ASDM Configuration Guide and includes the following
sections:
Document Objectives, page 1
Related Documentation, page 1
Conventions, page 2
Obtaining Documentation and Submitting a Service Request, page 2
Document Objectives
The purpose of this guide is to help you configure VPN on the ASA using ASDM. This guide does not
cover every feature, but describes only the most common configuration scenarios.
This guide applies to the Cisco ASA series. Throughout this guide, the term “ASA” applies generically
to supported models, unless specified otherwise.
Note ASDM supports many ASA versions. The ASDM documentation and online help includes all of the
latest features supported by the ASA. If you are running an older version of ASA software, the
documentation might include features that are not supported in your version. Similarly, if a feature was
added into a maintenance release for an older major or minor version, then the ASDM documentation
includes the new feature even though that feature might not be available in all later ASA releases. Please
refer to the feature history table for each chapter to determine when features were added. For the
minimum supported version of ASDM for each ASA version, see Cisco ASA Series Compatibility.
Related Documentation
For more information, see Navigating the Cisco ASA Series Documentation at
http://www.cisco.com/go/asadocs.
Conventions
This document uses the following conventions:

Convention            Indication
bold font             Commands and keywords and user-entered text appear in bold font.
italic font           Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ]                   Elements in square brackets are optional.
{x | y | z }          Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ]         Optional alternative keywords are grouped in brackets and separated by vertical bars.
string                A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font          Terminal sessions and information the system displays appear in courier font.
courier bold font     Commands and keywords and user-entered text appear in bold courier font.
courier italic font   Arguments for which you supply values are in courier italic font.
< >                   Nonprinting characters such as passwords are in angle brackets.
[ ]                   Default responses to system prompts are in square brackets.
!, #                  An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note Means reader take note.
Tip Means the following information will help you solve a problem.
Caution Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
PART 1
Configuring Site-to-Site and Client VPN
CHAPTER 2
VPN Wizards
The ASA provides Secure Sockets Layer (SSL) remote access connectivity from almost any
Internet-enabled location using only a web browser and its native SSL encryption. Clientless,
browser-based VPN lets users establish a secure, remote-access VPN tunnel to the adaptive security
appliance using a web browser. After authentication, users access a portal page and can access specific,
supported internal resources. The network administrator provides access to resources by users on a group
basis. Users have no direct access to resources on the internal network.
The Cisco AnyConnect VPN client provides secure SSL connections to the ASA for remote users with
full VPN tunneling to corporate resources. Without a previously installed client, remote users enter in
their browser the IP address of an ASA interface configured to accept clientless VPN connections. The ASA
downloads the client that matches the operating system of the remote computer. After downloading, the
client installs and configures itself, establishes a secure connection, and either remains or uninstalls itself
(depending on the ASA configuration) when the connection terminates. If a client is already
installed, the ASA examines the client revision when the user authenticates and upgrades
the client as necessary.
With the addition of IKEv2 support in release 8.4, the end user can have the same experience
independent of the tunneling protocol used by the AnyConnect client session. This addition allows other
vendors’ VPN clients to connect to the ASAs. This support enhances security and complies with the
IPsec remote access requirements defined in federal and public sector mandates.
The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections and assign
either preshared keys or digital certificates for authentication. Use ASDM to edit and configure advanced
features.
VPN Overview
The ASA creates a virtual private network (VPN) by establishing a secure connection across a TCP/IP network
(such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections
and LAN-to-LAN connections.
For LAN-to-LAN connections that involve both IPv4 and IPv6 addressing, the security appliance supports
VPN tunnels only if both peers are Cisco ASA 5500 series security appliances and both inside networks
use the same address family (both IPv4 or both IPv6). This is also true if both peer inside
networks are IPv6 and the outside network is IPv6.
The secure connection is called a tunnel, and the ASA uses tunneling protocols to negotiate security
parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel,
and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain
packets, encapsulate them, and send them to the other end of the tunnel where they are unencapsulated
and sent to their final destination. It can also receive encapsulated packets, unencapsulate them, and send
them to their final destination.
The four VPN wizards described in this section are as follows:
IPsec IKEv1 Remote Access Wizard
IPsec Site-to-Site VPN Wizard
AnyConnect VPN Wizard
Clientless SSL VPN Wizard
IPsec IKEv1 Remote Access Wizard
Use the IKEv1 Remote Access Wizard to configure secure remote access for VPN clients, such as mobile
users, and to identify the interface that connects to the remote IPsec peer.
Fields
VPN Tunnel Interface—Choose the interface that establishes a secure tunnel with the remote IPsec
peer. If the ASA has multiple interfaces, you need to plan the VPN configuration before running this
wizard, identifying the interface to use for each remote IPsec peer with which you plan to establish
a secure connection.
Enable inbound IPsec sessions to bypass interface access lists—Enable IPsec authenticated inbound
sessions to always be permitted through the security appliance (that is, without a check of the
interface access-list statements). Be aware that the inbound sessions bypass only the interface ACLs.
Configured group-policy, user, and downloaded ACLs still apply.
Remote Access Client
Remote access users of various types can open VPN tunnels to this ASA. Choose the type of VPN client
for this tunnel.
Fields
VPN Client Type
Cisco VPN Client, Release 3.x or higher, or an Easy VPN Remote product.
Microsoft Windows client using L2TP over IPsec—Specify the PPP authentication protocol.
The choices are PAP, CHAP, MS-CHAP-V1, MS-CHAP-V2, and EAP-PROXY:
PAP—Passes the cleartext username and password during authentication and is not secure.
CHAP—In response to the server challenge, the client returns a hash of the challenge plus the
password, together with a cleartext username. This protocol is more secure than PAP, but it does
not encrypt data.
MS-CHAP, Version 1—Similar to CHAP, but the server stores and compares password hashes rather
than the cleartext passwords that CHAP requires.
MS-CHAP, Version 2—Contains security enhancements over MS-CHAP, Version 1, including mutual
authentication.
EAP-Proxy—Enables EAP, which permits the ASA to proxy the PPP authentication process to
an external RADIUS authentication server.
All three challenge-based methods can be attacked offline by anyone who captures the exchange.
With L2TP over IPsec the PPP exchange runs inside the IPsec tunnel, so it is the IPsec peer
authentication, not the PPP method, that keeps these credentials off the wire.
If a protocol is not specified on the remote client, do not specify it.
Specify if the client will send tunnel group name as username@tunnelgroup.
VPN Client Authentication Method and Tunnel Group Name
Use the VPN Client Authentication Method and Name pane to configure an authentication method and
create a connection policy (tunnel group).
Fields
Authentication Method—The remote site peer authenticates either with a preshared key or a
certificate.
Pre-shared Key—Click to use a preshared key for authentication between the local ASA and the
remote IPsec peer.
Using a preshared key is a quick and easy way to set up communication with a limited number
of remote peers and a stable network. It may cause scalability problems in a large network
because each IPsec peer requires configuration information for each peer with which it
establishes secure connections.
Each pair of IPsec peers must exchange preshared keys to establish secure tunnels. Use a secure
method to exchange the preshared key with the administrator of the remote site.
Pre-shared Key—Type an alphanumeric string between 1 and 128 characters. Use a long, randomly
generated key: a remote access group key is shared by every client in the group, and if inbound
Aggressive mode connections are allowed (see Chapter 3), a guessable key can be recovered offline
from a single IKE exchange.
Certificate—Click to use certificates for authentication between the local ASA and the remote
IPsec peer. To complete this section, you must have previously enrolled with a CA and
downloaded one or more certificates to the ASA.
You can efficiently manage the security keys used to establish an IPsec tunnel with digital
certificates. A digital certificate contains information that identifies a user or device, such as a
name, serial number, company, department or IP address. A digital certificate also contains a
copy of the public key.
To use digital certificates, each peer enrolls with a certification authority (CA), which is
responsible for issuing digital certificates. A CA can be a trusted vendor or a private CA that
you establish within an organization.
When two peers want to communicate, they exchange certificates and digitally sign data to
authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none
of the other peers require additional configuration.
Certificate Signing Algorithm—Displays the algorithm for signing digital certificates, rsa-sig
for RSA.
Challenge/response authentication (CRACK)—Provides strong mutual authentication when the
client authenticates using a popular method such as RADIUS and the server uses public key
authentication. The security appliance supports CRACK as an IKE option in order to
authenticate the Nokia VPN Client on Nokia 92xx Communicator Series devices.
Tunnel Group Name—Type a name to create the record that contains tunnel connection policies for
this IPsec connection. A connection policy can specify authentication, authorization, and accounting
servers, a default group policy, and IKE attributes. A connection policy that you configure with this
VPN wizard specifies an authentication method and uses the ASA Default Group Policy.
Client Authentication
Use the Client Authentication pane to select the method by which the ASA authenticates remote users.
Fields
Select one of the following options:
Authenticate using the local user database—Click to use authentication internal to the ASA. Use this
method for environments with a small, stable number of users. The next pane lets you create
accounts on the ASA for individual users.
Authenticate using an AAA server group—Click to use an external server group for remote user
authentication.
AAA Server Group Name—Choose a AAA server group configured previously.
New...—Click to configure a new AAA server group.
User Accounts
Use the User Accounts pane to add new users to the ASA internal user database for authentication
purposes.
Fields
Use the fields in this section to add a user.
Username—Enter the username.
Password—(Optional) Enter a password.
Confirm Password—(Optional) Reenter the password.
Add—Click to add a user to the database after you have entered the username and optional
password.
Delete—To remove a user from the database, highlight the appropriate username and click Delete.
Address Pool
Use the Address Pool pane to configure a pool of local IP addresses that the ASA assigns to remote VPN
clients.
Fields
Tunnel Group Name—Displays the name of the connection profile (tunnel group) to which this
address pool applies. You set this name in the VPN Client and Authentication Method pane (step 3).
Pool Name—Select a descriptive identifier for the address pool.
New...—Click to configure a new address pool.
Range Start Address—Type the starting IP address in the address pool.
Range End Address—Type the ending IP address in the address pool.
Subnet Mask—(Optional) Choose the subnet mask for these IP addresses.
Attributes Pushed to Client (Optional)
Use the Attributes Pushed to Client (Optional) pane to have the ASA pass information about DNS and
WINS servers and the default domain name to remote access clients.
Fields
Tunnel Group—Displays the name of the connection policy to which the address pool applies. You
set this name in the VPN Client Name and Authentication Method pane.
Primary DNS Server—Type the IP address of the primary DNS server.
Secondary DNS Server—Type the IP address of the secondary DNS server.
Primary WINS Server—Type the IP address of the primary WINS server.
Secondary WINS Server— Type the IP address of the secondary WINS server.
Default Domain Name—Type the default domain name.
IKE Policy
IKE, also called Internet Security Association and Key Management Protocol (ISAKMP), is the
negotiation protocol that lets two hosts agree on how to build an IPsec Security Association. Each IKE
negotiation is divided into two sections called Phase1 and Phase 2.
Phase 1 creates the first tunnel, which protects later IKE negotiation messages.
Phase 2 creates the tunnel that protects data.
Use the IKE Policy pane to set the terms of the Phase 1 IKE negotiations, which include the following:
An encryption method to protect the data and ensure privacy.
An authentication method to ensure the identity of the peers.
A Diffie-Hellman group to establish the strength of the encryption-key-determination
algorithm. The ASA uses this algorithm to derive the encryption and hash keys.
Fields
Encryption—Select the symmetric encryption algorithm the ASA uses to establish the Phase 1 SA
that protects Phase 2 negotiations. The ASA supports the following encryption algorithms:
Algorithm  Explanation
DES        Data Encryption Standard. Uses a 56-bit key.
3DES       Triple DES. Performs DES three times with three 56-bit keys (168 bits of key material).
AES-128    Advanced Encryption Standard. Uses a 128-bit key.
AES-192    AES using a 192-bit key.
AES-256    AES using a 256-bit key.
The default, 3DES, is more secure than DES but requires more processing for encryption and
decryption. Similarly, the AES options provide increased security but also require increased
processing. DES is considered broken by current standards; prefer an AES option wherever the
peer supports it.
Authentication—Choose the hash algorithm used for authentication and ensuring data integrity. The
default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There
has been a demonstrated (but extremely difficult) collision attack against MD5. The keyed-hash
message authentication code (HMAC) construction used by the ASA is not affected by that attack,
but SHA remains the better choice.
Diffie-Hellman Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use
to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit
Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Note The default value for the VPN 3000 Series Concentrator is MD5. A connection between the ASA and
the VPN Concentrator requires that the authentication method for Phase I and II IKE negotiations be the
same on both sides of the connection.
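The IKE Policy pane describes these fields one at a time; the Python model below, added here as an illustration and not Cisco's code, puts them together. It shows how the responder picks a Phase 1 policy from what the initiator offers (the responder walks its own policies in priority order and takes the first one an initiator proposal matches exactly, which is how IKEv1 negotiation behaves on Cisco devices), why a peer that insists on a different hash or authentication method gets no Phase 1 SA at all (the situation the VPN Concentrator note warns about), and which choices on this pane the text rates as weaker. The policy values, the client proposals and the weak-algorithm sets are assumptions constructed for the example.

```python
"""IKEv1 Phase 1 policy selection and a weak-setting check.

Added illustration, not Cisco code. IkePolicy mirrors the fields of the
IKE Policy pane; the policy values and the WEAK_* sets are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int           # lower number is tried first by the responder
    encryption: str         # des, 3des, aes-128, aes-192, aes-256
    hash: str               # md5 or sha
    authentication: str     # pre-share, rsa-sig or crack
    dh_group: int           # 1, 2, 5, ...
    lifetime: int = 86400   # seconds; not part of the match below


# Choices the pane's own text describes as weaker (assumption: tune to your policy).
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1, 2}


def _attrs(p: IkePolicy):
    return (p.encryption, p.hash, p.authentication, p.dh_group)


def negotiate(initiator_proposals: Iterable[IkePolicy],
              responder_policies: Iterable[IkePolicy]) -> Optional[IkePolicy]:
    """Responder-side Phase 1 selection.

    The responder walks its own policies in priority order and returns the
    first one that some initiator proposal matches exactly on encryption,
    hash, authentication method and DH group. None means Phase 1 fails:
    the two sides never agree on a policy, which is what happens when the
    authentication or hash method differs between peers.
    """
    offered = {_attrs(p) for p in initiator_proposals}
    for policy in sorted(responder_policies, key=lambda p: p.priority):
        if _attrs(policy) in offered:
            return policy
    return None


def lint(policy: IkePolicy) -> List[str]:
    """Return findings for settings this pane's text calls less secure."""
    findings = []
    if policy.encryption in WEAK_ENCRYPTION:
        findings.append(f"policy {policy.priority}: encryption {policy.encryption} is weak")
    if policy.hash in WEAK_HASH:
        findings.append(f"policy {policy.priority}: hash {policy.hash} is weak")
    if policy.dh_group in WEAK_DH_GROUPS:
        findings.append(f"policy {policy.priority}: DH group {policy.dh_group} is weak")
    return findings


# Constructed sample: an ASA with a hardened policy ahead of the wizard default,
# and two clients, one of which only offers MD5.
ASA_POLICIES = [
    IkePolicy(10, "aes-256", "sha", "pre-share", 5),
    IkePolicy(20, "3des", "sha", "pre-share", 2),   # the wizard's defaults
]
CLIENT_PROPOSALS = [
    IkePolicy(1, "3des", "sha", "pre-share", 2),
    IkePolicy(2, "aes-256", "sha", "pre-share", 5),
]
MD5_CLIENT_PROPOSALS = [IkePolicy(1, "3des", "md5", "pre-share", 2)]


def demo():
    """Negotiate for both clients and lint the ASA's policy set."""
    chosen = negotiate(CLIENT_PROPOSALS, ASA_POLICIES)
    failed = negotiate(MD5_CLIENT_PROPOSALS, ASA_POLICIES)
    findings = [f for p in ASA_POLICIES for f in lint(p)]
    return chosen, failed, findings


if __name__ == "__main__":
    chosen, failed, findings = demo()
    print("negotiated:", chosen)
    print("md5-only client:", "Phase 1 failed" if failed is None else failed)
    print("\n".join(findings))
```

Note that the first client is steered to the AES-256 policy even though it listed 3DES first: the responder's priority order, not the initiator's, decides. Keeping the wizard's 3DES/Group 2 default as a lower-priority fallback is what lets older peers connect, and it is also what the linter flags.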
IPsec Settings (Optional)
Use the IPsec Settings (Optional) pane to identify local hosts/networks which do not require address
translation. By default, the ASA hides the real IP addresses of internal hosts and networks from outside
hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by
untrusted outside hosts but may be improper for those who have been authenticated and protected by
VPN.
For example, an inside host using dynamic NAT has its IP address translated by matching it to a
randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN
clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these
hosts, unless you configure a NAT exemption rule.
Note If you want all hosts and networks to be exempt from NAT, configure nothing on this pane. If you have
even one entry, all other hosts and networks are subject to NAT.
Fields
Interface—Choose the name of the interface that connects to the hosts or networks you have
selected.
Exempt Networks—Select the IP address of the host or network that you want to exempt from the
chosen interface network.
Enable split tunneling—Select to have traffic from remote access clients destined for the public
Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted,
while traffic to unprotected networks is unencrypted. When you enable split tunneling, the ASA
pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client
encrypts traffic to the IP addresses that are behind the ASA. All other traffic travels unencrypted
directly to the Internet without involving the ASA. Because that traffic never reaches the ASA, none
of the ASA's inspection or access rules apply to it, while the client simultaneously has a path into
the protected network; weigh that exposure against the bandwidth saved before enabling the option.
Enable Perfect Forward Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the
size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic property under
which each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are derived from
Phase 1 keys unless PFS is enabled. With PFS, the peers perform a fresh Diffie-Hellman exchange for each
Phase 2 SA to generate its keys.
PFS ensures that a session key derived from a set of long-term public and private keys is not
compromised if one of the private keys is compromised in the future.
PFS must be enabled on both sides of the connection.
Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers
use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit
Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Summary
The Summary pane displays all of the attributes of this remote access VPN connection as configured.
Fields
Back—To make changes, click Back until you reach the appropriate pane.
Finish—When you are satisfied with the configuration, click Finish. ASDM saves the remote access
configuration. After you click Finish, you can no longer use the VPN wizard to make changes to this
configuration. Use ASDM to edit and configure advanced features.
Cancel—To remove the configuration, click Cancel.
IPsec Site-to-Site VPN Wizard
Use this wizard to set up new site-to-site VPN tunnels. A tunnel between two devices is called a
site-to-site tunnel and is bidirectional. A site-to-site VPN tunnel protects the data using the IPsec
protocol.
Peer Device Identification
Identify the peer VPN device by its IP address and the interface used to access the peer.
Fields
Peer IP Address—Configure the IP address of the other site (peer device).
VPN Access Interface—Select the interface to use for the site-to-site tunnel.
Traffic to Protect
This step lets you identify the local network and the remote network. Traffic between these networks is
protected with IPsec encryption.
Fields
Local Networks—Identify the local hosts or networks that are reachable through the IPsec tunnel.
Remote Networks—Identify the remote hosts or networks that are reachable through the IPsec tunnel.
Security
This step lets you configure the methods used to authenticate with the peer device. You can either choose
Simple Configuration and supply a preshared key, or select Customized Configuration for the more
advanced options described below.
Authentication Tab
IKE version 1
Pre-shared Key—Using a preshared key is a quick and easy way to set up communication with a
limited number of remote peers and a stable network. It may cause scalability problems in a large
network because each IPsec peer requires configuration information for each peer with which it
establishes secure connections.
Each pair of IPsec peers must exchange preshared keys to establish secure tunnels. Use a secure
method to exchange the preshared key with the administrator of the remote site.
Device Certificate—Click to use certificates for authentication between the local ASA and the
remote IPsec peer.
You can efficiently manage the security keys used to establish an IPsec tunnel with digital
certificates. A digital certificate contains information that identifies a user or device, such as a name,
serial number, company, department or IP address. A digital certificate also contains a copy of the
public key.
When two peers want to communicate, they exchange certificates and digitally sign data to
authenticate each other. When you add a new peer to the network, it enrolls with a CA, and none of
the other peers require additional configuration.
IKE version 2
Local Pre-shared Key—The preshared key this ASA uses to authenticate itself to the remote peer. IKEv2
authenticates each direction separately, so the local and remote keys may differ.
Local Device Certificate—The identity certificate this ASA presents to authenticate itself to the
remote peer.
Remote Peer Pre-shared Key—Click to use a preshared key to authenticate the remote IPsec peer to
the local ASA.
Remote Peer Certificate Authentication—When checked, the peer device is allowed to use a
certificate to authenticate itself to this device.
Encryption Algorithm
This tab lets you select the types of encryption algorithms used to protect the data.
IKE version 1
IKE Policy—Specify the IKEv1 Phase 1 policy: encryption, hash, authentication method,
Diffie-Hellman group, and lifetime.
IPsec Proposal—Specify the IPsec (Phase 2) encryption and integrity algorithms.
IKE version 2
IKE Policy—Specify the IKEv2 policy: encryption, integrity, pseudo-random function, Diffie-Hellman
group, and lifetime.
IPsec Proposal—Specify the IPsec encryption and integrity algorithms.
NAT Exempt
Fields
Exempt ASA side host/network from address translation—Use the drop-down to choose a host or
network to be excluded from address translation.
Summary
Provides a summary of your selections from the previous wizard windows. The supported VPN protocols
are included in the summary as well as the IKE version chosen on the VPN Connection Type window.
AnyConnect VPN Wizard
Use this wizard to configure ASA to accept VPN connections from the AnyConnect VPN client. This
wizard configures either IPsec (IKEv2) or SSL VPN protocols for full network access. The ASA
automatically uploads the AnyConnect VPN client to the end user’s device when a VPN connection is
established.
Note Running the wizard does not by itself make the IKEv2 client profile take effect for predeployed
clients. See VPN Protocols, below, for how the profile reaches a predeployed client, and the AnyConnect
Secure Mobility Client Administrator Guide for the predeployment steps.
Connection Profile Identification
The connection profile identification is used to identify the ASA to the remote access users.
Fields
Connection Profile Name—Provide a name that the remote access users will access for VPN
connections.
VPN Access Interface—Choose an interface that the remote access users will access for VPN
connections.
VPN Protocols
Specify the VPN protocol allowed for this connection profile.
The AnyConnect client defaults to SSL. If you enable IPsec as a VPN tunnel protocol for the connection
profile, you must also create a client profile with IPsec enabled, using the profile editor in ASDM, and
deploy that profile to the clients.
If you predeploy instead of weblaunch the AnyConnect client, the first client connection uses SSL, and
receives the client profile from the ASA during the session. For subsequent connections, the client uses
the protocol specified in the profile, either SSL or IPsec. If you predeploy the profile with IPsec specified
with the client, the first client connection uses IPsec. For more information about predeploying a client
profile with IPsec enabled, see the AnyConnect Secure Mobility Client Administrator Guide.
Fields
SSL
IPsec (IKE v2)
Device Certificate—Identifies the ASA to the remote access clients.
Note Some AnyConnect features (such as always on, IPsec/IKEv2) require a valid device
certificate on the ASA.
Manage—Choosing Manage opens the Manage Identity Certificates window.
Add—Choose Add to add an identity certificate and its details.
Show Details—If you choose a particular certificate and click Show Details, the Certificate
Details window appears and provides who the certificate was issued to and issued by, as well as
specifics about its serial number, usage, associated trustpoints, valid timeframe, and so on.
Delete—Highlight the certificate you want to remove and click Delete.
Export—Highlight the certificate and click Export to export the certificate to a file with or
without an encryption passphrase.
Enroll ASA SSL VPN with Entrust—Gets your Cisco ASA SSL VPN appliance up and running
quickly with an SSL Advantage digital certificate from Entrust.
Client Images
ASA can automatically upload the latest AnyConnect package to the client device when it accesses the
enterprise network. You can use a regular expression to match the user agent of a browser to an image.
You can also minimize connection setup time by moving the most commonly encountered operating
system to the top of the list.
Fields
Add
Replace
Delete
Authentication Methods
Specify authentication information on this screen.
Fields
AAA server group—Enable to let the ASA contact a remote AAA server group to authenticate the
user. Select a AAA server group from the list of pre-configured groups or click New to create a new
group.
Local User Database Details—Add new users to the local database stored on the ASA.
Username—Create a username for the user.
Password—Create a password for the user.
Confirm Password—Re-type the same password to confirm.
Add/Delete—Add or delete the user from the local database.
Client Address Assignment
Provide a range of IP addresses to remote SSL VPN users.
Fields
IPv4 Address Pools—SSL VPN clients receive new IP addresses when they connect to the ASA.
Clientless connections do not require new IP addresses. Address Pools define a range of addresses
that remote clients can receive. Select an existing IP Address Pool or click New to create a new pool.
If you select New, you will have to provide a starting and ending IP address and subnet mask.
IPv6 Address Pool—Select an existing IP Address Pool or click New to create a new pool.
Note IPv6 address pools cannot be created for IKEv2 connection profiles.
Network Name Resolution Servers
This step lets you specify which domain names are resolved for the remote user when accessing the
internal network.
Fields
DNS Servers—Enter the IP address of the DNS server.
WINS Servers—Enter the IP address of the WINS server.
Domain Name—Type the default domain name.
NAT Exempt
If network translation is enabled on the ASA, the VPN traffic must be exempt from this translation.
Fields
Exempt VPN traffic from network address translation
AnyConnect Client Deployment
You can install the AnyConnect client program to a client device with one of the following two methods:
Web launch—Installs automatically when accessing the ASA using a web browser.
Pre-deployment—Manually installs the AnyConnect client package.
Fields
Allow Web Launch—A global setting that affects all connections. If it is unchecked (disallowed),
AnyConnect SSL connections and clientless SSL connections do not work.
For pre-deployment, the disk0:/test2_client_profile.xml profile bundle contains an .msi file, and you
must include this client profile from the ASA in your AnyConnect package to ensure IPsec connection
functions as expected.
Summary
Provides a summary of your selections from the previous wizard windows. The supported VPN protocols
are part of the summary as well as the IKE version chosen.
Clientless SSL VPN Wizard
This wizard enables clientless, browser-based connections for specific, supported internal resources
through a portal page.
SSL VPN Interface
Provide a connection profile and the interface that SSL VPN users connect to.
Fields
Connection Profile Name
SSL VPN Interface—The interface users access for SSL VPN connections.
Digital Certificate—Specifies what the security appliance sends to the remote web browser to
authenticate the ASA.
Certificate—Choose from the drop-down menu.
Accessing the Connection Profile
Connection Group Alias/URL—The group alias is chosen during login from the Group
drop-down list. This URL is entered into the web browser.
Display Group Alias list at the login page
User Authentication
Specify authentication information on this screen.
Fields
Authenticate using a AAA server group—Enable to let the ASA contact a remote AAA server group
to authenticate the user.
AAA Server Group Name—Select a AAA server group from the list of pre-configured groups
or click New to create a new group.
Authenticate using the local user database—Add new users to the local database stored on the ASA.
Username—Create a username for the user.
Password—Create a password for the user.
Confirm Password—Re-type the same password to confirm.
Add/Delete—Add or delete the user from the local database.
Group Policy
Group policies configure common attributes for groups of users. Create a new group policy or select an
existing one to modify.
Fields
Create new group policy—Enables you to create a new group policy. Provide a name for the new
policy.
Modify existing group policy—Select an existing group policy to modify.
Bookmark List
Configure a list of group intranet websites that appear in the portal page as links. Some examples include
https://intranet.acme.com, rdp://10.120.1.2, vnc://100.1.1.1 and so on.
Fields
Bookmark List
Manage
Summary
Provides a summary of your selections from the previous wizard windows.
Chapter 3
Configuring IKE, Load Balancing, and NAC
IKE, also called ISAKMP, is the negotiation protocol that lets two hosts agree on how to build an IPsec
security association. To configure the ASA for virtual private networks, you set global IKE parameters
that apply system wide, and you also create IKE policies that the peers negotiate to establish a VPN
connection.
Load balancing distributes VPN traffic among two or more ASAs in a VPN cluster.
Network Access Control (NAC) protects the enterprise network from intrusion and infection from
worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as
a condition for production access to the network. We refer to these checks as posture validation.
This chapter describes how to configure IKE, load balancing, and NAC. It includes the following
sections:
Enabling IKE on an Interface, page 3-1
Setting IKE Parameters for Site-to-Site VPN, page 3-2
Creating IKE Policies, page 3-5
Configuring IPsec, page 3-9
Configuring Load Balancing, page 3-20
Setting Global NAC Parameters, page 3-27
Configuring Network Admission Control Policies, page 3-28
Enabling IKE on an Interface
To use IKE, you must enable it on each interface you plan to use it on.
For remote access VPN connections
Step 1 In ASDM, navigate to Configuration > Remote Access VPN > Network (Client) Access > AnyConnect
Connection Profiles
Step 2 In the Access Interfaces section, check Allow Access under IPsec (IKEv2) Access for the interfaces you
will use IKE on.
For Site-to-Site VPN
Step 1 In ASDM, navigate to Configuration > Site-to-Site VPN > Connection Profiles
Step 2 Select the interfaces you want to use IKEv1 and IKEv2 on.
Setting IKE Parameters for Site-to-Site VPN
IKE Parameters
In ASDM, navigate to Configuration > Site-to-Site VPN > Advanced > IKE Parameters
NAT Transparency
Enable IPsec over NAT-T
IPsec over NAT-T lets IPsec peers establish both remote access and LAN-to-LAN connections through
a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby
providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only
encapsulates IPsec traffic when necessary. This feature is enabled by default.
The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP,
depending on the client with which it is exchanging data.
When both NAT-T and IPsec over UDP are enabled, NAT-T takes precedence.
When enabled, IPsec over TCP takes precedence over all other connection methods.
The ASA implementation of NAT-T supports IPsec peers behind a single NAT/PAT device as follows:
One LAN-to-LAN connection.
Either a LAN-to-LAN connection or multiple remote access clients, but not a mixture of both.
To use NAT-T you must:
Create an ACL for the interface you will be using to open UDP port 4500 (Configuration > Firewall >
Access Rules).
Enable IPsec over NAT-T in this pane.
On the Fragmentation Policy parameter in the Configuration > Site-to-Site VPN > Advanced > IPsec
Prefragmentation Policies pane, edit the interface you will be using to enable IPsec
pre-fragmentation. Pre-fragmentation lets tunnel traffic cross NAT devices that do not support IP
fragmentation, and it does not interfere with NAT devices that do.
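The auto-detection that NAT-T performs is the NAT-D exchange of RFC 3947: each peer hashes the IKE cookies together with the address and port it believes it is using, and the receiver recomputes the hashes from what actually arrived on the wire. A mismatch on either side means a NAT (or PAT) rewrote something, and only then does the ASA switch to UDP 4500 encapsulation. The Python below is an added example, not ASA code; the addresses, cookies and the choice of SHA-1 as the negotiated hash are assumptions constructed for the demo.

```python
"""NAT detection with RFC 3947 NAT-D payloads, as an added example.

Not ASA code. The addresses, cookies and SHA-1 as the negotiated hash are
assumptions for the demo.
"""
import hashlib
import ipaddress
from typing import List, Tuple

Endpoint = Tuple[str, int]   # (IP address, UDP port)


def nat_d(cky_i: bytes, cky_r: bytes, endpoint: Endpoint) -> bytes:
    """RFC 3947 s.3.2: HASH(CKY-I | CKY-R | IP | Port), port as 2 bytes big-endian."""
    ip, port = endpoint
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes,
                         local: Endpoint, remote: Endpoint) -> List[bytes]:
    """Sender side: first the peer's address as the sender knows it, then its own."""
    return [nat_d(cky_i, cky_r, remote), nat_d(cky_i, cky_r, local)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               my_addr: Endpoint, observed_peer: Endpoint) -> Tuple[bool, bool]:
    """Receiver side: recompute both hashes from what was actually seen.

    Returns (receiver_behind_nat, sender_behind_nat). A mismatch on the first
    payload means the sender addressed something other than my real address,
    so I am behind a NAT; a mismatch on the second means the packet arrived
    from an address or port the sender did not think it was using, so the
    sender is behind a NAT (or a PAT rewrote its port).
    """
    receiver_nat = payloads[0] != nat_d(cky_i, cky_r, my_addr)
    sender_nat = payloads[1] != nat_d(cky_i, cky_r, observed_peer)
    return receiver_nat, sender_nat


def needs_nat_t(result: Tuple[bool, bool]) -> bool:
    """UDP 4500 encapsulation is used only if a NAT was found on either side."""
    return any(result)


# Constructed scenario: a remote access client at 192.168.1.10 behind a PAT
# device that rewrites it to 198.51.100.7:41000; the ASA sits on 203.0.113.1.
CKY_I = bytes.fromhex("1122334455667788")
CKY_R = bytes.fromhex("8877665544332211")
CLIENT_REAL = ("192.168.1.10", 500)
CLIENT_AS_SEEN_BY_ASA = ("198.51.100.7", 41000)
ASA = ("203.0.113.1", 500)


def demo() -> Tuple[bool, bool]:
    """What the ASA concludes from the client's NAT-D payloads."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local=CLIENT_REAL, remote=ASA)
    return detect_nat(CKY_I, CKY_R, payloads,
                      my_addr=ASA, observed_peer=CLIENT_AS_SEEN_BY_ASA)


def demo_no_nat() -> Tuple[bool, bool]:
    """Same exchange with the client directly on the Internet."""
    public_client = ("198.51.100.7", 500)
    payloads = build_nat_d_payloads(CKY_I, CKY_R, local=public_client, remote=ASA)
    return detect_nat(CKY_I, CKY_R, payloads, my_addr=ASA, observed_peer=public_client)


if __name__ == "__main__":
    print("client behind PAT:", demo(), "-> NAT-T:", needs_nat_t(demo()))
    print("no NAT:", demo_no_nat(), "-> NAT-T:", needs_nat_t(demo_no_nat()))
```

The hashes leak nothing useful (cookies and addresses are already visible in the packet), which is why NAT-D can be exchanged before the peers have authenticated. The same logic explains the one-LAN-to-LAN-behind-a-NAT limit above: once several peers share one public address, the ASA can no longer tell them apart by address and port alone.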
Enable IPsec over TCP
IPsec over TCP enables a VPN client to operate in an environment in which standard ESP or IKE cannot
function, or can function only with modification to existing firewall rules. IPsec over TCP encapsulates
both the IKE and IPsec protocols within a TCP packet, and enables secure tunneling through both NAT
and PAT devices and firewalls. This feature is disabled by default.
Note This feature does not work with proxy-based firewalls.
IPsec over TCP works with remote access clients. It works on all physical and VLAN interfaces. It is a
client to ASA feature only. It does not work for LAN-to-LAN connections.
The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-Traversal, and IPsec
over UDP, depending on the client with which it is exchanging data.
The VPN 3002 hardware client, which supports one tunnel at a time, can connect using standard
IPsec, IPsec over TCP, NAT-Traversal, or IPsec over UDP.
When enabled, IPsec over TCP takes precedence over all other connection methods.
You enable IPsec over TCP on both the ASA and the client to which it connects.
You can enable IPsec over TCP for up to 10 ports that you specify. If you enter a well-known port, for
example port 80 (HTTP) or port 443 (HTTPS), the system displays a warning that the protocol associated
with that port will no longer work. The consequence is that you can no longer use a browser to manage
the ASA through the IKE-enabled interface. To solve this problem, reconfigure the HTTP/HTTPS
management to different ports.
You must configure TCP port(s) on the client as well as on the ASA. The client configuration must
include at least one of the ports you set for the ASA.
Identity Sent to Peer
Choose the identity that the peers will use to identify themselves during IKE negotiations:
Address—Uses the IP addresses of the hosts exchanging ISAKMP identity information.
Hostname—Uses the fully qualified domain name of the hosts exchanging ISAKMP identity
information (default). This name comprises the hostname and the domain name.
Key ID—The remote peer uses the Key ID string that you specify to look up the preshared key.
Automatic—Determines the identity by connection type: the IP address for preshared key
authentication, the certificate DN for certificate authentication.
Session Control
Alert Peers Before Disconnecting
Client or LAN-to-LAN sessions may be dropped for several reasons, such as an ASA shutdown or reboot,
session idle timeout, maximum connection time exceeded, or administrator cut-off.
The ASA can notify qualified peers (in LAN-to-LAN configurations), VPN Clients and VPN 3002
hardware clients of sessions that are about to be disconnected, and it conveys to them the reason. The
peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane.
This feature is disabled by default.
This pane lets you enable the feature so that the ASA sends these alerts, and conveys the reason for the
disconnect.
Qualified clients and peers include the following:
Security appliances with Alerts enabled.
VPN clients running 4.0 or later software (no configuration required).
VPN 3002 hardware clients running 4.0 or later software, and with Alerts enabled.
VPN 3000 concentrators running 4.0 or later software, with Alerts enabled.
Disable Inbound Aggressive Mode Connections
Phase 1 IKE negotiations can use either Main mode or Aggressive mode. Both provide the same services,
but Aggressive mode needs only three messages between the peers rather than six, so it is faster. The
price is that Aggressive mode provides no identity protection: the peers send their identities, and with
preshared key authentication the responder's authentication hash, before any encrypted SA exists. Anyone
who can observe the exchange, or who simply sends the ASA an Aggressive mode request carrying a valid
tunnel group name, can attack that group's preshared key offline. This option is disabled by default, so
inbound Aggressive mode connections are accepted. Cisco VPN Client connections that authenticate with
a group preshared key require Aggressive mode; check this option once those clients use certificates or
have been replaced.
Wait for All Active Sessions to Voluntarily Terminate Before Rebooting
You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This
feature is disabled by default.
Number of SAs Allowed in Negotiation for IKEv1
Limits the maximum number of SAs that can be in negotiation at any time.
IKE v2 Specific Settings
Additional session controls are available for IKEv2 that limit the number of open SAs. By default, the
ASA does not limit the number of open SAs:
Cookie Challenge—Enables the ASA to send cookie challenges to peer devices in response to SA
initiate packets.
% threshold before incoming SAs are cookie challenged—The percentage of the total allowed
SAs for the ASA that are in-negotiation, which triggers cookie challenges for any future SA
negotiations. The range is zero to 100%. The default is 50%.
Number of Allowed SAs in Negotiation—Limits the maximum number of SAs that can be in
negotiation at any time. If used in conjunction with Cookie Challenge, configure the cookie
challenge threshold lower than this limit for an effective cross-check.
Maximum Number of SAs Allowed—Limits the number of allowed IKEv2 connections on the ASA.
By default, the limit is the maximum number of connections specified by the license.
Preventing DoS Attacks with IKE v2 Specific Settings
You can prevent denial-of-service (DoS) attacks against IPsec IKEv2 connections by configuring Cookie
Challenge, which challenges the identity of incoming Security Associations (SAs), or by limiting the
number of open SAs. By default, the ASA does not limit the number of open SAs and never cookie
challenges SAs. You can also limit the number of SAs allowed, which stops further connections from
negotiating; this protects the current connections against the memory and CPU exhaustion that the
cookie-challenge feature may be unable to thwart.
In such a DoS attack, a peer device sends an SA initiate packet, the ASA sends its response, and the peer
device never responds further. If the peer device does this continually, all the allowed SA requests on
the ASA can be used up until it stops responding.
Enabling a threshold percentage for cookie challenging limits the number of open SA negotiations. For
example, with the default setting of 50%, when 50% of the allowed SAs are in-negotiation (open), the
ASA cookie challenges any additional SA initiate packets that arrive. For the Cisco ASA 5580 with
10000 allowed IKEv2 SAs, after 5000 SAs become open, any more incoming SAs are
cookie-challenged.
If used in conjunction with the Number of SAs Allowed in Negotiation, or the Maximum Number of
SAs Allowed, configure the cookie-challenge threshold lower than these settings for an effective
cross-check.
You can also limit the lifetime of all SAs at the IPsec level by choosing Configuration > Site-to-Site VPN >
Advanced > System Options.
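The three IKEv2 controls described above interact, and the cross-check advice (keep the cookie threshold below the other limits) is easiest to see in a model. The following Python is an added example, not Cisco code: it keeps a responder-side count of half-open and established SAs, issues stateless cookies under a responder-only secret, and decides per IKE_SA_INIT whether to accept, challenge, or reject. The class name, the way the counts are measured against the limits, and the peer addresses are assumptions made for illustration.

```python
"""IKEv2 responder-side DoS controls modelled after the settings described above.

Added example, not Cisco code: the class name, the way the thresholds are
counted and the constructed peer addresses are assumptions.
"""
import hashlib
import hmac
import os


class Ikev2SaGuard:
    """Tracks half-open (in-negotiation) and established IKEv2 SAs and decides
    how to treat each incoming IKE_SA_INIT: accept, cookie-challenge or reject."""

    def __init__(self, max_sas=10000, max_in_negotiation=None, cookie_threshold_pct=None):
        self.max_sas = max_sas                            # Maximum Number of SAs Allowed
        self.max_in_negotiation = max_in_negotiation      # Number of Allowed SAs in Negotiation
        self.cookie_threshold_pct = cookie_threshold_pct  # % threshold for Cookie Challenge
        self._secret = os.urandom(32)                     # responder-only secret for cookies
        self.half_open = set()                            # peers that never answered our reply
        self.established = set()

    def issue_cookie(self, peer):
        # Stateless cookie: an HMAC over the peer address under a secret only the
        # responder knows, so no per-peer state is kept until the peer echoes it.
        return hmac.new(self._secret, peer.encode(), hashlib.sha256).hexdigest()

    def challenge_active(self):
        """True once the in-negotiation count reaches the configured percentage of max_sas."""
        if self.cookie_threshold_pct is None:
            return False
        return len(self.half_open) >= self.max_sas * self.cookie_threshold_pct / 100

    def cross_check_ok(self):
        """The guide's cross-check: the cookie threshold must sit below the other
        limits, otherwise a limit rejects new SAs before any challenge is sent."""
        if self.cookie_threshold_pct is None:
            return True
        threshold = self.max_sas * self.cookie_threshold_pct / 100
        limit = self.max_sas if self.max_in_negotiation is None else self.max_in_negotiation
        return threshold < limit

    def on_sa_init(self, peer, cookie=None):
        """Decide what to do with an IKE_SA_INIT from peer: 'accept', 'challenge' or 'reject'."""
        if len(self.half_open) + len(self.established) >= self.max_sas:
            return "reject"
        if self.max_in_negotiation is not None and len(self.half_open) >= self.max_in_negotiation:
            return "reject"
        if self.challenge_active():
            expected = self.issue_cookie(peer)
            if cookie is None or not hmac.compare_digest(cookie, expected):
                return "challenge"  # reply carries the cookie; a spoofed source never sees it
        self.half_open.add(peer)
        return "accept"

    def on_auth_complete(self, peer):
        """IKE_AUTH finished: the SA leaves negotiation and counts as established."""
        self.half_open.discard(peer)
        self.established.add(peer)


def simulate_unanswered_inits(guard, count):
    """The failure mode the guide describes: many SA initiate packets whose senders
    never reply, so every accepted one stays half-open. Peer labels are constructed."""
    outcome = {"accept": 0, "challenge": 0, "reject": 0}
    for i in range(count):
        outcome[guard.on_sa_init("203.0.113.%d#%d" % (i % 256, i))] += 1
    return outcome
```

With the guide's ASA 5580 figures (10000 allowed SAs, 50% threshold) the model accepts 5000 unanswered initiations and challenges every further one, while a peer that can actually receive the reply echoes the cookie and proceeds. With a Number of Allowed SAs in Negotiation of 4000 and the same 50% threshold, `cross_check_ok()` is false: the negotiation limit rejects the 4001st initiation and the cookie challenge never fires.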
Creating IKE Policies
About IKE
Each IKE negotiation is divided into two sections called Phase 1 and Phase 2.
Phase 1 creates the first tunnel, which protects later IKE negotiation messages. Phase 2 creates the tunnel
that protects data.
To set the terms of the IKE negotiations, you create one or more IKE policies, which include the
following:
A unique priority (1 through 65,543, with 1 the highest priority).
An authentication method, to ensure the identity of the peers.
An encryption method, to protect the data and ensure privacy.
An HMAC method to ensure the identity of the sender, and to ensure that the message has not been
modified in transit.
A Diffie-Hellman group to establish the strength of the encryption-key-determination algorithm. The
ASA uses this algorithm to derive the encryption and hash keys.
A limit for how long the ASA uses an encryption key before replacing it.
For IKEv1, you can enable only one setting for each parameter. For IKEv2, each proposal can have
multiple settings for Encryption, D-H Group, Integrity Hash, and PRF Hash.
If you do not configure any IKE policies, the ASA uses the default policy, which is always set to the
lowest priority, and which contains the default value for each parameter. If you do not specify a value
for a specific parameter, the default value takes effect.
When IKE negotiation begins, the peer that initiates the negotiation sends all of its policies to the remote
peer, and the remote peer searches for a match with its own policies, in priority order.
A match between IKE policies exists if they have the same encryption, hash, authentication, and
Diffie-Hellman values, and an SA lifetime less than or equal to the lifetime in the policy sent. If the
lifetimes are not identical, the shorter lifetime—from the remote peer policy—applies. If no match
exists, IKE refuses negotiation and the IKE SA is not established.
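The matching rule above (identical encryption, hash, authentication and D-H group; responder lifetime no longer than the lifetime offered; the responder walking its own policies in priority order) decides which policy wins when the two sides order their proposals differently. The following Python is an added example, not Cisco code, implementing that rule literally with constructed sample policies; the `IkePolicy` field names and the `explain` helper are assumptions for illustration.

```python
"""IKE policy matching as the guide describes it (added example, not Cisco code).
The field names and the sample policies are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # 1 is the highest priority
    encryption: str        # e.g. "aes-256"
    hash_alg: str          # e.g. "sha"
    authentication: str    # e.g. "pre-share" or "rsa-sig"
    dh_group: int          # Diffie-Hellman group number
    lifetime: int          # SA lifetime in seconds

    def parameters(self):
        """The four values that must be identical on both sides."""
        return (self.encryption, self.hash_alg, self.authentication, self.dh_group)


def match_policy(responder_policies: Iterable[IkePolicy],
                 offered: Iterable[IkePolicy]) -> Optional[Tuple[IkePolicy, int]]:
    """Return (matching responder policy, effective lifetime) or None.

    The initiator sends all of its policies; the responder walks its own in
    priority order and stops at the first one that some offered policy matches.
    A match needs identical encryption, hash, authentication and D-H group and a
    responder lifetime no longer than the one offered; the responder's (shorter
    or equal) lifetime is the one that applies.
    """
    offered = sorted(offered, key=lambda p: p.priority)
    for local in sorted(responder_policies, key=lambda p: p.priority):
        for remote in offered:
            if local.parameters() == remote.parameters() and local.lifetime <= remote.lifetime:
                return local, local.lifetime
    return None   # IKE refuses negotiation; no IKE SA is established


def explain(responder_policies: Iterable[IkePolicy],
            offered: Iterable[IkePolicy]) -> Dict[int, List[str]]:
    """For each responder policy, say how every offered policy fared against it.
    Useful when a tunnel will not come up and the two sides' tables must be compared."""
    reasons: Dict[int, List[str]] = {}
    for local in sorted(responder_policies, key=lambda p: p.priority):
        notes = []
        for remote in sorted(offered, key=lambda p: p.priority):
            if local.parameters() != remote.parameters():
                notes.append("parameters differ from offered priority %d" % remote.priority)
            elif local.lifetime > remote.lifetime:
                notes.append("lifetime %d exceeds offered %d (priority %d)"
                             % (local.lifetime, remote.lifetime, remote.priority))
            else:
                notes.append("matches offered priority %d" % remote.priority)
        reasons[local.priority] = notes
    return reasons
```

Two points the sample policies bring out: an initiator that offers a shorter lifetime than the responder's policy gets no match at all under this rule, and when both 3DES and AES-256 would match, the responder's own priority order picks AES-256 even though the initiator listed 3DES first.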
Configuring IKE Policies
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > IKE Policies
Configuration > Site-to-Site VPN > Advanced > IKE Policies
Fields
IKEv1 Policies—Displays parameter settings for each configured IKE policy.
Priority #—Shows the priority of the policy.
Encryption—Shows the encryption method.
Hash—Shows the hash algorithm.
D-H Group—Shows the Diffie-Hellman group.
Authentication—Shows the authentication method.
Lifetime (secs)—Shows the SA lifetime in seconds.
Add/Edit/Delete—Click to add, edit, or delete an IKEv1 policy.
IKEv2 Policies—Displays parameter settings for each configured IKEv2 policy.
Priority #—Shows the priority of the policy.
Encryption—Shows the encryption method.
Integrity Hash—Shows the hash algorithm.
PRF Hash—Shows the pseudo random function (PRF) hash algorithm.
D-H Group—Shows the Diffie-Hellman group.
Lifetime (secs)—Shows the SA lifetime in seconds.
Add/Edit/Delete—Click to add, edit, or delete an IKEv2 policy.
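The parameters listed in these panes (encryption, hash or integrity, PRF, D-H group, lifetime) are the same values that appear in the ASA running configuration, which makes a periodic review straightforward to script. The following Python is an added example, not Cisco code: it parses a constructed excerpt written in the running-config style, flags the weaker choices the Add/Edit panes that follow describe, and checks the IKEv2 rule that AES-GCM must be paired with the null integrity algorithm. The sample configuration, the exact wording of the findings, and the choice of which values to flag are assumptions.

```python
"""Audit of IKEv1/IKEv2 policies in ASA running-config style (added example, not
Cisco code). The sample configuration is constructed; the checks encode the
weaker choices the Add/Edit panes describe and the aes-gcm/null-integrity rule."""
import re

WEAK_ENCRYPTION = {
    "des": "56-bit DES-CBC, which the guide calls less secure",
    "3des": "Triple DES, a legacy 64-bit block cipher; prefer AES",
    "null": "no encryption at all",
}
WEAK_HASH = {"md5": "MD5, a smaller digest than SHA; prefer SHA-2"}
WEAK_GROUPS = {"1": "Group 1 (768-bit)", "2": "Group 2 (1024-bit)"}
DEFAULT_LIFETIME = 86400   # seconds; the guide recommends keeping the default

# Constructed sample in the style of an ASA running configuration (not a real device's config).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity sha256
 group 14 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-256 3des
 integrity sha256 sha
 group 14 5
 prf sha256
 lifetime seconds 172800
crypto ikev2 enable outside
"""


def parse_ike_policies(config_text):
    """Collect each 'crypto ikev1|ikev2 policy N' block into a dict of value lists."""
    policies, current = [], None
    for line in config_text.splitlines():
        header = re.match(r"^crypto (ikev1|ikev2) policy (\d+)\s*$", line)
        if header:
            current = {"version": header.group(1), "priority": int(header.group(2))}
            policies.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None          # any unindented line ends the block
            continue
        parts = line.split()
        if parts[0] == "lifetime":  # 'lifetime 86400' (IKEv1) or 'lifetime seconds 86400' (IKEv2)
            current["lifetime"] = int(parts[-1])
        else:                       # IKEv2 proposals may list several values per parameter
            current[parts[0]] = [v.lower() for v in parts[1:]]
    return policies


def audit_ike_policies(config_text):
    """Return (version, priority, finding) tuples for every questionable setting."""
    findings = []
    for p in parse_ike_policies(config_text):
        tag = (p["version"], p["priority"])
        for alg in p.get("encryption", []):
            if alg in WEAK_ENCRYPTION:
                findings.append(tag + ("encryption %s: %s" % (alg, WEAK_ENCRYPTION[alg]),))
        for key in ("hash", "integrity", "prf"):
            for alg in p.get(key, []):
                if alg in WEAK_HASH:
                    findings.append(tag + ("%s %s: %s" % (key, alg, WEAK_HASH[alg]),))
        for grp in p.get("group", []):
            if grp in WEAK_GROUPS:
                findings.append(tag + ("group %s: %s" % (grp, WEAK_GROUPS[grp]),))
        if p.get("lifetime", DEFAULT_LIFETIME) > DEFAULT_LIFETIME:
            findings.append(tag + ("lifetime %d exceeds the recommended default %d"
                                   % (p["lifetime"], DEFAULT_LIFETIME),))
        if p["version"] == "ikev2":
            gcm = any(a.startswith("aes-gcm") for a in p.get("encryption", []))
            integrity = p.get("integrity", [])
            if gcm and integrity != ["null"]:
                findings.append(tag + ("aes-gcm requires integrity null; found %s"
                                       % " ".join(integrity),))
            elif not gcm and "null" in integrity:
                findings.append(tag + ("integrity null without aes-gcm leaves no integrity check",))
    return findings
```

Run against the sample, the audit reports three findings for IKEv1 policy 10 (DES, MD5, Group 1), none for policy 20, the AES-GCM/integrity mismatch for IKEv2 policy 1, and the legacy 3DES proposal plus the doubled lifetime for IKEv2 policy 10.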
Adding an IKEv1 Policy
Configuration > VPN > IKE > Policies > Add/Edit IKEv1 Policy
Fields
Priority #—Type a number to set a priority for the IKE policy. The range is 1 to 65535, with 1 the highest
priority.
Encryption—Choose an encryption method. This is a symmetric encryption method that protects data
transmitted between two IPsec peers. The choices follow:
  des       56-bit DES-CBC. Less secure but faster than the alternatives. The default.
  3des      168-bit Triple DES.
  aes       128-bit AES.
  aes-192   192-bit AES.
  aes-256   256-bit AES.
Hash—Choose the hash algorithm that ensures data integrity. It ensures that a packet comes from whom
you think it comes from, and that it has not been modified in transit.
  sha   SHA-1. The default. MD5 has a smaller digest and is considered to be slightly faster than
        SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the
        HMAC variant IKE uses prevents this attack.
  md5   MD5.
Authentication—Choose the authentication method the ASA uses to establish the identity of each IPsec
peer. Preshared keys do not scale well with a growing network but are easier to set up in a small network.
The choices follow:
  pre-share   Preshared keys.
  rsa-sig     A digital certificate with keys generated by the RSA signatures algorithm.
  crack       IKE Challenge/Response for Authenticated Cryptographic Keys protocol, for mobile
              IPsec-enabled clients that use authentication techniques other than certificates.
D-H Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use to derive a
shared secret without transmitting it to each other.
  1   Group 1 (768-bit)    The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to
                           execute but is less secure than Group 1 or 5.
  2   Group 2 (1024-bit)
  5   Group 5 (1536-bit)
Lifetime (secs)—Either check Unlimited or enter an integer for the SA lifetime. The default is 86,400
seconds or 24 hours. With longer lifetimes, the ASA sets up future IPsec security associations less
quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on
the order of every few minutes. We recommend that you accept the default.
Time Measure—Choose a time measure. The ASA accepts the following values:
  120 - 86,400 seconds
  2 - 1440 minutes
  1 - 24 hours
  1 day
Adding an IKEv2 Policy
Configuration > VPN > IKE > Policies > Add/Edit IKEv2 Policy
Fields
Priority #—Type a number to set a priority for the IKEv2 policy. The range is 1 to 65535, with 1 the
highest priority.
Encryption—Choose an encryption method. This is a symmetric encryption method that protects data
transmitted between two IPsec peers. The choices follow:
  des           Specifies 56-bit DES-CBC encryption for ESP.
  3des          (Default) Specifies the triple DES encryption algorithm for ESP.
  aes           Specifies AES with a 128-bit key encryption for ESP.
  aes-192       Specifies AES with a 192-bit key encryption for ESP.
  aes-256       Specifies AES with a 256-bit key encryption for ESP.
  aes-gcm       Specifies AES-GCM/GMAC 128-bit support for symmetric encryption and integrity.
  aes-gcm-192   Specifies AES-GCM/GMAC 192-bit support for symmetric encryption and integrity.
  aes-gcm-256   Specifies AES-GCM/GMAC 256-bit support for symmetric encryption and integrity.
  NULL          Indicates no encryption.
D-H Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use to derive a
shared secret without transmitting it to each other.
  1    Group 1 (768-bit)    The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to
                            execute but is less secure than Group 2 or 5.
  2    Group 2 (1024-bit)
  5    Group 5 (1536-bit)
  14   Group 14
  19   Group 19
  20   Group 20
  21   Group 21
  24   Group 24
Integrity Hash—Choose the hash algorithm that ensures data integrity for the ESP protocol. It ensures
that a packet comes from whom you think it comes from, and that it has not been modified in transit.
  sha      SHA 1. The default. MD5 has a smaller digest and is considered to be slightly faster than
           SHA 1. A successful (but extremely difficult) attack against MD5 has occurred; however, the
           HMAC variant IKE uses prevents this attack.
  md5      MD5.
  sha256   SHA 2, 256-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 256-bit digest.
  sha384   SHA 2, 384-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 384-bit digest.
  sha512   SHA 2, 512-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 512-bit digest.
  null     Indicates that AES-GCM or AES-GMAC is configured as the encryption algorithm. You must
           choose the null integrity algorithm if AES-GCM has been configured as the encryption
           algorithm.
Pseudo-Random Function (PRF)—Specify the PRF used for the construction of keying material for all
of the cryptographic algorithms used in the SA.
  sha      SHA-1. The default. MD5 has a smaller digest and is considered to be slightly faster than
           SHA-1. A successful (but extremely difficult) attack against MD5 has occurred; however, the
           HMAC variant IKE uses prevents this attack.
  md5      MD5.
  sha256   SHA 2, 256-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 256-bit digest.
  sha384   SHA 2, 384-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 384-bit digest.
  sha512   SHA 2, 512-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 512-bit digest.
Lifetime (secs)—Either check Unlimited or enter an integer for the SA lifetime. The default is 86,400
seconds or 24 hours. With longer lifetimes, the ASA sets up future IPsec security associations more
quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on
the order of every few minutes. We recommend that you accept the default.
The ASA accepts the following values:
  120 - 86,400 seconds
  2 - 1440 minutes
  1 - 24 hours
  1 day
Assignment Policy
Configuration > Remote Access VPN > Network (Client) Access > Address Assignment > Assignment
Policy
The Assignment Policy configures how IP addresses are assigned to remote access clients.
Fields
Use authentication server—Choose to assign IP addresses retrieved from an authentication server
on a per-user basis. If you are using an authentication server (external or internal) that has IP
addresses configured, we recommend using this method. Authorization servers are configured in the
Configuration > Remote Access VPN > AAA/Local Users > AAA Server Groups pane.
Use DHCP—Choose to obtain IP addresses from a DHCP server. If you use DHCP, configure the
server in the Configuration > Remote Access VPN > DHCP Server pane.
Use internal address pools—Choose to have the ASA assign IP addresses from an internally
configured pool. Internally configured address pools are the easiest method of address pool
assignment to configure. If you use this method, configure the IP address pools in the Configuration >
Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools pane.
Allow the reuse of an IP address __ minutes after it is released—Delays the reuse of an IP
address after its return to the address pool. Adding a delay helps to prevent problems firewalls
can experience when an IP address is reassigned quickly. By default, this is unchecked, meaning
the ASA does not impose a delay. To add a delay, check the box and enter the number of minutes
in the range 1 - 480 to delay IP address reassignment.
Configuring IPsec
The ASA uses IPsec for LAN-to-LAN VPN connections, and provides the option of using IPsec for
client-to-LAN VPN connections. In IPsec terminology, a “peer” is a remote-access client or another
secure gateway.
Note The ASA supports LAN-to-LAN IPsec connections with Cisco peers (IPv4 or IPv6), and with third-party
peers that comply with all relevant standards.
During tunnel establishment, the two peers negotiate security associations that govern authentication,
encryption, encapsulation, and key management. These negotiations involve two phases: first, to
establish the tunnel (the IKE SA); and second, to govern traffic within the tunnel (the IPsec SA).
A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN
connections, the ASA can function as initiator or responder. In IPsec client-to-LAN connections, the
ASA functions only as responder. Initiators propose SAs; responders accept, reject, or make
counter-proposals—all in accordance with configured SA parameters. To establish a connection, both
entities must agree on the SAs.
The ASA supports these IPsec attributes:
Main mode for negotiating phase one ISAKMP security associations when using digital certificates
for authentication
Aggressive mode for negotiating phase one ISAKMP Security Associations (SAs) when using
preshared keys for authentication
Authentication Algorithms:
ESP-MD5-HMAC-128
ESP-SHA1-HMAC-160
Authentication Modes:
Preshared Keys
X.509 Digital Certificates
Diffie-Hellman Groups 1, 2, and 5.
Encryption Algorithms:
AES-128, -192, and -256
3DES-168
DES-56
ESP-NULL
Extended Authentication (XAuth)
Mode Configuration (also known as ISAKMP Configuration Method)
Tunnel Encapsulation Mode
IP compression (IPCOMP) using LZS
Adding Crypto Maps
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto
Maps
This pane shows the currently configured crypto maps, which are defined in IPsec rules. Here you can
add, edit, delete and move up, move down, cut, copy, and paste an IPsec rule.
Fields
Note You cannot edit, delete, or copy an implicit rule. The ASA implicitly accepts the traffic selection
proposal from remote clients when configured with a dynamic tunnel policy. You can override it by
giving a specific traffic selection.
Add—Click to launch the Create IPsec Rule dialog box, where you can configure basic, advanced,
and traffic selection parameters for a rule.
Edit—Click to edit an existing rule.
Delete—Click to delete a rule highlighted in the table.
Cut—Deletes a highlighted rule in the table and keeps it in the clipboard for copying.
Copy—Copies a highlighted rule in the table.
Find—Click to enable the Find toolbar where you can specify the parameters of existing rules that
you want to find:
Filter—Filter the find results by selecting Interface, Source, Destination, Destination Service,
or Rule Query, selecting is or contains, and entering the filter parameter. Click ... to launch a
browse dialog box that displays all existing entries that you can choose.
Diagram—Displays a diagram that illustrates the highlighted IPsec rule.
Type: Priority—Displays the type of rule (static or dynamic) and its priority.
Traffic Selection
#—Indicates the rule number.
Source—Indicates the IP addresses that are subject to this rule when traffic is sent to the IP
addresses listed in the Remote Side Host/Network column. In detail mode (see the Show Detail
button), an address column might contain an interface name with the word any, such as
inside:any. any means that any host on the inside interface is affected by the rule.
Destination—Lists the IP addresses that are subject to this rule when traffic is sent from the IP
addresses listed in the Security Appliance Side Host/Network column. In detail mode (see the
Show Detail button), an address column might contain an interface name with the word any,
such as outside:any. any means that any host on the outside interface is affected by the rule. Also
in detail mode, an address column might contain IP addresses in square brackets, for example,
[209.165.201.1-209.165.201.30]. These addresses are translated addresses. When an inside host
makes a connection to an outside host, the ASA maps the inside host's address to an address
from the pool. After a host creates an outbound connection, the ASA maintains this address
mapping. This address mapping structure is called an xlate, and remains in memory for a period
of time.
Service—Specifies the service and protocol specified by the rule (TCP, UDP, ICMP, or IP).
Action—Specifies the type of IPsec rule (protect or do not protect).
Transform Set—Displays the transform set for the rule.
Peer—Identifies the IPsec peer.
PFS—Displays perfect forward secrecy settings for the rule.
NAT-T Enabled—Indicates whether NAT Traversal is enabled for the policy.
Reverse Route Enabled—Indicates whether Reverse Route Injection is enabled for the policy.
Connection Type—(Meaningful only for static tunnel policies.) Identifies the connection type for
this policy as bidirectional, originate-only, or answer-only.
SA Lifetime—Displays the SA lifetime for the rule.
CA Certificate—Displays the CA certificate for the policy. This applies to static connections only.
IKE Negotiation Mode—Displays whether IKE negotiations use main or aggressive mode.
Description—(Optional) Specifies a brief description for this rule. For an existing rule, this is the
description you typed when you added the rule. An implicit rule includes the following description:
“Implicit rule.” To edit the description of any but an implicit rule, right-click this column, and
choose Edit Description or double-click the column.
Enable Anti-replay window size—Sets the anti-replay window size, between 64 and 1028 in
multiples of 64. One side effect of priority queueing in a hierarchical QoS policy with traffic
shaping (see the “Rule Actions > QoS Tab”) is packet reordering. For IPsec packets, out-of-order
packets that fall outside the anti-replay window generate warning syslog messages. With priority
queueing, these warnings become false alarms. Configuring the anti-replay window size helps you
avoid possible false alarms.
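The false alarms described above come from the receiver's sliding window, not from any tampering: a packet delayed by a lower-priority queue can arrive after the window has moved past its sequence number. The following Python is an added example, not Cisco code, of an ESP-style sliding anti-replay window (in the RFC 4303 manner) driven by a constructed delivery order in which packets 5 through 20 are held back behind 21 through 120. The class name, the window sizes tried and the delivery order are assumptions.

```python
"""ESP anti-replay sliding window, RFC 4303 style, to show why the anti-replay
window size matters under priority queueing (added example, not Cisco code; the
window sizes and the constructed delivery order are assumptions)."""


class AntiReplayWindow:
    """Accepts each ESP sequence number at most once, and only while it lies
    within `size` of the highest sequence number seen so far."""

    def __init__(self, size=64):
        if size < 64 or size % 64:
            raise ValueError("window size must be a multiple of 64")
        self.size = size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set: sequence number (highest - i) was seen
        self.warnings = []      # stands in for the warning syslog messages

    def check(self, seq):
        """Return True and record seq if it is new and inside the window."""
        if seq > self.highest:                     # right edge of the window advances
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                    # too old: fell off the left edge
            self.warnings.append("seq %d is outside the %d-packet window (highest seen %d)"
                                 % (seq, self.size, self.highest))
            return False
        if self.bitmap & (1 << offset):            # already accepted once: a replay
            self.warnings.append("seq %d replayed" % seq)
            return False
        self.bitmap |= 1 << offset
        return True


def delivery_after_priority_queueing():
    """Constructed arrival order: packets 5..20 wait in a low-priority queue while
    21..120 are sent ahead of them, so they reach the receiver last."""
    return [1, 2, 3, 4] + list(range(21, 121)) + list(range(5, 21))


def receive(window_size, sequence):
    """Run a delivery order through a window of the given size.
    Returns (packets accepted, warnings raised)."""
    window = AntiReplayWindow(window_size)
    accepted = sum(1 for seq in sequence if window.check(seq))
    return accepted, len(window.warnings)
```

With the 64-packet window the 16 delayed packets are discarded and each raises a warning; at 128 packets the same delivery order is accepted in full with no warnings, while a genuine duplicate is still rejected at either size.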
Creating an IPsec Rule/Tunnel Policy (Crypto Map) - Basic Tab
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto
Maps - Edit IPsec Rule - Basic Tab
Use this pane to define a new Tunnel Policy for an IPsec rule. The values you define here appear in the
IPsec Rules table after you click OK. All rules are enabled by default as soon as they appear in the IPsec
Rules table.
The Tunnel Policy pane lets you define a tunnel policy that is used to negotiate an IPsec (Phase 2)
security association (SA). ASDM captures your configuration edits, but does not save them to the
running configuration until you click Apply.
Every tunnel policy must specify a transform set and identify the security appliance interface to which
it applies. The transform set identifies the encryption and hash algorithms that perform IPsec encryption
and decryption operations. Because not every IPsec peer supports the same algorithms, you might want
to specify a number of policies and assign a priority to each. The security appliance then negotiates with
the remote IPsec peer to agree on a transform set that both peers support.
Tunnel policies can be static or dynamic. A static tunnel policy identifies one or more remote IPsec peers
or subnetworks to which your security appliance permits IPsec connections. A static policy can be used
whether your security appliance initiates the connection or receives a connection request from a remote
host. A static policy requires you to enter the information necessary to identify permitted hosts or
networks.
A dynamic tunnel policy is used when you cannot or do not want to provide information about remote
hosts that are permitted to initiate a connection with the security appliance. If you are only using your
security appliance as a VPN client in relation to a remote VPN central-site device, you do not need to
configure any dynamic tunnel policies. Dynamic tunnel policies are most useful for allowing remote
access clients to initiate a connection to your network through a security appliance acting as the VPN
central-site device. A dynamic tunnel policy is useful when the remote access clients have dynamically
assigned IP addresses or when you do not want to configure separate policies for a large number of
remote access clients.
Fields
Interface—Choose the interface name to which this policy applies.
Policy Type—Choose the type, static or dynamic, of this tunnel policy.
Priority—Enter the priority of the policy.
IKE Proposals (Transform Sets)--Specifies IKEv1 and IKEv2 IPsec proposals:
IKEv1 IPsec Proposal—Choose the proposal (transform set) for the policy and click Add to
move it to the list of active transform sets. Click Move Up or Move Down to rearrange the order
of the proposals in the list box. You can add a maximum of 11 proposals to a crypto map entry
or a dynamic crypto map entry.
IKEv2 IPsec Proposal—Choose the proposal (transform set) for the policy and click Add to
move it to the list of active transform sets. Click Move Up or Move Down to rearrange the order
of the proposals in the list box. You can add a maximum of 11 proposals to a crypto map entry
or a dynamic crypto map entry.
Peer Settings - Optional for Dynamic Crypto Map Entries—Configure the peer settings for the
policy.
Connection Type—(Meaningful only for static tunnel policies.) Choose bidirectional,
originate-only, or answer-only to specify the connection type of this policy. For LAN-to-LAN
connections, choose bidirectional or answer-only (not originate-only). Choose answer-only for
LAN-to-LAN redundancy. If you choose Originate Only, you can specify up to 10 redundant
peers. For unidirectional connections, you can specify originate-only or answer-only; neither is
enabled by default.
IP Address of Peer to Be Added—Enter the IP address of the IPsec peer you are adding.
Enable Perfect Forward Secrecy—Check to enable perfect forward secrecy for the policy. PFS is
a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations,
Phase 2 keys are based on Phase 1 keys unless you specify Perfect Forward Secrecy.
Diffie-Hellman Group—When you enable PFS you must also choose a Diffie-Hellman group which
the ASA uses to generate session keys. The choices are as follows:
Group 1 (768-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 1 to generate
IPsec session keys, where the prime and generator numbers are 768 bits. This option is more
secure but requires more processing overhead.
Group 2 (1024-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 2 to generate
IPsec session keys, where the prime and generator numbers are 1024 bits. This option is more
secure than Group 1 but requires more processing overhead.
Group 5 (1536-bits) = Use perfect forward secrecy, and use Diffie-Hellman Group 5 to generate
IPsec session keys, where the prime and generator numbers are 1536 bits. This option is more
secure than Group 2 but requires more processing overhead.
Group 14= Use perfect forward secrecy and use Diffie-Hellman Group 14 for IKEv2.
Group 19= Use perfect forward secrecy and use Diffie-Hellman Group 19 for IKEv2 to support
ECDH.
Group 20= Use perfect forward secrecy and use Diffie-Hellman Group 20 for IKEv2 to support
ECDH.
Group 21= Use perfect forward secrecy and use Diffie-Hellman Group 21 for IKEv2 to support
ECDH.
Group 24= Use perfect forward secrecy and use Diffie-Hellman Group 24 for IKEv2.
Creating IPsec Rule/Tunnel Policy (Crypto Map) - Advanced Tab
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto
Maps - Edit IPsec Rule - Advanced Tab
Fields
Enable NAT-T—Enables NAT Traversal (NAT-T) for this policy.
Enable Reverse Route Injection—Enables Reverse Route Injection for this policy.
Reverse Route Injection (RRI) is used to populate the routing table of an internal router that runs
dynamic routing protocols such as Open Shortest Path First (OSPF), Enhanced Interior Gateway
Routing Protocol (EIGRP), or Routing Information Protocol (RIP), for remote VPN clients or
LAN-to-LAN sessions.
Security Association Lifetime Settings—Configures the duration of a Security Association (SA).
This parameter specifies how to measure the lifetime of the IPsec SA keys, which is how long the
IPsec SA lasts until it expires and must be renegotiated with new keys.
Time—Specifies the SA lifetime in terms of hours (hh), minutes (mm) and seconds (ss).
Traffic Volume—Defines the SA lifetime in terms of kilobytes of traffic. Enter the number of
kilobytes of payload data after which the IPsec SA expires. Minimum is 100 KB, default is
10000 KB, maximum is 2147483647 KB.
Static Type Only Settings—Specifies parameters for static tunnel policies.
Device Certificate—Choose the certificate to use. The default is None (Use Preshared Keys).
The Send CA certificate chain check box becomes active when you choose something other than
None.
Send CA certificate chain—Enables transmission of the entire trust point chain.
IKE Negotiation Mode—Chooses the IKE negotiation mode, Main or Aggressive. This
parameter sets the mode for exchanging key information and setting up the SAs. It sets the mode
that the initiator of the negotiation uses; the responder auto-negotiates. Aggressive Mode is
faster, using fewer packets and fewer exchanges, but it does not protect the identity of the
communicating parties. Main Mode is slower, using more packets and more exchanges, but it
protects the identities of the communicating parties. This mode is more secure and it is the
default selection. If you choose Aggressive, the Diffie-Hellman Group list becomes active.
Diffie-Hellman Group—Choose the Diffie-Hellman group to apply. The choices are as follows:
Group 1 (768-bits), Group 2 (1024-bits), or Group 5 (1536-bits).
ESP v3—Specify whether incoming ICMP error messages are validated for cryptography and
dynamic cryptography maps, set the per-security association policy, or enable traffic flow packets:
Validate incoming ICMP error messages—Choose whether to validate those ICMP error
messages received through an IPsec tunnel and destined for an interior host on the private
network.
Enable Do Not Fragment (DF) policy—Define how the IPsec subsystem handles large packets
that have the do-not-fragment (DF) bit set in the IP header. Choose one of the following:
Clear DF bit—Ignores the DF bit.
Copy DF bit—Maintains the DF bit.
Set DF bit—Sets and uses the DF bit.
Enable Traffic Flow Confidentiality (TFC) packets—Enable dummy TFC packets that mask the
traffic profile which traverses the tunnel.
Note You must have an IKE v2 IPsec proposal set on the Tunnel Policy (Crypto Map) Basic
tab before enabling TFC.
Use the Burst, Payload Size, and Timeout parameters to generate random length packets at
random intervals across the specified SA.
Creating IPsec Rule/Traffic Selection Tab
Configuration > VPN > IPSec > IPSec Rules > Add/Edit Rule > Tunnel Policy (Crypto Map) -
Traffic Selection Tab
This pane lets you define what traffic to protect (permit) or not protect (deny).
Fields
Action—Specify the action for this rule to take. The selections are protect and do not protect.
Source—Specify the IP address, network object group or interface IP address for the source host or
network. A rule cannot use the same address as both the source and destination. Click ... to launch
the Browse Source dialog box that contains the following fields:
Add/Edit—Choose IP Address or Network Object Group to add more source addresses or
groups.
Delete—Click to delete an entry.
Filter—Enter an IP Address to filter the results displayed.
Name—Indicates that the parameters that follow specify the name of the source host or network.
IP Address—Indicates that the parameters that follow specify the interface, IP address, and
subnet mask of the source host or network.
Netmask—Chooses a standard subnet mask to apply to the IP address. This parameter appears
when you choose the IP Address option button.
Description—Enter a description.
Selected Source—Click Source to include the selected entry as a source.
Destination—Specify the IP address, network object group or interface IP address for the
destination host or network. A rule cannot use the same address as both the source and destination.
Click ... to launch the Browse Destination dialog box that contains the following fields:
Add/Edit—Choose IP Address or Network Object Group to add more destination addresses or
groups.
Delete—Click to delete an entry.
Filter—Enter an IP Address to filter the results displayed.
Name—Indicates that the parameters that follow specify the name of the destination host or
network.
IP Address—Indicates that the parameters that follow specify the interface, IP address, and
subnet mask of the destination host or network.
Netmask—Chooses a standard subnet mask to apply to the IP address. This parameter appears
when you choose the IP Address option button.
Description—Enter a description.
Selected Destination—Click Destination to include the selected entry as a destination.
Service—Enter a service or click ... to launch the browse service dialog box where you can choose
from a list of services.
Description—Enter a description for the Traffic Selection entry.
More Options
Enable Rule—Click to enable this rule.
Source Service—Enter a service or click ... to launch the browse service dialog box where you
can choose from a list of services.
Time Range—Define a time range for which this rule applies.
Group—Indicates that the parameters that follow specify the interface and group name of the
source host or network.
Interface—Choose the interface name for the IP address. This parameter appears when you
choose the IP Address option button.
IP address—Specifies the IP address of the interface to which this policy applies. This
parameter appears when you choose the IP Address option button.
Destination—Specify the IP address, network object group or interface IP address for the source
or destination host or network. A rule cannot use the same address as both the source and
destination. Click ... for either of these fields to launch the Browse dialog box that contains the
following fields:
Name—Choose the interface name to use as the source or destination host or network. This
parameter appears when you choose the Name option button. This is the only parameter
associated with this option.
Interface—Choose the interface name for the IP address. This parameter appears when you
choose the Group option button.
Group—Choose the name of the group on the specified interface for the source or destination
host or network. If the list contains no entries, you can enter the name of an existing group. This
parameter appears when you choose the Group option button.
Protocol and Service—Specifies protocol and service parameters relevant to this rule.
Note “Any - any” IPsec rules are not allowed. This type of rule would prevent the device and its peer
from supporting multiple LAN-to-LAN tunnels.
TCP—Specifies that this rule applies to TCP connections. This selection also displays the
Source Port and Destination Port group boxes.
UDP—Specifies that this rule applies to UDP connections. This selection also displays the
Source Port and Destination Port group boxes.
ICMP—Specifies that this rule applies to ICMP connections. This selection also displays the
ICMP Type group box.
IP—Specifies that this rule applies to IP connections. This selection also displays the IP
Protocol group box.
Manage Service Groups—Displays the Manage Service Groups pane, on which you can add,
edit, or delete a group of TCP/UDP services/ports.
Source Port and Destination Port—Contains TCP or UDP port parameters, depending on
which option button you chose in the Protocol and Service group box.
Service—Indicates that you are specifying parameters for an individual service. Specifies the
name of the service and a boolean operator to use when applying the filter.
Boolean operator (unlabeled)—Lists the boolean conditions (equal, not equal, greater than,
less than, or range) to use in matching the service specified in the service box.
Service (unlabeled)—Identifies the service (such as https, kerberos, or any) to be matched. If
you specified the range service operator this parameter becomes two boxes, into which you
enter the start and the end of the range.
... —Displays a list of services from which you can choose the service to display in the Service
box.
Service Group—Indicates that you are specifying the name of a service group for the source
port.
Service (unlabeled)—Choose the service group to use.
ICMP Type—Specifies the ICMP type to use. The default is any. Click the ... button to display
a list of available types.
Options
Time Range—Specify the name of an existing time range or create a new range.
... —Displays the Add Time Range pane, on which you can define a new time range.
Please enter the description below (optional)—Provides space for you to enter a brief
description of the rule.
Pre-Fragmentation
Configuration > VPN > IPSec > Pre-Fragmentation
Use this pane to set the IPsec pre-fragmentation policy and do-not-fragment (DF) bit policy for any
interface.
The IPsec pre-fragmentation policy specifies how to treat packets that exceed the maximum transmission
unit (MTU) setting when tunneling traffic through the public interface. This feature provides a way to
handle cases where a router or NAT device between the ASA and the client rejects or drops IP fragments.
For example, suppose a client wants to FTP get from an FTP server behind an ASA. The FTP server
transmits packets that when encapsulated would exceed the ASA’s MTU size on the public interface.
The selected options determine how the ASA processes these packets. The pre-fragmentation policy
applies to all traffic travelling out the ASA public interface.
The ASA encapsulates all tunneled packets. After encapsulation, the ASA fragments packets that exceed
the MTU setting before transmitting them through the public interface. This is the default policy. This
option works for situations where fragmented packets are allowed through the tunnel without hindrance.
For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate
devices may drop fragments or just out-of-order fragments. Load-balancing devices can introduce
out-of-order fragments.
When you enable pre-fragmentation, the ASA fragments tunneled packets that exceed the MTU setting
before encapsulating them. If the DF bit on these packets is set, the ASA clears the DF bit, fragments
the packets, and then encapsulates them. This action creates two independent non-fragmented IP packets
leaving the public interface and successfully transmits these packets to the peer site by turning the
fragments into complete packets to be reassembled at the peer site. In our example, the ASA overrides
the MTU and allows fragmentation by clearing the DF bit.
Note Changing the MTU or the pre-fragmentation option on any interface tears down all existing connections.
For example, if 100 active tunnels terminate on the public interface, and you change the MTU or the
pre-fragmentation option on the external interface, all of the active tunnels on the public interface are
dropped.
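The two behaviours described above (fragment after encapsulation by default, or pre-fragment the clear-text packet and clear its DF bit), plus the Copy/Clear/Set DF bit policy, modelled in Python. This is an added illustration, not Cisco code; the MTU, IPv4 header size and ESP tunnel-mode overhead are assumed example values, since the real overhead depends on the transform set, padding and NAT-T.

```python
"""Model of ASA IPsec pre-fragmentation and the DF bit policy (added example)."""
from dataclasses import dataclass
from typing import List

IP_HEADER = 20      # assumed IPv4 header without options
ESP_OVERHEAD = 56   # assumed outer IP header + ESP header/IV/padding/ICV


@dataclass
class Packet:
    size: int                  # total length in bytes, IP header included
    df: bool                   # do-not-fragment bit in this packet's IP header
    is_fragment: bool = False  # True if devices on the path see an IP fragment
    encapsulated: bool = False


def ip_fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """Plain IP-layer fragmentation into pieces of at most `mtu` bytes.
    Every piece carries its own IP header; fragment offsets are multiples of 8."""
    if pkt.size <= mtu:
        return [pkt]
    per_piece = (mtu - IP_HEADER) // 8 * 8
    payload = pkt.size - IP_HEADER
    pieces = []
    while payload > 0:
        chunk = min(per_piece, payload)
        pieces.append(Packet(chunk + IP_HEADER, df=False, is_fragment=True,
                             encapsulated=pkt.encapsulated))
        payload -= chunk
    return pieces


def encapsulate(pkt: Packet, df_policy: str) -> Packet:
    """ESP tunnel-mode encapsulation. The outer packet is a complete IP packet
    even when it carries an inner fragment; its DF bit follows the DF Bit Policy."""
    outer_df = {"copy": pkt.df, "clear": False, "set": True}[df_policy]
    return Packet(pkt.size + ESP_OVERHEAD, df=outer_df, is_fragment=False,
                  encapsulated=True)


def asa_transmit(pkt: Packet, mtu: int, prefragment: bool,
                 df_policy: str = "copy") -> List[Packet]:
    """Return the packets that leave the public interface for one tunneled packet."""
    if prefragment:
        # Pre-fragmentation: clear DF on the clear-text packet, fragment it so that
        # each piece still fits the MTU after encapsulation, then encapsulate each
        # piece. The peer reassembles the inner packet after decryption.
        inner = Packet(pkt.size, df=False)
        pieces = ip_fragment(inner, mtu - ESP_OVERHEAD)
        return [encapsulate(p, df_policy) for p in pieces]
    # Default policy: encapsulate first, then fragment at the IP layer.
    outer = encapsulate(pkt, df_policy)
    if outer.size > mtu and outer.df:
        # Outer DF set and the packet does not fit: it cannot be fragmented.
        # Modelled as dropped (assumption; the text above does not cover this case).
        return []
    return ip_fragment(outer, mtu)


def has_fragments(packets: List[Packet]) -> bool:
    """True if a fragment-dropping device between ASA and peer would see fragments."""
    return any(p.is_fragment for p in packets)


if __name__ == "__main__":
    # Constructed input: an MTU-sized FTP data packet with DF set.
    big = Packet(size=1500, df=True)
    for mode in (False, True):
        out = asa_transmit(big, mtu=1500, prefragment=mode, df_policy="clear")
        print(f"prefragment={mode}: sizes={[p.size for p in out]} "
              f"fragments_on_path={has_fragments(out)}")
```

With pre-fragmentation on, the two packets leaving the public interface are complete ESP packets that fit the MTU; with it off, the path carries IP fragments of one oversized ESP packet, which is what intermediate devices may drop or reorder.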
Fields
Pre-Fragmentation—Shows the current pre-fragmentation configuration for every configured
interface.
Interface—Shows the name of each configured interface.
Pre-Fragmentation Enabled—Shows, for each interface, whether pre-fragmentation is
enabled.
DF Bit Policy—Shows the DF Bit Policy for each interface.
Edit—Displays the Edit IPsec Pre-Fragmentation Policy dialog box.
Edit IPsec Pre-Fragmentation Policy
Configuration > VPN > IPSec > Pre-Fragmentation > Edit IPSec Pre-Fragmentation Policy
Use this pane to modify an existing IPsec pre-fragmentation policy and do-not-fragment (DF) bit policy
for an interface selected on the parent pane, Configuration > VPN > IPsec > Pre-Fragmentation.
Fields
Interface—Identifies the chosen interface. You cannot change this parameter using this dialog box.
Enable IPsec pre-fragmentation—Enables or disables IPsec pre-fragmentation. The ASA
fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on
these packets is set, the ASA clears the DF bit, fragments the packets, and then encapsulates them.
This action creates two independent, non-fragmented IP packets leaving the public interface and
successfully transmits these packets to the peer site by turning the fragments into complete packets
to be reassembled at the peer site.
DF Bit Setting Policy—Choose the do-not-fragment bit policy: Copy, Clear, or Set.
IPsec Transform Sets
Configuration > VPN > IPSec > Transform Sets
Use this pane to view and add or edit transform sets. A transform is a set of operations done on a data
flow to provide data authentication, data confidentiality, and data compression. For example, one
transform is the ESP protocol with 3DES encryption and the HMAC-MD5 authentication algorithm
(ESP-3DES-MD5).
Fields
IKEv1 IPsec Proposals (Transform Sets)—Shows the configured transform sets.
Name—Shows the name of the transform sets.
Mode—Shows the mode, Tunnel, of the transform set. This parameter specifies the mode for
applying ESP encryption and authentication; in other words, what part of the original IP packet
has ESP applied. Tunnel mode applies ESP encryption and authentication to the entire original
IP packet (IP header and data), thus hiding the ultimate source and destination addresses.
ESP Encryption—Shows the Encapsulating Security Protocol (ESP) encryption algorithms for
the transform sets. ESP provides data privacy services, optional data authentication, and
anti-replay services. ESP encapsulates the data being protected.
ESP Authentication—Shows the ESP authentication algorithms for the transform sets.
Add—Opens the Add Transform Set dialog box, in which you can add a new transform set.
Edit—Opens the Edit Transform Set dialog box, in which you can modify an existing transform set.
Delete—Removes the selected transform set. There is no confirmation or undo.
IKEv2 IPsec Proposals—Shows the configured transform sets.
Name—Shows the name of the IKEv2 IPsec Proposal.
Encryption—Shows the Encapsulating Security Protocol (ESP) encryption algorithms for the
IKEv2 IPsec Proposal. ESP provides data privacy services, optional data authentication, and
anti-replay services. ESP encapsulates the data being protected.
Integrity Hash—Shows the hash algorithm that ensures data integrity for the ESP protocol. It
ensures that a packet comes from whom you would expect and that no modifications were made
in transit. You must choose the null integrity algorithm if AES-GCM/GMAC has been configured
as the encryption algorithm.
Add—Opens the Add IPsec Proposal dialog box, in which you can add a new proposal.
Edit—Opens the Edit IPsec Proposal dialog box, in which you can modify an existing proposal.
Delete—Removes the selected proposal. There is no confirmation or undo.
Add/Edit IPsec Proposal (Transform Set)
Configuration > VPN > IPSec > Transform Sets > Add/Edit IPsec Proposal (Transform Set)
Use this pane to add or modify an IPsec IKEv1 transform set. A transform is a set of operations done on
a data flow to provide data authentication, data confidentiality, and data compression. For example, one
transform is the ESP protocol with 3DES encryption and the HMAC-MD5 authentication algorithm
(ESP-3DES-MD5).
Fields
Set Name—Specifies a name for this transform set.
Properties—Configures properties for this transform set. These properties appear in the Transform
Sets table.
Mode—Shows the mode, Tunnel, of the transform set. This field shows the mode for applying
ESP encryption and authentication; in other words, what part of the original IP packet has ESP
applied. Tunnel mode applies ESP encryption and authentication to the entire original IP packet
(IP header and data), thus hiding the ultimate source and destination addresses.
ESP Encryption—Choose the Encapsulating Security Protocol (ESP) encryption algorithms
for the transform sets. ESP provides data privacy services, optional data authentication, and
anti-replay services. ESP encapsulates the data being protected.
ESP Authentication—Choose the ESP authentication algorithms for the transform sets.
Note The IPsec ESP (Encapsulating Security Payload) protocol provides both encryption and
authentication. Packet authentication proves that data comes from whom you think it comes
from; it is often referred to as “data integrity.”
Add/Edit IPsec Proposal
Configuration > VPN > IPSec > Transform Sets > Add/Edit IPsec_Proposal
Use this pane to add or modify an IPsec IKEv2 proposal. A proposal is a set of operations done on a data
flow to provide data authentication, data confidentiality, and data compression. For example, one
proposal is the ESP protocol with 3DES encryption and the HMAC-MD5 authentication algorithm
(ESP-3DES-MD5).
Fields
Name—Specifies a name for this proposal.
Encryption—Choose the Encapsulating Security Protocol (ESP) encryption algorithms for the
proposal. ESP provides data privacy services, optional data authentication, and anti-replay services.
ESP encapsulates the data being protected.
Integrity Hash—Choose the ESP authentication algorithms for the proposal. The hash algorithm
ensures data integrity for the ESP protocol. It ensures that a packet comes from whom you think it
comes from, and that it has not been modified in transit.
Note The IPsec ESP (Encapsulating Security Payload) protocol provides both encryption and
authentication. Packet authentication proves that data comes from whom you think it comes
from; it is often referred to as “data integrity.”
Configuring Load Balancing
If you have a remote-client configuration in which you are using two or more ASAs connected to the
same network to handle remote sessions, you can configure these devices to share their session load. This
feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus
distributing the load among all devices. It makes efficient use of system resources and provides increased
performance and availability.
The following sections explain load balancing:
Creating Virtual Clusters
Geographical Load Balancing
Comparing Load Balancing to Failover
Load Balancing Licensing Requirements
Load Balancing Prerequisites
Eligible Clients
Configuring VPN Cluster Load Balancing with the High Availability and Scalability Wizard
Configuring Load Balancing (Without the Wizard)
Creating Virtual Clusters
To implement load balancing, you group together logically two or more devices on the same private
LAN-to-LAN network into a virtual cluster.
All devices in the virtual cluster carry session loads. One device in the virtual cluster, the virtual cluster
master, directs incoming connection requests to the other devices, called backup devices. The virtual
cluster master monitors all devices in the cluster, keeps track of how busy each is, and distributes the
session load accordingly. The role of virtual cluster master is not tied to a physical device; it can shift
among devices. For example, if the current virtual cluster master fails, one of the backup devices in the
cluster takes over that role and immediately becomes the new virtual cluster master.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not
tied to a specific physical device. It belongs to the current virtual cluster master; hence, it is virtual. A
VPN client attempting to establish a connection connects first to this virtual cluster IP address. The
virtual cluster master then sends back to the client the public IP address of the least-loaded available host
in the cluster. In a second transaction (transparent to the user) the client connects directly to that host.
In this way, the virtual cluster master directs traffic evenly and efficiently across resources.
If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster
IP address. The virtual cluster master then directs these connections to another active device in the
cluster. Should the virtual cluster master itself fail, a backup device in the cluster immediately and
automatically takes over as the new virtual session master. Even if several devices in the cluster fail,
users can continue to connect to the cluster as long as any one device in the cluster is up and available.
A load-balancing cluster can consist of ASAs of the same release or of mixed releases subject to the
following restrictions:
Load-balancing clusters that consist of same-release ASAs can run load balancing for a mixture
of IPsec, AnyConnect SSL VPN client, and clientless SSL VPN sessions.
Load-balancing clusters that include mixed-release ASAs or same-release ASAs can support only
IPsec sessions. In such a configuration, however, the ASAs might not reach their full IPsec capacity.
“Comparing Load Balancing to Failover” on page 22 illustrates this situation.
Since Release 7.1(1), IPsec and SSL VPN sessions count or weigh equally in determining the load that
each device in the cluster carries. This represents a departure from the load balancing calculation for the
ASA Release 7.0(x) software and the VPN 3000 concentrator, in that these platforms both use a
weighting algorithm that, on some hardware platforms, calculates SSL VPN session load differently
from IPsec session load.
The virtual master of the cluster assigns session requests to the members of the cluster. The ASA regards
all sessions, SSL VPN or IPsec, as equal and assigns them accordingly. You can configure the number
of IPsec and SSL VPN sessions to allow, up to the maximum allowed by your configuration and license.
We have tested up to ten nodes in a load-balancing cluster. Larger clusters might work, but we do not
officially support such topologies.
Geographical Load Balancing
In a load balancing environment where the DNS resolutions are being changed at regular intervals, you
must carefully consider how to set the time to live (TTL) value. For the DNS load balance configuration
to work successfully with AnyConnect, the ASA name-to-address mapping must remain the same from
the time the ASA is selected until the tunnel is fully established. If too much time passes before the
credentials are entered, the lookup restarts and a different IP address may become the resolved address.
If the DNS mapping changes to a different ASA before the credentials are entered, the VPN tunnel fails.
Geographical load balancing for VPN often uses a Cisco Global Site Selector (GSS). The GSS uses DNS
for the load balancing, and the time to live (TTL) value for DNS resolution is defaulted to 20 seconds.
You can significantly decrease the likelihood of connection failures if you increase the TTL value on the
GSS. Increasing to a much higher value allows ample time for the authentication phase when the user is
entering credentials and establishing the tunnel.
To increase the time for entering credentials, you may also consider disabling Connect on Start Up.
Comparing Load Balancing to Failover
Both load balancing and failover are high-availability features, but they function differently and have
different requirements. In some circumstances you can use both load balancing and failover. The
following sections describe the differences between these features.
Load balancing is a mechanism for equitably distributing remote-access VPN traffic among the devices
in a virtual cluster. It is based on simple distribution of traffic without taking into account throughput or
other factors. A load-balancing cluster consists of two or more devices, one of which is the virtual
master, and the others backup. These devices do not need to be of the exact same type, or have identical
software versions or configurations. All active devices in a virtual cluster carry session loads. Load
balancing directs traffic to the least loaded device in the cluster, distributing the load among all devices.
It makes efficient use of system resources and provides increased performance and high availability.
A failover configuration requires two identical ASAs connected to each other through a dedicated
failover link and, optionally, a stateful failover link. The health of the active interfaces and units is
monitored to determine when specific failover conditions are met. If those conditions occur, failover
occurs. Failover supports both VPN and firewall configurations.
The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. VPN
connections run only in Active/Standby, single routed mode. Active/Active failover requires
multi-context mode, and so does not support VPN connections.
With Active/Active failover, both units can pass network traffic. This is not true with load balancing,
although it might appear to have the same effect. When failover occurs, the remaining active unit takes
over passing the combined traffic, based on the configured parameters. Therefore, when configuring
Active/Active failover, you must make sure that the combined traffic for both units is within the capacity
of each unit.
With Active/Standby failover, only one unit passes traffic, while the other unit waits in a standby state
and does not pass traffic. Active/Standby failover lets you use a second ASA to take over the functions
of a failed unit. When the active unit fails, it changes to the standby state, while the standby unit changes
to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall,
the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit
that is now in standby state takes over the standby IP addresses of the active unit. If an active unit fails,
the standby takes over without any interruption to the client VPN tunnel.
Load Balancing Licensing Requirements
To use VPN load balancing, you must have an ASA Model 5510 with a Plus license or an ASA Model
5520 or higher. VPN load balancing also requires an active 3DES/AES license. The security appliance
checks for the existence of this crypto license before enabling load balancing. If it does not detect an
active 3DES or AES license, the security appliance prevents the enabling of load balancing and also
prevents internal configuration of 3DES by the load balancing system unless the license permits this
usage.
Eligible Clients
Load balancing is effective only on remote sessions initiated with the following clients:
Cisco AnyConnect Secure Mobility Client (Release 3.0 and later)
Cisco ASA 5505 Security Appliance (when acting as an Easy VPN client)
IOS EZVPN Client devices supporting IKE-redirect (IOS 831/871)
Clientless SSL VPN (not a client)
Load balancing works with IPsec clients and SSL VPN client and clientless sessions. All other VPN
connection types (L2TP, PPTP, L2TP/IPsec), including LAN-to-LAN, can connect to an ASA on which
load balancing is enabled, but they cannot participate in load balancing.
Load Balancing Prerequisites
You must have first configured the ASA's public and private interfaces before configuring load
balancing. To do so select Configuration > Device Setup > Interfaces. See Chapter 11, “Starting
Interface Configuration (ASA 5510 and Higher)” or Chapter 12, “Starting Interface Configuration
(ASA 5505)” in the general operations configuration guide for more information.
You must have previously configured the interface to which the virtual cluster IP address refers.
All devices that participate in a cluster must share the same cluster-specific values: IP address,
encryption settings, encryption key, and port. All of the outside and inside network interfaces on the
load-balancing devices in a cluster must be on the same IP network.
Certificate Verification
When performing certificate verification for load balancing with AnyConnect, and the connection is
redirected by an IP address, the client does all of its name checking through this IP address. Make sure
the redirection IP address is listed in the certificate's common name or the subject alt name. If the IP
address is not present in these fields, then the certificate will be deemed untrusted.
Following the guidelines defined in RFC 2818, if a subject alt name is included in the certificate, we
only use the subject alt name for name checks, and we ignore the common name. Make sure that the IP
address of the server presenting the certificate is defined in the subject alt name of the certificate.
For a standalone ASA, the IP address is the IP of that ASA. In a clustering situation, it depends on the
certificate configuration. If the cluster uses one certificate, then it would be the IP of the cluster, and the
certificate would contain Subject Alternative Name extensions that have each ASA's IP and FQDN. If
the cluster uses multiple certificates, then it should once again be the IP address of the ASA.
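The RFC 2818 name check described above, applied to the address a client was redirected to: when the certificate carries a subjectAltName, only those entries count and the common name is ignored; an IP target must appear as an iPAddress entry. This is an added illustration, not Cisco or AnyConnect code; the certificates are constructed dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
"""RFC 2818 style name check for a load-balancing redirect target (added example)."""
from ipaddress import ip_address
from typing import Dict, List, Tuple


def _san_entries(cert: Dict) -> List[Tuple[str, str]]:
    # getpeercert() reports SAN as (("DNS", "host"), ("IP Address", "1.2.3.4"), ...)
    return list(cert.get("subjectAltName", ()))


def _common_names(cert: Dict) -> List[str]:
    # getpeercert() reports subject as a tuple of RDNs, each a tuple of (key, value)
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _is_ip(target: str) -> bool:
    try:
        ip_address(target)
        return True
    except ValueError:
        return False


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a wildcard is allowed only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and h[1:] == p[1:]
    return p == h


def redirect_target_matches(cert: Dict, target: str) -> bool:
    """True if `target` (the IP address or FQDN the cluster master redirected
    the client to) is covered by the certificate that ASA presents."""
    sans = _san_entries(cert)
    if sans:
        # SAN present: the common name is ignored entirely (RFC 2818).
        if _is_ip(target):
            return any(kind == "IP Address" and ip_address(value) == ip_address(target)
                       for kind, value in sans)
        return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)
    # No SAN: fall back to the common name, which may hold an IP or a DNS name.
    for cn in _common_names(cert):
        if _is_ip(target):
            if _is_ip(cn) and ip_address(cn) == ip_address(target):
                return True
        elif _dns_match(cn, target):
            return True
    return False


# Constructed certificates for demonstration (not real ASA certificates).
CLUSTER_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "asa1.example.com"), ("IP Address", "203.0.113.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "203.0.113.10"),),)}

if __name__ == "__main__":
    for target in ("203.0.113.10", "203.0.113.11", "asa1.example.com", "vpn.example.com"):
        print(target, "->", redirect_target_matches(CLUSTER_CERT, target))
```

Note that "vpn.example.com" fails against CLUSTER_CERT even though it is the common name, which is exactly the case the text warns about: with a SAN present, every redirect IP and FQDN in the cluster must be listed in the SAN.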
Configuring VPN Cluster Load Balancing with the High Availability and
Scalability Wizard
If you have a remote-client configuration in which you are using two or more ASAs connected to the
same network to handle remote sessions, you can configure these devices to share their session load. This
feature is called load balancing, which directs session traffic to the least loaded device, thereby
distributing the load among all devices. Load balancing makes efficient use of system resources and
provides increased performance and system availability.
Use the VPN Cluster Load Balancing Configuration screen to set required parameters for a device to
participate in a load balancing cluster.
Enabling load balancing involves the following:
Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP
port (if necessary), and IPsec shared secret for the cluster. These values are identical for each device
in the cluster.
Configuring the participating device by enabling load balancing on the device and defining
device-specific properties. These values vary from device to device.
Prerequisites
If you are using encryption, you must configure the load balancing inside interface. If that interface is
not enabled, an error message appears when you try to configure cluster encryption.
Detailed Steps
To implement load balancing, you logically group together two or more devices on the same private
LAN-to-LAN network into a virtual cluster by performing the following steps:
Step 1 Choose Wizards > High Availability and Scalability.
Step 2 In the Configuration Type screen, click Configure VPN Cluster Load Balancing, and click Next.
Step 3 Choose the single IP address that represents the entire virtual cluster. Specify an IP address that is within
the public subnet address range shared by all the ASAs in the virtual cluster.
Step 4 Specify the UDP port for the virtual cluster in which this device is participating. The default value is
9023. If another application is using this port, enter the UDP destination port number that you want to
use for load balancing.
Step 5 To enable IPsec encryption and ensure that all load-balancing information communicated between the
devices is encrypted, check the Enable IPsec Encryption check box. You must also specify and verify
a shared secret. The ASAs in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec. To
disable IPsec encryption, uncheck the Enable IPsec Encryption check box.
Step 6 Specify the shared secret between IPsec peers when you enable IPsec encryption. The value that you
enter appears as consecutive asterisk characters.
Step 7 Specify the priority assigned to this device within the cluster. The range is from 1 to 10. The priority
indicates the likelihood of this device becoming the virtual cluster master, either at startup or when an
existing master fails. The higher the priority set (for example, 10), the more likely that this device will
become the virtual cluster master.
Note If the devices in the virtual cluster are powered up at different times, the first device to be
powered up assumes the role of virtual cluster master. Because every virtual cluster requires a
master, each device in the virtual cluster checks when it is powered up to ensure that the cluster
has a virtual master. If none exists, that device assumes the role. Devices powered up and added
to the cluster later become secondary devices. If all the devices in the virtual cluster are powered
up simultaneously, the device with the highest priority setting becomes the virtual cluster master.
If two or more devices in the virtual cluster are powered up simultaneously, and both have the
highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
Step 8 Specify the name or IP address of the public interface for this device.
Step 9 Specify the name or IP address of the private interface for this device.
Step 10 Check the Send FQDN to client instead of an IP address when redirecting check box to have the VPN
cluster master send a fully qualified domain name using the host and domain name of the cluster device
instead of the outside IP address when redirecting VPN client connections to that cluster device.
Step 11 Click Next. Review your configuration in the Summary screen.
Step 12 Click Finish.
The VPN cluster load balancing configuration is sent to the ASA.
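A simulation of the virtual cluster behaviour described in "Creating Virtual Clusters" and in the Note under Step 7: the first device up becomes master, on a simultaneous start the highest priority wins with ties going to the lowest IP address, a surviving member takes over when the master fails, and new clients are redirected to the least-loaded member with IPsec and SSL VPN sessions counted equally. This is an added illustration, not Cisco code; member addresses, priorities and session counts are constructed, and breaking a load tie by lowest IP is an assumption of the model.

```python
"""Virtual cluster master election and least-loaded redirect (added example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass
class Member:
    public_ip: str
    priority: int  # 1..10, higher is more likely to become master
    sessions: Dict[str, int] = field(
        default_factory=lambda: {"ipsec": 0, "ssl": 0})
    up: bool = True

    @property
    def load(self) -> int:
        # Since 7.1(1) every session counts once, whatever its type.
        return sum(self.sessions.values())


class VirtualCluster:
    def __init__(self, cluster_ip: str):
        self.cluster_ip = cluster_ip        # the virtual address clients connect to
        self.members: List[Member] = []
        self.master: Optional[Member] = None

    def _elect(self, candidates: List[Member]) -> Member:
        # Highest priority wins; on a tie the lowest IP address wins.
        return min((m for m in candidates if m.up),
                   key=lambda m: (-m.priority, IPv4Address(m.public_ip)))

    def power_up(self, batch: List[Member]) -> Member:
        """Bring up one or more members at the same time. A master is elected only
        if the cluster has none; devices joining later become secondaries."""
        for m in batch:
            if not 1 <= m.priority <= 10:
                raise ValueError("priority must be 1..10")
            m.up = True
            if m not in self.members:
                self.members.append(m)
        if self.master is None or not self.master.up:
            self.master = self._elect(batch)
        return self.master

    def fail(self, member: Member) -> Optional[Member]:
        """Take a member down; its sessions end. If it was the master, a surviving
        member takes over immediately (same priority/IP rule, an assumption)."""
        member.up = False
        member.sessions = {"ipsec": 0, "ssl": 0}
        if self.master is member:
            alive = [m for m in self.members if m.up]
            self.master = self._elect(alive) if alive else None
        return self.master

    def connect(self, session_type: str) -> str:
        """A client connects to the cluster IP; the master answers with the public
        IP of the least-loaded available member, which the client then connects to."""
        if self.master is None:
            raise RuntimeError("no virtual cluster master: cluster is down")
        alive = [m for m in self.members if m.up]
        target = min(alive, key=lambda m: (m.load, IPv4Address(m.public_ip)))
        target.sessions[session_type] += 1
        return target.public_ip


if __name__ == "__main__":
    # Constructed cluster of three ASAs powered up at the same time.
    cluster = VirtualCluster("203.0.113.1")
    a = Member("203.0.113.10", priority=5)
    b = Member("203.0.113.11", priority=10)
    d = Member("203.0.113.12", priority=10)
    print("master:", cluster.power_up([a, b, d]).public_ip)   # b: tie broken by lower IP
    for kind in ("ssl", "ipsec", "ssl", "ssl"):
        print(kind, "redirected to", cluster.connect(kind))
    print("after master failure:", cluster.fail(b).public_ip)
```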
Configuring Load Balancing (Without the Wizard)
The Load Balancing pane (Configuration > Remote Access VPN > Load Balancing) lets you enable load
balancing on the ASA. Enabling load balancing involves:
Configuring the load-balancing cluster by establishing a common virtual cluster IP address, UDP
port (if necessary), and IPsec shared secret for the cluster. These values are identical for every device
in the cluster.
Configuring the participating device by enabling load balancing on the device and defining
device-specific properties. These values vary from device to device.
Prerequisite
For clients with IPv6 addresses to successfully connect to the ASA's public-facing IPv4 address, a
device that can perform network address translation from IPv6 to IPv4 needs to be in the network.
If you are using encryption, you must configure the load balancing inside interface. If that interface
is not enabled, an error message appears when you try to configure cluster encryption.
Step 1 Select Configuration > Remote Access VPN > Load Balancing.
Step 2 Check Participate in Load Balancing to indicate that this ASA is a participant in the load-balancing
cluster.
You must enable load balancing in this way on every ASA participating in load balancing.
Step 3 Configure the following fields in the VPN Cluster Configuration area. These values must be the same
for the entire virtual cluster. All servers in the cluster must have an identical cluster configuration.
Cluster IPv4 Address—Specifies the single IPv4 address that represents the entire IPv4 virtual
cluster. Choose an IP address that is within the public subnet address range shared by all the ASAs
in the virtual cluster.
UDP Port—Specifies the UDP port for the virtual cluster in which this device is participating.
The default value is 9023. If another application is using this port, enter the UDP destination
port number you want to use for load balancing.
Cluster IPv6 Address—Specifies the single IPv6 address that represents the entire IPv6 virtual
cluster. Choose an IP address that is within the public subnet address range shared by all the ASAs
in the virtual cluster. Clients with IPv6 addresses can make AnyConnect connections through the
ASA cluster’s public-facing IPv6 address or through a GSS server. Likewise, clients with IPv6
addresses can make AnyConnect VPN connections through the ASA cluster’s public-facing IPv4
address or through a GSS server. Either type of connection can be load-balanced within the ASA
cluster.
3-26
Cisco ASA Series VPN ASDM Configuration Guide
Chapter 3 Configuring IKE, Load Balancing, and NAC
Configuring Load Balancing
Note In the Cluster IPv4 Address and Cluster IPv6 Address fields, you can also specify the fully
qualified domain name of the virtual cluster, provided that you have a DNS server group
configured with at least one DNS server, and DNS lookup is enabled on one of the ASA's
interfaces.
Enable IPsec Encryption—Enables or disables IPsec encryption. If you check this box, you must
also specify and verify a shared secret. The ASAs in the virtual cluster communicate via
LAN-to-LAN tunnels using IPsec. To ensure that all load-balancing information communicated
between the devices is encrypted, check this box.
IPsec Shared Secret—Specifies the shared secret between IPsec peers when you have enabled
IPsec encryption. The value you enter in the box appears as consecutive asterisk characters.
Verify Secret—Re-enter the shared secret. Confirms the shared secret value entered in the IPsec
Shared Secret box.
Step 4 Configure the fields in the VPN Server Configuration area for a specific ASA:
Public Interface—Specifies the name or IP address of the public interface for this device.
Private Interface—Specifies the name or IP address of the private interface for this device.
Priority—Specifies the priority assigned to this device within the cluster. The range is from 1 to 10.
The priority indicates the likelihood of this device becoming the virtual cluster master, either at
start-up or when an existing master fails. The higher you set the priority (for example, 10), the more
likely this device becomes the virtual cluster master.
Note If the devices in the virtual cluster are powered up at different times, the first device to be
powered up assumes the role of virtual cluster master. Because every virtual cluster requires a
master, each device in the virtual cluster checks when it is powered up to ensure that the cluster
has a virtual master. If none exists, that device takes on the role. Devices powered up and added
to the cluster later become backup devices. If all the devices in the virtual cluster are powered
up simultaneously, the device with the highest priority setting becomes the virtual cluster master.
If two or more devices in the virtual cluster are powered up simultaneously, and both have the
highest priority setting, the one with the lowest IP address becomes the virtual cluster master.
NAT Assigned IPv4 Address—Specifies the IP address that this device’s IP address is translated to
by NAT. If NAT is not being used (or if the device is not behind a firewall using NAT), leave the field
blank.
NAT Assigned IPv6 Address—Specifies the IP address that this device’s IP address is translated to
by NAT. If NAT is not being used (or if the device is not behind a firewall using NAT), leave the field
blank.
Send FQDN to client—Check this check box to cause the VPN cluster master to send a fully
qualified domain name using the host and domain name of the cluster device instead of the outside
IP address when redirecting VPN client connections to that cluster device.
By default, the ASA sends only IP addresses in load-balancing redirection to a client. If certificates
are in use that are based on DNS names, the certificates will be invalid when redirected to a backup
device.
As a VPN cluster master, this ASA can send a fully qualified domain name (FQDN), using reverse
DNS lookup, of a cluster device (another ASA in the cluster), instead of its outside IP address, when
redirecting VPN client connections to that cluster device.
All of the outside and inside network interfaces on the load-balancing devices in a cluster must be
on the same IP network.
Note When using IPv6 and sending FQDNs down to the client, those names must be resolvable by
the ASA via DNS.
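The following is an added example, not code from the Cisco guide: it models the VPN Cluster Configuration and VPN Server Configuration values described in Steps 3 and 4 and applies the master election rule from the Note above (first device powered up wins; among devices powered up together, the highest priority wins and the lowest IP address breaks ties). All device names, addresses and the shared secret are constructed sample data, and the treatment of failover (every surviving device becomes a candidate) is a modelling assumption.

```python
"""Added example, not from the Cisco guide: models the VPN Cluster and VPN
Server settings and the virtual cluster master election rule. All addresses,
names and secrets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import Optional


@dataclass(frozen=True)
class ClusterConfig:
    """VPN Cluster Configuration: must be identical on every ASA in the cluster."""
    cluster_ipv4: str
    udp_port: int = 9023                 # default UDP port for the virtual cluster
    ipsec_encryption: bool = False
    ipsec_shared_secret: Optional[str] = None


@dataclass(frozen=True)
class ClusterMember:
    """VPN Server Configuration: values that vary from device to device."""
    name: str
    cluster: ClusterConfig
    public_ip: str        # public interface address with prefix length
    priority: int         # 1 to 10; higher is more likely to become master
    powered_up_at: float  # seconds since a constructed reference time


def config_errors(members):
    """List misconfigurations that would keep the virtual cluster from forming."""
    errors = []
    if not members:
        return ["no cluster members"]
    ref = members[0]
    ref_net = ip_interface(ref.public_ip).network
    for m in members:
        if m.cluster != ref.cluster:
            errors.append(f"{m.name}: VPN Cluster Configuration differs from {ref.name}")
        if not 1 <= m.priority <= 10:
            errors.append(f"{m.name}: priority {m.priority} outside 1 to 10")
        if ip_interface(m.public_ip).network != ref_net:
            errors.append(f"{m.name}: public interface not on the cluster's IP network")
    if ref.cluster.ipsec_encryption and not ref.cluster.ipsec_shared_secret:
        errors.append("IPsec encryption enabled without an IPsec shared secret")
    if not 1 <= ref.cluster.udp_port <= 65535:
        errors.append(f"UDP port {ref.cluster.udp_port} is not valid")
    return errors


def elect_master(members, failed=()):
    """Return the name of the virtual cluster master.

    At start-up only the devices powered up first are candidates; when the
    master has failed (modelled by `failed`, an assumption of this example),
    every surviving device is a candidate. Highest priority wins; the lowest
    IP address breaks ties.
    """
    alive = [m for m in members if m.name not in failed]
    if not alive:
        return None
    if failed:
        candidates = alive
    else:
        first = min(m.powered_up_at for m in alive)
        candidates = [m for m in alive if m.powered_up_at == first]
    best = min(candidates,
               key=lambda m: (-m.priority, ip_address(m.public_ip.split("/")[0])))
    return best.name


def sample_cluster():
    """Three ASAs sharing one constructed VPN Cluster Configuration."""
    cluster = ClusterConfig("192.0.2.100", ipsec_encryption=True,
                            ipsec_shared_secret="constructed-shared-secret")
    return [
        ClusterMember("asa-a", cluster, "192.0.2.10/24", priority=5, powered_up_at=0.0),
        ClusterMember("asa-b", cluster, "192.0.2.11/24", priority=10, powered_up_at=0.0),
        ClusterMember("asa-c", cluster, "192.0.2.9/24", priority=10, powered_up_at=30.0),
    ]


if __name__ == "__main__":
    members = sample_cluster()
    print("config errors:", config_errors(members))
    print("master at start-up:", elect_master(members))                  # asa-b
    print("master after asa-b fails:", elect_master(members, {"asa-b"}))  # asa-c
```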
Enable Clientless SSL VPN Load Balancing Using FQDNs
Step 1 Enable the use of FQDNs for Load Balancing by checking the Send FQDN to client instead of an IP
address when redirecting checkbox.
Step 2 Add an entry for each of your ASA outside interfaces into your DNS server, if such entries are not
already present. Each ASA outside IP address should have a DNS entry associated with it for lookups.
These DNS entries must also be enabled for Reverse Lookup.
Step 3 Enable DNS lookups on your ASA on the dialog box Configuration > Device Management > DNS >
DNS Client for whichever interface has a route to your DNS server.
Step 4 Define your DNS server IP address on the ASA. To do this, click Add on this dialog box. This opens the
Add DNS Server Group dialog box. Enter the IPv4 or IPv6 address of the DNS server you want to add;
for example, 192.168.1.1 or 2001:DB8:2000::1.
Step 5 Click OK and Apply.
Setting Global NAC Parameters
The ASA uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate
the posture of remote hosts. Posture validation involves checking a remote host for compliancy with
safety requirements before the assignment of a network access policy. An Access Control Server must
be configured for Network Admission Control before you configure NAC on the ASA.
Fields
The NAC pane lets you set attributes that apply to all NAC communications. The following global
attributes at the top of the pane apply to EAPoUDP messaging between the ASA and remote hosts:
Port—Port number for EAP over UDP communication with the Cisco Trust Agent (CTA) on the
host. This number must match the port number configured on the CTA. Enter a value in the range
1024 to 65535. The default setting is 21862.
Retry if no response—Number of times the ASA resends an EAP over UDP message. This attribute
limits the number of consecutive retries sent in response to Rechallenge Interval expirations. The
setting is in seconds. Enter a value in the range 1 to 3. The default setting is 3.
Rechallenge Interval—The ASA starts this timer when it sends an EAPoUDP message to the host.
A response from the host clears the timer. If the timer expires before the ASA receives a response,
it resends the message. The setting is in seconds. Enter a value in the range 1 to 60. The default
setting is 3.
Wait before new PV Session—The ASA starts this timer when it places the NAC session for a remote
host into a hold state. It places a session in a hold state if it does not receive a response after sending
EAPoUDP messages equal to the value of the “Retry if no response” setting. The ASA also starts
this timer after it receives an Access Reject message from the ACS server. When the timer expires,
the ASA tries to initiate a new EAP over UDP association with the remote host. The setting is in
seconds. Enter a value in the range 60 to 86400. The default setting is 180.
The Clientless Authentication area of the NAC pane lets you configure settings for hosts that are not
responsive to the EAPoUDP requests. Hosts for which there is no CTA running do not respond to these
requests.
Enable clientless authentication—Click to enable clientless authentication. The ASA sends the
configured clientless username and password to the Access Control Server in the form of a user
authentication request. The ACS in turn requests the access policy for clientless hosts. If you leave
this attribute blank, the ASA applies the default ACL for clientless hosts.
Clientless Username—Username configured for clientless hosts on the ACS. The default setting is
clientless. Enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#),
question marks (?), single and double quotation marks (' and "), asterisks (*), and angle brackets
(< and >).
Password—Password configured for clientless hosts on the ACS. The default setting is clientless.
Enter 4 to 32 ASCII characters.
Confirm Password—Password configured for clientless hosts on the ACS repeated for validation.
Enable Audit—Click to pass the IP address of the client to an optional audit server if the client does
not respond to a posture validation request. The audit server, such as a Trend server, uses the host
IP address to challenge the host directly to assess its health. For example, it may challenge the host
to determine whether its virus checking software is active and up-to-date. After the audit server
completes its interaction with the remote host, it passes a token to the posture validation server,
indicating the health of the remote host.
None—Click to disable clientless authentication and audit services.
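The following is an added example, not code from the Cisco guide: it simulates the EAPoUDP retry, Rechallenge Interval and Wait before new PV Session timers described in the fields above, and checks the stated Clientless Username and Password rules. The host behaviour is constructed, and treating the initial EAPoUDP message as separate from the retry count is an assumption of this example.

```python
"""Added example, not from the Cisco guide: simulates the NAC pane's EAPoUDP
timers and validates the clientless credential rules. Host behaviour and all
values are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORBIDDEN_USERNAME_CHARS = set("#?'\"*<>")


@dataclass(frozen=True)
class NacGlobalSettings:
    port: int = 21862               # EAPoUDP port; must match the CTA on the host
    retries: int = 3                # Retry if no response, 1 to 3
    rechallenge_interval: int = 3   # seconds, 1 to 60
    hold_period: int = 180          # Wait before new PV Session, 60 to 86400 seconds


def settings_errors(s: NacGlobalSettings) -> List[str]:
    """Report values outside the ranges the NAC pane accepts."""
    errors = []
    if not 1024 <= s.port <= 65535:
        errors.append(f"port {s.port} outside 1024-65535")
    if not 1 <= s.retries <= 3:
        errors.append(f"retries {s.retries} outside 1-3")
    if not 1 <= s.rechallenge_interval <= 60:
        errors.append(f"rechallenge interval {s.rechallenge_interval} outside 1-60")
    if not 60 <= s.hold_period <= 86400:
        errors.append(f"hold period {s.hold_period} outside 60-86400")
    return errors


def eapoudp_timeline(s: NacGlobalSettings,
                     host_responds_at: Optional[float]) -> Tuple[str, List[float], float]:
    """Return (outcome, times the ASA sent EAPoUDP messages, time of the next event).

    The ASA sends at t=0 and starts the rechallenge timer; each expiry without
    a reply triggers a resend, up to `retries` resends. If the last resend also
    gets no reply the session enters the hold state until the hold timer
    expires and a new association is attempted. Assumption: the initial
    message is not counted as a retry.
    """
    sends: List[float] = []
    t = 0.0
    for _ in range(s.retries + 1):
        sends.append(t)
        deadline = t + s.rechallenge_interval
        if host_responds_at is not None and host_responds_at <= deadline:
            return "validating", sends, host_responds_at
        t = deadline
    return "hold", sends, t + s.hold_period


def clientless_username_error(name: str) -> Optional[str]:
    """Clientless Username: 1 to 64 ASCII characters, no leading or trailing
    spaces, none of # ? ' " * < >."""
    if not 1 <= len(name) <= 64:
        return "must be 1 to 64 characters"
    if name != name.strip():
        return "leading or trailing spaces are not allowed"
    if not name.isascii():
        return "must be ASCII"
    bad = sorted(set(name) & FORBIDDEN_USERNAME_CHARS)
    if bad:
        return "contains forbidden characters: " + "".join(bad)
    return None


def clientless_password_error(password: str, confirm: str) -> Optional[str]:
    """Password: 4 to 32 ASCII characters, repeated in Confirm Password."""
    if not 4 <= len(password) <= 32 or not password.isascii():
        return "must be 4 to 32 ASCII characters"
    if password != confirm:
        return "Confirm Password does not match"
    return None


if __name__ == "__main__":
    defaults = NacGlobalSettings()
    print(eapoudp_timeline(defaults, None))   # ('hold', [0.0, 3.0, 6.0, 9.0], 192.0)
    print(eapoudp_timeline(defaults, 4.0))    # ('validating', [0.0, 3.0], 4.0)
    print(clientless_username_error("guest#1"))
```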
Configuring Network Admission Control Policies
The NAC Policies table displays the Network Admission Control (NAC) policies configured on the ASA.
To add, change, or remove a NAC policy, do one of the following:
To add a NAC policy, choose Add. The Add NAC Framework Policy dialog box opens.
To change a NAC policy, double-click it, or select it and click Edit. The Edit NAC Framework Policy
dialog box opens.
To remove a NAC policy, select it and click Delete.
The following sections describe NAC, its requirements, and how to assign values to the policy attributes:
About NAC
Uses, Requirements, and Limitations
Fields
What to Do Next
About NAC
NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue
applications by performing endpoint compliance and vulnerability checks as a condition for production
access to the network. We refer to these checks as posture validation. You can configure posture
validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on
a host with an AnyConnect or Clientless SSL VPN session are up-to-date before providing access to
vulnerable hosts on the intranet. Posture validation can include the verification that the applications
running on the remote hosts are updated with the latest patches. NAC occurs only after user
authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network
from hosts that are not subject to automatic network policy enforcement, such as home PCs.
The establishment of a tunnel between the endpoint and the ASA triggers posture validation.
You can configure the ASA to pass the IP address of the client to an optional audit server if the client
does not respond to a posture validation request. The audit server, such as a Trend server, uses the host
IP address to challenge the host directly to assess its health. For example, it may challenge the host to
determine whether its virus checking software is active and up-to-date. After the audit server completes
its interaction with the remote host, it passes a token to the posture validation server, indicating the
health of the remote host.
Following successful posture validation or the reception of a token indicating the remote host is healthy,
the posture validation server sends a network access policy to the ASA for application to the traffic on
the tunnel.
In a NAC Framework configuration involving the ASA, only a Cisco Trust Agent running on the client
can fulfill the role of posture agent, and only a Cisco Access Control Server (ACS) can fulfill the role of
posture validation server. The ACS uses dynamic ACLs to determine the access policy for each client.
As a RADIUS server, the ACS can authenticate the login credentials required to establish a tunnel, in
addition to fulfilling its role as posture validation server.
Note Only a NAC Framework policy configured on the ASA supports the use of an audit server.
In its role as posture validation server, the ACS uses access control lists. If posture validation succeeds
and the ACS specifies a redirect URL as part of the access policy it sends to the ASA, the ASA redirects
all HTTP and HTTPS requests from the remote host to the redirect URL. Once the posture validation
server uploads an access policy to the ASA, all of the associated traffic must pass both the Security
Appliance and the ACS (or vice versa) to reach its destination.
The establishment of a tunnel between a remote host and the ASA triggers posture validation if a NAC
Framework policy is assigned to the group policy. The NAC Framework policy can, however, identify
operating systems that are exempt from posture validation and specify an optional ACL to filter such
traffic.
Uses, Requirements, and Limitations
When configured to support NAC, the ASA functions as a client of a Cisco Secure Access Control
Server, requiring that you install a minimum of one Access Control Server on the network to provide
NAC authentication services.
Following the configuration of one or more Access Control Servers on the network, you must register
the Access Control Server group, using the Configuration > Remote Access VPN > Clientless SSL
VPN Access > Group Policies > Add or Edit External menu option. Then add the NAC policy.
ASA support for NAC Framework is limited to remote access IPsec and Clientless SSL VPN sessions.
The NAC Framework configuration supports only single mode.
NAC on the ASA does not support Layer 3 (non-VPN) and IPv6 traffic.
Fields
Policy Name—Enter a string of up to 64 characters to name the new NAC policy.
Following the configuration of the NAC policy, the policy name appears next to the NAC Policy
attribute in the Network (Client) Access group policies. Assign a name that will help you to
distinguish its attributes or purpose from others that you may configure.
Status Query Period—The ASA starts this timer after each successful posture validation and status
query response. The expiration of this timer triggers a query for changes in the host posture, referred
to as a status query. Enter the number of seconds in the range 30 to 1800. The default setting is 300.
Revalidation Period—The ASA starts this timer after each successful posture validation. The
expiration of this timer triggers the next unconditional posture validation. The ASA maintains
posture validation during revalidation. The default group policy becomes effective if the Access
Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds
between each successful posture validation. The range is 300 to 86400. The default setting is 36000.
Default ACL—(Optional) The ASA applies the security policy associated with the selected ACL if
posture validation fails. Select None or select an extended ACL in the list. The default setting is
None. If the setting is None and posture validation fails, the ASA applies the default group policy.
Use the Manage button to populate the drop-down list and view the configuration of the ACLs in the
list.
Manage—Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard
ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs.
Authentication Server Group—Specifies the authentication server group to use for posture
validation. The drop-down list next to this attribute displays the names of all server groups of type
RADIUS configured on this ASA that are available for remote access tunnels. Select an ACS group
consisting of at least one server configured to support NAC.
Posture Validation Exception List—Displays one or more attributes that exempt remote computers
from posture validation. At minimum, each entry lists the operating system and an Enabled setting
of Yes or No. An optional filter identifies an ACL used to match additional attributes of the remote
computer. An entry that consists of an operating system and a filter requires the remote computer to
match both to be exempt from posture validation. The ASA ignores the entry if the Enabled setting
is set to No.
Add—Adds an entry to the Posture Validation Exception list.
Edit—Modifies an entry in the Posture Validation Exception list.
Delete—Removes an entry from the Posture Validation Exception list.
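The following is an added example, not code from the Cisco guide: it evaluates a NAC Framework policy as the fields above describe it, checking the Status Query and Revalidation Period ranges, deciding whether a remote computer is exempt under the Posture Validation Exception List (an entry counts only when Enabled, and an entry with a filter requires both the operating system and the ACL to match), and selecting the policy applied when posture validation fails or the ACS is unavailable. The policy name, operating system strings and ACL names are constructed, and ACL matching is a constructed callable standing in for the ASA's own ACL evaluation.

```python
"""Added example, not from the Cisco guide: evaluates a NAC Framework policy's
timers, exception list and fallback policy. Names and ACLs are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class ExceptionEntry:
    operating_system: str
    enabled: bool = False              # default unchecked; entry ignored when False
    filter_acl: Optional[str] = None   # optional ACL; both OS and ACL must match


@dataclass
class NacPolicy:
    name: str
    status_query_period: int = 300      # seconds, 30 to 1800
    revalidation_period: int = 36000    # seconds, 300 to 86400
    default_acl: Optional[str] = None   # applied when posture validation fails
    auth_server_group: str = "ACS"      # RADIUS server group configured for NAC
    exceptions: List[ExceptionEntry] = field(default_factory=list)


def policy_errors(p: NacPolicy) -> List[str]:
    """Report values outside the ranges the Add NAC Framework Policy dialog accepts."""
    errors = []
    if not 1 <= len(p.name) <= 64:
        errors.append("Policy Name must be 1 to 64 characters")
    if not 30 <= p.status_query_period <= 1800:
        errors.append(f"Status Query Period {p.status_query_period} outside 30-1800")
    if not 300 <= p.revalidation_period <= 86400:
        errors.append(f"Revalidation Period {p.revalidation_period} outside 300-86400")
    return errors


def is_exempt(p: NacPolicy, host_os: str, acl_matches: Callable[[str], bool]) -> bool:
    """True when an enabled entry matches the host OS and, if present, its filter ACL."""
    for entry in p.exceptions:
        if not entry.enabled or entry.operating_system != host_os:
            continue
        if entry.filter_acl is None or acl_matches(entry.filter_acl):
            return True
    return False


def applied_policy(p: NacPolicy, validation_result: str) -> str:
    """Policy applied to tunnel traffic for a validation_result of 'success',
    'failure' or 'acs-unavailable'."""
    if validation_result == "success":
        return "access policy sent by the ACS"
    if validation_result == "failure" and p.default_acl:
        return f"Default ACL {p.default_acl}"
    # Validation failed with no Default ACL, or the ACS was unavailable.
    return "default group policy"


def next_posture_events(p: NacPolicy, validated_at: float = 0.0) -> Tuple[float, float]:
    """Times of the next status query and the next unconditional revalidation
    after a successful posture validation at `validated_at`."""
    return (validated_at + p.status_query_period,
            validated_at + p.revalidation_period)


def sample_policy() -> NacPolicy:
    """Constructed policy with one plain, one filtered and one disabled exemption."""
    return NacPolicy("remote-nac", exceptions=[
        ExceptionEntry("Windows XP", enabled=True),
        ExceptionEntry("Mac OS X", enabled=True, filter_acl="mac-exempt"),
        ExceptionEntry("Linux"),   # Enabled unchecked, so ignored
    ])


if __name__ == "__main__":
    policy = sample_policy()
    print(policy_errors(policy))
    print(is_exempt(policy, "Mac OS X", lambda acl: acl == "mac-exempt"))  # True
    print(applied_policy(policy, "failure"))                                # default group policy
```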
What to Do Next
Following the configuration of the NAC policy, you must assign it to a group policy for it to become
active. To do so, choose Configuration > Remote Access VPN > Network (Client) Access > Group
Policies > Add or Edit > General > More Options and the NAC policy name from the drop-down list
next to the NAC Policy attribute.
Add/Edit Posture Validation Exception
The Add/Edit Posture Validation Exception dialog pane lets you exempt remote computers from posture
validation, based on their operating system and other optional attributes that match a filter.
Operating System—Choose the operating system of the remote computer. If the computer is running
this operating system, it is exempt from posture validation. The default setting is blank.
Enable—The ASA checks the remote computer for the attribute settings displayed in this pane only
if you check Enabled. Otherwise, it ignores the attribute settings. The default setting is unchecked.
Filter—(Optional) Use to apply an ACL to filter the traffic if the operating system of the computer
matches the value of the Operating System attribute.
Manage—Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard
ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs. Use
this button to populate the list next to the Filter attribute.
CHAPTER 4
General VPN Setup
A virtual private network is a network of virtual circuits that carry private traffic over a public network
such as the Internet. VPNs can connect two or more LANs, or remote users to a LAN. VPNs provide
privacy and security by requiring all users to authenticate and by encrypting all data traffic.
AnyConnect Customization/Localization, page 4-1
Default Tunnel Gateway, page 4-6
Group Policies, page 4-7
Access Control List Manager, page 4-36
Configuring AnyConnect VPN Client Connections, page 4-48
Configuring AnyConnect VPN Connections, page 4-57
Configuring AnyConnect Secure Mobility, page 4-69
IPsec Remote Access Connection Profiles, page 4-78
Add or Edit an IPsec Remote Access Connection Profile, page 4-79
Mapping Certificates to IPsec or SSL VPN Connection Profiles, page 4-80
System Options, page 4-107
Zone Labs Integrity Server, page 4-108
Easy VPN Remote, page 4-109
Advanced Easy VPN Properties, page 4-111
AnyConnect Essentials, page 4-113
Configuring AnyConnect Host Scan, page 4-115
Configuring Maximum VPN Sessions, page 4-122
Configuring the Pool of Cryptographic Cores, page 4-122
AnyConnect Customization/Localization
You can customize the AnyConnect VPN client to display your own corporate image to remote users,
including clients running on Windows, Linux, and Mac OS X computers. The following ASDM screens
under AnyConnect Customization/Localization allow you to import the following types of customized
files:
Resources—Modified GUI icons for the AnyConnect client.
Binary—Executable files to replace the AnyConnect installer. This includes GUI files, plus the
VPN client profile, scripts and other client files.
Script—Scripts that will run before or after AnyConnect makes a VPN connection.
GUI Text and Messages—Titles and messages used by the AnyConnect client.
Customized Installer—Transforms that modify the client installation.
Localized Installer—Transforms that change the language used by the client.
Each dialog provides the following actions:
Import launches the Import AnyConnect Customization Objects dialog, where you can specify a
file to import as an object.
Export launches the Export AnyConnect Customization Objects dialog, where you can specify a file
to export as an object.
Delete removes the selected object.
Restrictions
Customization is not supported for the AnyConnect client running on a Windows Mobile device.
AnyConnect Customization/Localization > Resources
The filenames of the custom components that you import must match the filenames used by the
AnyConnect GUI, which are different for each operating system and are case sensitive for Mac and
Linux. For example, if you want to replace the corporate logo for Windows clients, you must import your
corporate logo as company_logo.png. If you import it as a different filename, the AnyConnect installer
does not change the component. However, if you deploy your own executable to customize the GUI, the
executable can call resource files using any filename.
If you import an image as a resource file (such as company_logo.bmp), the image you import customizes
AnyConnect until you reimport another image using the same filename. For example, if you replace
company_logo.bmp with a custom image, and then delete the image, the client continues to display your
image until you import a new image (or the original Cisco logo image) using the same filename.
AnyConnect Customization/Localization > Binary and Script
In ASDM, the same link is used for both the Binary and Script panes.
AnyConnect Customization/Localization > Binary
For Windows, Linux, or Mac (PowerPC or Intel-based) computers, you can deploy your own client that
uses the AnyConnect client API. You replace the AnyConnect GUI and the AnyConnect CLI by
replacing the client binary files.
Fields for the Import dialog:
Name—Enter the name of the AnyConnect file that you are replacing.
Platform—Select the OS platform that your file runs on.
Select a file—The filename does not need to be the same as the name of the imported file.
AnyConnect Customization/Localization > Script
For complete information about deploying scripts, and their limitations and restrictions, see the
AnyConnect VPN Client Administrators Guide.
Fields for the Import dialog:
Name—Enter a name for the script. Be sure to specify the correct extension with the name. For
example, myscript.bat.
Script Type—Choose when to run the script.
AnyConnect adds the prefix scripts_ and the prefix OnConnect or OnDisconnect to your filename
to identify the file as a script on the ASA. When the client connects, the ASA downloads the script
to the proper target directory on the remote computer, removing the scripts_ prefix and leaving the
remaining OnConnect or OnDisconnect prefix. For example, if you import the script myscript.bat,
the script appears on the ASA as scripts_OnConnect_myscript.bat. On the remote computer, the
script appears as OnConnect_myscript.bat.
To ensure the scripts run reliably, configure all ASAs to deploy the same scripts. If you want to
modify or replace a script, use the same name as the previous version and assign the replacement
script to all of the ASAs that the users might connect to. When the user connects, the new script
overwrites the one with the same name.
Platform—Select the OS platform that your file runs on.
Select a file—The filename does not need to be the same as the name you provided for the
script.
ASDM imports the file from any source file, creating the new name you specify for Name in Step 3.
AnyConnect Customization/Localization > GUI Text and Messages
You can edit the default translation table, or create new ones, to change the text and messages displayed
on the AnyConnect client GUI. This pane also shares functionality with the Language Localization
pane. For more extensive language translation, go to Configuration > Remote Access VPN > Language
Localization.
In addition to the usual buttons on the top toolbar, this pane also has an Add button, and a Template area
with extra buttons.
Add—The Add button opens a copy of the default translation table, which you can edit directly, or save.
You can select the language of the saved file, and edit the language of the text inside the file later.
When you customize messages in the translation table, do not change msgid, change the text in
msgstr.
Specify a language for the template. The template becomes a translation table in cache memory with
the name you specify. Use an abbreviation that is compatible with the language options for your
browser. For example, if you are creating a table for the Chinese language, and you are using IE, use
the abbreviation zh, which is recognized by IE.
Template Section
Click Template to expand the template area, which provides access to the default English translation
table.
Click View to view, and optionally save, the default English translation table.
Click Export to save a copy of the default English translation table without looking at it.
AnyConnect Customization/Localization > Customized Installer Transforms
You can perform more extensive customizing of the AnyConnect client GUI (Windows only) by creating
your own transform that deploys with the client installer program. You import the transform to the ASA,
which deploys it with the installer program.
Windows is the only valid choice for applying a transform. For more information about transforms, see
the AnyConnect Administration Guide.
AnyConnect Customization/Localization > Localized Installer Transforms
You can translate messages displayed by the client installer program with a transform. The transform
alters the installation, but leaves the original security-signed MSI intact. These transforms only translate
the installer screens and do not translate the client GUI screens.
Client Software
Configuration > VPN > General > Client Update
The Client Software pane lets administrators at a central location do the following actions:
Enable client update; specify the types and revision numbers of clients to which the update applies.
Provide a URL or IP address from which to get the update.
In the case of Windows clients, optionally notify users that they should update their VPN client
version.
Note The Client Update function in Configuration > Remote Access VPN > Network (Client) Access >
Advanced > IPsec > Upload Software > Client Software applies only to the IPsec VPN client (for
Windows, MAC OS X, and Linux) and the VPN 3002 hardware client. It does not apply to the Cisco
AnyConnect VPN client, which is updated by the ASA automatically when it connects.
For the IPsec VPN client, you can provide a mechanism for users to accomplish that update. For VPN
3002 hardware client users, the update occurs automatically, with no notification. You can apply client
updates only to the IPsec remote-access tunnel-group type.
Note If you try to do a client update to an IPsec site-to-site connection or a Clientless VPN IPsec
connection, you do not receive an error message, but no update notification or client update goes to those
types of IPsec connections.
To enable client update globally for all clients of a particular client type, use this dialog box. You can
also notify all Windows, MAC OS X, and Linux clients that an upgrade is needed and initiate an upgrade
on all VPN 3002 hardware clients from this dialog box. To configure the client revisions to which the
update applies and the URL or IP address from which to download the update, click Edit.
To configure client update revisions and software update sources for a specific tunnel group, choose
Configuration > Remote Access VPN > Network (Client) Access > IPsec > Add/Edit > Advanced >
IPsec > Client Software Update.
Fields
Enable Client Update—Enables or disables client update, both globally and for specific tunnel
groups. You must enable client update before you can send a client update notification to Windows,
MAC OS X, and Linux VPN clients, or initiate an automatic update to hardware clients.
Client Type—Lists the clients to upgrade: software or hardware, and for Windows software clients,
all Windows or a subset. If you click All Windows Based, do not specify Windows 95, 98 or ME and
Windows NT, 2000 or XP individually. The hardware client gets updated with a release of the ASA
5505 software or of the VPN 3002 hardware client.
VPN Client Revisions—Contains a comma-separated list of software image revisions appropriate
for this client. If the user client revision number matches one of the specified revision numbers, there
is no need to update the client, and, for Windows-based clients, the user does not receive an update
notification. The following caveats apply:
The revision list must include the software version for this update.
Your entries must match exactly those on the URL for the VPN client, or the TFTP server for
the hardware client.
The TFTP server for distributing the hardware client image must be a robust TFTP server.
A VPN client user must download an appropriate software version from the listed URL.
The VPN 3002 hardware client software is automatically updated via TFTP, with no notification
to the user.
Image URL—Contains the URL or IP address from which to download the software image. This
URL must point to a file appropriate for this client. For Windows, MAC OS X, and Linux-based
clients, the URL must be in the form: http:// or https://. For hardware clients, the URL must be in
the form tftp://.
For Windows, MAC OS X, and Linux-based VPN clients: To activate the Launch button on the
VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server
address of the site that contains the update. The format of the URL is:
http(s)://server_address:port/directory/filename. The server address can be either an IP address
or a hostname if you have configured a DNS server. For example:
http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe
The directory is optional. You need the port number only if you use ports other than 80 for HTTP
or 443 for HTTPS.
For the hardware client: The format of the URL is tftp://server_address/directory/filename. The
server address can be either an IP address or a hostname if you have configured a DNS server.
For example:
tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin
Edit—Opens the Edit Client Update Entry dialog box, which lets you configure or change client
update parameters. See Edit Client Update Entry.
Live Client Update—Sends an upgrade notification message to all currently connected VPN clients
or selected tunnel group(s).
Tunnel Group—Selects all or specific tunnel group(s) for updating.
Update Now—Immediately sends an upgrade notification containing a URL specifying where
to retrieve the updated software to the currently connected VPN clients in the selected tunnel
group or all connected tunnel groups. The message includes the location from which to
download the new version of software. The administrator for that VPN client can then retrieve
the new software version and update the VPN client software.
4-6
Cisco ASA Series VPN ASDM Configuration Guide
Chapter 4 General VPN Setup
Default Tunnel Gateway
For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification.
You must check Enable Client Update for the upgrade to work. Clients that are not connected
receive the upgrade notification or automatically upgrade the next time they log on.
Edit Client Update Entry
Configuration > VPN > General > Client Update > Edit Client Update Entry
The Edit Client Update dialog box lets you change information about VPN client revisions and URLs
for the indicated client types. The clients must be running one of the revisions specified for the indicated
client type. If not, the clients are notified that an upgrade is required.
Fields
Client Type—(Display-only) Displays the client type selected for editing.
VPN Client Revisions—Lets you type a comma-separated list of software or firmware images
appropriate for this client. If the user client revision number matches one of the specified revision
numbers, there is no need to update the client. If the client is not running a software version on the
list, an update is in order. The user of a Windows, MAC OS X, or Linux-based VPN client must
download an appropriate software version from the listed URL. The VPN 3002 hardware client
software is automatically updated via TFTP.
Image URL—Lets you type the URL for the software/firmware image. This URL must point to a
file appropriate for this client.
For a Windows, MAC OS X, or Linux-based VPN client, the URL must include the protocol
HTTP or HTTPS and the server address of the site that contains the update. The format of the
URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP
address or a hostname if you have configured a DNS server. For example:
http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe
The directory is optional. You need the port number only if you use ports other than 80 for HTTP
or 443 for HTTPS.
For the hardware client: The format of the URL is tftp://server_address/directory/filename. The
server address can be either an IP address or a hostname if you have configured a DNS server.
For example:
tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin
The directory is optional.
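The URL-format and revision-list rules that the Client Update and Edit Client Update Entry fields describe can be checked mechanically before an entry is applied. The following Python is an added example written for this page, not Cisco software or an ASA API; the function names, the client-type labels, and the sample URLs and revision strings are assumptions chosen for illustration. The plain-HTTP warning is an added check that the guide itself does not require.

```python
"""Checks for Client Update entries: image URL format per client type and
whether a connecting client's revision is on the allowed list.  Added
illustration for this page, not Cisco code; client-type labels, function
names and sample values are constructed."""
from urllib.parse import urlsplit

SOFTWARE_CLIENTS = ("Windows", "Mac OS X", "Linux")   # http:// or https://
HARDWARE_CLIENTS = ("VPN3002",)                       # tftp:// only


def allowed_schemes(client_type):
    if client_type in SOFTWARE_CLIENTS:
        return ("http", "https")
    if client_type in HARDWARE_CLIENTS:
        return ("tftp",)
    raise ValueError(f"unknown client type {client_type!r}")


def validate_image_url(client_type, url):
    """Check an Image URL against the format rules for the client type.

    Returns (errors, warnings).  Errors are violations of the page's rules:
    wrong scheme for the client type, no server address, a malformed port, or
    no filename.  The one warning, plain http://, is an added defender's check:
    the page allows it, but nothing then protects the image in transit.
    """
    errors, warnings = [], []
    schemes = allowed_schemes(client_type)
    parts = urlsplit(url)
    if parts.scheme not in schemes:
        errors.append(f"scheme {parts.scheme or '(none)'!r} not valid for "
                      f"{client_type}; expected one of {schemes}")
    if not parts.hostname:
        errors.append("missing server address")
    try:
        _ = parts.port            # ValueError on a non-numeric or out-of-range port
    except ValueError:
        errors.append("malformed port")
    if not parts.path.rsplit("/", 1)[-1]:
        errors.append("missing image filename")
    if parts.scheme == "http":
        warnings.append("image served over plain HTTP; prefer https://")
    return errors, warnings


def needs_update(client_revision, allowed_revisions):
    """True when the client's revision is not on the comma-separated
    VPN Client Revisions list (exact match, as the page describes)."""
    allowed = {r.strip() for r in allowed_revisions.split(",") if r.strip()}
    return client_revision.strip() not in allowed


def update_action(client_type, client_revision, allowed_revisions, url):
    """What the ASA would do for one connecting client.

    'none' if the client is current, 'invalid-url' if the configured image URL
    breaks the format rules, 'auto-tftp' for a hardware client (silent TFTP
    upgrade), 'notify' for a software client (user must fetch from the URL).
    """
    if not needs_update(client_revision, allowed_revisions):
        return "none"
    errors, _warnings = validate_image_url(client_type, url)
    if errors:
        return "invalid-url"
    return "auto-tftp" if client_type in HARDWARE_CLIENTS else "notify"


if __name__ == "__main__":
    # constructed entries modelled on the page's two example URLs
    entries = [
        ("Windows", "4.5.Rel", "4.6.Rel, 4.7.Rel", "http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe"),
        ("VPN3002", "4.0.Rel", "4.1.Rel", "tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin"),
        ("Linux", "4.6.Rel", "4.6.Rel", "https://updates.example.com:8443/vpnclient-linux.tar.gz"),
    ]
    for client_type, rev, allowed, url in entries:
        print(client_type, rev, "->", update_action(client_type, rev, allowed, url),
              validate_image_url(client_type, url))
```

The revision comparison is a plain string match because that is what the field semantics describe; a client reporting "4.6.Rel" against a list containing "4.6" is still told to update.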
Default Tunnel Gateway
Configuration > VPN > General > Default Tunnel Gateway
To configure the default tunnel gateway, click the Static Route link. The Configuration > Routing >
Routing > Static Route dialog box opens.
Group Policies
The Group Policies pane lets you manage VPN (AnyConnect or Clientless) group policies. A VPN group
policy is a collection of user-oriented attribute/value pairs stored either internally on the device or
externally on a RADIUS or LDAP server. Configuring the VPN group policy lets users inherit attributes
that you have not configured at the individual group or username level. By default, VPN users have no
group policy association. The group policy information is used by VPN tunnel groups and user accounts.
The “child” panes and dialog boxes let you configure the group parameters, including those for the
default group, DfltGrpPolicy. The default group parameters are those that are most likely to be common
across all groups and users, and they streamline the configuration task. Groups can “inherit” parameters
from this default group, and users can “inherit” parameters from their group or the default group. You
can override these parameters as you configure groups and users.
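As an added illustration of the inheritance order described above (user, then group policy, then DfltGrpPolicy), the following Python resolves the effective value of each attribute and lists which security-relevant attributes end up coming from the default group. It is example code written for this page, not ASA code or an ASA API; an attribute that a level leaves at Inherit is modelled as a key that level simply does not set, and the attribute names and sample values are constructed.

```python
"""Attribute inheritance between a user, its group policy and DfltGrpPolicy,
as the Group Policies text describes it.  Added illustration for this page,
not ASA code.  Inherit is modelled as an attribute the level does not set;
attribute names and sample values are constructed."""

LEVELS = ("user", "group", "DfltGrpPolicy")


def resolve_attribute(name, user, group, default):
    """Return (value, level) for the first level, user first, that sets `name`.

    Falls through to DfltGrpPolicy, which always carries a value on a real ASA;
    (None, None) comes back only when the sample default omits the attribute.
    """
    for level, attrs in zip(LEVELS, (user, group, default)):
        if name in attrs:
            return attrs[name], level
    return None, None


def effective_policy(user, group, default):
    """Resolve every attribute any level mentions into the merged set the user gets."""
    names = set(user) | set(group) | set(default)
    return {n: resolve_attribute(n, user, group, default)[0] for n in sorted(names)}


def inherited_from_default(user, group, default, watch):
    """Names in `watch` whose effective value is taken from DfltGrpPolicy.

    Added review check: since Inherit is the default for every field, an
    access-control attribute that neither the user nor the group sets quietly
    takes whatever DfltGrpPolicy says, which is worth listing during a review.
    """
    return [n for n in watch
            if resolve_attribute(n, user, group, default)[1] == "DfltGrpPolicy"]


# Constructed sample policies; attribute names follow the ASDM field labels.
DFLT_GRP_POLICY = {
    "Simultaneous Logins": 3,
    "Idle Timeout": 30,
    "Tunneling Protocols": {"SSL VPN Client", "IPsec IKEv1", "IPsec IKEv2"},
    "Filter": "--None--",
    "Split Tunnel Policy": "Tunnel All Networks",
}
GP_CONTRACTORS = {                      # hypothetical internal group policy
    "Tunneling Protocols": {"SSL VPN Client"},
    "Filter": "ACL_CONTRACTORS",
    "Split Tunnel Policy": "Tunnel Network List Below",
}
USER_BOB = {"Simultaneous Logins": 1}   # hypothetical local user override

if __name__ == "__main__":
    for name, value in effective_policy(USER_BOB, GP_CONTRACTORS, DFLT_GRP_POLICY).items():
        print(f"{name:20} = {value}")
    print("taken from DfltGrpPolicy:",
          inherited_from_default(USER_BOB, GP_CONTRACTORS, DFLT_GRP_POLICY,
                                 ["Filter", "Idle Timeout", "Simultaneous Logins"]))
```

Run against a group policy that does not set Filter, the last call reports Filter as inherited from DfltGrpPolicy, which is exactly the case in which a group silently gets the unfiltered default.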
You can configure either an internal or an external group policy. An internal group policy is stored
locally, and an external group policy is stored externally on a RADIUS or LDAP server. Clicking Edit
opens a similar dialog box on which you can create a new group policy or modify an existing one.
In these dialog boxes, you configure the following kinds of parameters:
General attributes: Name, banner, address pools, protocols, filtering, and connection settings.
Servers: DNS and WINS servers, DHCP scope, and default domain name.
Advanced attributes: Split tunneling, IE browser proxy, AnyConnect client, and IPsec client.
Before configuring these parameters, you should configure:
Access hours.
Filters.
Network lists for filtering and split tunneling
User authentication servers and the internal authentication server.
You can configure these types of group policies:
Configuring External Group Policies—An external group policy points the ASA to the RADIUS or
LDAP server to retrieve much of the policy information that would otherwise be configured in an
internal group policy. External group policies are configured the same way for Network (Client)
Access VPN connections, Clientless SSL VPN connections, and Site-to-Site VPN connections.
Configuring Network (Client) Access Internal Group Policies—These connections are initiated by
a VPN client installed on the endpoint. The AnyConnect Secure Mobility Client and Cisco VPN
IPsec client are examples of VPN clients. After the VPN client is authenticated, remote users can
access corporate networks or applications as if they were on-site. The data traffic between remote
users and the corporate network is secured by being encrypted when going through the Internet.
Configuring Clientless SSL VPN Internal Group Policies—This is also known as browser-based
VPN access. On successful login to the ASA's portal page, remote users can access corporate
networks and applications from the links shown in the web pages. The data traffic between remote
users and the corporate network is secured by traveling through an SSL tunnel.
Configuring Site-to-Site Internal Group Policies
Group Policy Pane Fields
Lists the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN
group policies.
Add—Offers a drop-down menu on which you can select whether to add an internal or an external
group policy. If you simply click Add, then by default, you create an internal group policy. Clicking
Add opens the Add Internal Group Policy dialog box or the Add External Group Policy dialog box,
which let you add a new group policy to the list. This dialog box includes three menu sections. Click
each menu item to display its parameters. As you move from item to item, ASDM retains your
settings. When you have finished setting parameters on all menu sections, click Apply or Cancel.
Edit—Displays the Edit Group Policy dialog box, which lets you modify an existing group policy.
Delete—Lets you remove a AAA group policy from the list. There is no confirmation or undo.
Assign—Lets you assign a group policy to one or more connection profiles.
Name—Lists the name of the currently configured group policies.
Type—Lists the type of each currently configured group policy.
Tunneling Protocol—Lists the tunneling protocol that each currently configured group policy uses.
Connection Profiles/Users Assigned to—Lists the connection profiles and users configured directly
on the ASA that are associated with this group policy.
Configuring External Group Policies
An external group policy points the ASA to the RADIUS or LDAP server to retrieve much of the policy
information that would otherwise be configured in an internal group policy. External group policies are
configured the same way for Network (Client) Access VPN connections, Clientless SSL VPN
connections, and Site-to-Site VPN connections.
External group policies take their attribute values from the external server that you specify. For an
external group policy, you must identify the RADIUS or LDAP server group that the ASA can query for
attributes and specify the password to use when retrieving attributes from that external server group. If
you are using an external authentication server, and if your external group-policy attributes exist in the
same RADIUS server as the users that you plan to authenticate, you have to make sure that there is no
name duplication between them.
Note External group names on the ASA refer to user names on the RADIUS server. In other words, if you
configure external group X on the ASA, the RADIUS server sees the query as an authentication request
for user X. So external groups are really just user accounts on the RADIUS server that have special
meaning to the ASA. If your external group attributes exist in the same RADIUS server as the users that
you plan to authenticate, there must be no name duplication between them.
The ASA supports user authorization on an external LDAP or RADIUS server. Before you configure the
ASA to use an external server, you must configure the server with the correct ASA authorization
attributes and, from a subset of these attributes, assign specific permissions to individual users. Follow
the instructions in Appendix 13, “Configuring an External Server for Authorization and Authentication”
to configure your external server.
Fields
Name—Identifies the group policy to be added or changed. For Edit External Group Policy, this field
is display-only.
Server Group—Lists the available server groups to which to apply this policy.
New—Opens a dialog box that lets you select whether to create a new RADIUS server group or a
new LDAP server group. Either of these options opens the Add AAA Server Group dialog box.
Password—Specifies the password for this server group policy.
Adding an LDAP or RADIUS Server to a Network (Client) Access External Group Policy
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit >
Add or Edit External Group Policy > New > RADIUS Server Group/New LDAP Server Group >
Add AAA Server Group
The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting
Mode attribute applies only to RADIUS and TACACS+ protocols.
Fields
Server Group—Specifies the name of the server group.
Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.
Accounting Mode—Indicates whether to use simultaneous or single accounting mode. In single
mode, the ASA sends accounting data to only one server. In simultaneous mode, the ASA sends
accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS
and TACACS+ protocols.
Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or
Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the
servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds
of down time.
Dead Time—Specifies, for depletion mode, the number of minutes (0 through 1440) that must elapse
between the disabling of the last server in the group and the subsequent re-enabling of all servers.
The default value is 10 minutes. This field is not available for timed mode.
Max Failed Attempts—Specifies the number (an integer in the range 1 through 5) of failed
connection attempts allowed before declaring a nonresponsive server inactive. The default value is
3 attempts.
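The interaction between Max Failed Attempts, Reactivation Mode and Dead Time is easiest to see by driving a server group through an outage. The following Python simulation is an added example for this page, not ASA code; it models time as a number of seconds supplied by the caller, uses the defaults the fields above state (3 attempts, 10 minutes dead time, 30 seconds for timed mode), and uses constructed server addresses.

```python
"""Simulation of AAA server-group failure handling as described by the
Max Failed Attempts, Reactivation Mode and Dead Time fields.  Added
illustration for this page, not ASA code; `now` is a plain number of seconds
passed in by the caller, and the server addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30   # timed mode: a failed server returns after 30 s down


@dataclass
class Server:
    address: str
    failures: int = 0
    active: bool = True
    deactivated_at: Optional[float] = None


@dataclass
class ServerGroup:
    servers: List[Server]
    reactivation_mode: str = "depletion"   # "depletion" or "timed"
    dead_time_minutes: int = 10            # depletion only, 0..1440, default 10
    max_failed_attempts: int = 3           # 1..5, default 3
    all_down_at: Optional[float] = None    # depletion: when the last server failed

    def __post_init__(self):
        if self.reactivation_mode not in ("depletion", "timed"):
            raise ValueError("Reactivation Mode must be depletion or timed")
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts must be 1 through 5")
        if not 0 <= self.dead_time_minutes <= 1440:
            raise ValueError("Dead Time must be 0 through 1440 minutes")

    @staticmethod
    def _reactivate(server):
        server.active, server.failures, server.deactivated_at = True, 0, None

    def _run_reactivation(self, now):
        if self.reactivation_mode == "timed":
            # each failed server comes back on its own after 30 s of down time
            for s in self.servers:
                if not s.active and now - s.deactivated_at >= TIMED_REACTIVATION_SECONDS:
                    self._reactivate(s)
        elif (self.all_down_at is not None
              and now - self.all_down_at >= self.dead_time_minutes * 60):
            # depletion: nothing returns until every server is down and the
            # dead time has elapsed; then all servers are re-enabled together
            for s in self.servers:
                self._reactivate(s)
            self.all_down_at = None

    def pick(self, now):
        """First active server in configured order, or None if none is usable."""
        self._run_reactivation(now)
        return next((s for s in self.servers if s.active), None)

    def report(self, server, ok, now):
        """Record the outcome of an attempt; deactivate after too many failures."""
        if ok:
            server.failures = 0
            return
        server.failures += 1
        if server.failures >= self.max_failed_attempts:
            server.active, server.deactivated_at = False, now
            if self.reactivation_mode == "depletion" and not any(s.active for s in self.servers):
                self.all_down_at = now


def run_outage(mode):
    """Fail every attempt against a two-server group, then report which server
    is chosen just after the group is exhausted, 31 s later and ~10 min later.
    Returns a tuple of three addresses (None means no usable server)."""
    group = ServerGroup([Server("10.1.1.10"), Server("10.1.1.11")], reactivation_mode=mode)
    now = 0.0
    while (srv := group.pick(now)) is not None:
        group.report(srv, ok=False, now=now)   # one failed attempt per second
        now += 1.0
    picks = []
    for offset in (0, 31, 601):
        srv = group.pick(now + offset)
        picks.append(srv.address if srv else None)
    return tuple(picks)


if __name__ == "__main__":
    for mode in ("timed", "depletion"):
        print(mode, run_outage(mode))
```

In depletion mode the group returns no server for the whole dead time once the last server fails, so every AAA query for that group fails during that window; in timed mode each server is retried after 30 seconds. The choice is between repeatedly retrying servers that may still be down and accepting a fixed, predictable authentication outage.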
Configuring Network (Client) Access Internal Group Policies
Configure Network (Client) Access internal group policies for VPN connections made from AnyConnect
Secure Mobility Clients or legacy Cisco IPsec VPN clients installed on an endpoint.
Configuring General Attributes for an Internal Group Policy
The Add or Edit Group Policy dialog box lets you specify tunneling protocols, filters, connection
settings, and servers for the group policy being added or modified. For each of the fields on this dialog
box, checking the Inherit check box lets the corresponding setting take its value from the default group
policy. Inherit is the default value for all of the attributes in this dialog box.
You can configure the general attributes of an internal group policy by starting ASDM and selecting
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or Edit
Internal Group Policy > General.
Fields
The following attributes appear in the Add Internal Group Policy > General dialog box. They apply to
SSL VPN and IPsec sessions, but not every attribute applies to both, so some attributes are present for
one type of session and not the other.
Name—Specifies the name of this group policy up to 64 characters; spaces are allowed. For the Edit
function, this field is read-only.
Banner—Specifies the banner text to present to users at login. The length can be up to 491
characters. There is no default value.
The IPsec VPN client supports full HTML for the banner. However, the clientless portal and the
AnyConnect client support partial HTML. To ensure the banner displays properly to remote users,
follow these guidelines:
For IPsec client users, use the \n tag.
For AnyConnect client users, use the <BR> tag.
SCEP forwarding URL—Address of the CA, required when SCEP Proxy is configured in the client
profile.
Address Pools—Specifies the name of one or more IPv4 address pools to use for this group policy.
If the Inherit check box is checked, the group policy will use the IPv4 address pool specified in the
Default Group Policy. See Configuring Local IP Address Pools, page 5-3 for information on adding
or editing an IPv4 address pool.
Select—Uncheck the Inherit checkbox to activate the Select command button. Click Select to open
the Address Pools dialog box, which shows the pool name, starting and ending addresses, and subnet
mask of address pools available for client address assignment and lets you select, add, edit, delete,
and assign entries from that list.
IPv6 Address Pools—Specifies the name of one or more IPv6 address pools to use for this group
policy.
Select—Uncheck the Inherit checkbox to activate the Select command button. Click Select to open
the Select Address Pools dialog box, as previously described. See Configuring Local IP Address
Pools, page 5-3 for information on adding or editing an IPv6 address pool.
Note You can specify both an IPv4 and an IPv6 address pool for an internal group policy.
More Options—Click the down arrows at the right of the field to display additional configurable
options for this group policy.
Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only
the selected protocols. The choices are as follows:
Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to
establish a secure remote-access tunnel to an ASA; requires neither a software nor hardware
client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources,
including corporate websites, web-enabled applications, NT/AD file share (web-enabled),
e-mail, and other TCP-based applications from almost any computer that can reach HTTPS
Internet sites.
SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL
VPN client. If you are using the AnyConnect client, you must choose this protocol for Mobile
User Security (MUS) to be supported.
IPsec IKEv1—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the
most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and
Cisco VPN client-to-LAN connections can use IPsec IKEv1.
IPsec IKEv2—Supported by the AnyConnect Secure Mobility Client. AnyConnect connections
using IPsec with IKEv2 provide advanced features such as software updates, client profiles,
GUI localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy.
L2TP over IPsec—Allows remote users with VPN clients provided with several common PC
and mobile PC operating systems to establish secure connections over the public IP network
to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701)
to tunnel the data. The security appliance must be configured for IPsec transport mode.
Filter—Specifies which unified access control list to use for an IPv4 or an IPv6 connection, or
whether to inherit the value from the group policy. Filters consist of rules that determine whether to
allow or reject tunneled data packets coming through the ASA, based on criteria such as source
address, destination address, and protocol. To configure filters and rules, see the ACL Manager
dialog box.
Manage—Displays the ACL Manager dialog box, with which you can add, edit, and delete Access
Control Lists (ACLs) and Extended Access Control Lists (ACEs). For more information about the
ACL Manager, see the online Help for that dialog box.
NAC Policy—Selects the name of a Network Admission Control policy to apply to this group policy.
You can assign an optional NAC policy to each group policy. The default value is --None--.
Manage—Opens the Configure NAC Policy dialog box. After configuring one or more NAC
policies, the NAC policy names appear as options in the drop-down list next to the NAC Policy
attribute.
Access Hours—Selects the name of an existing access hours policy, if any, to apply to this user, or
lets you create a new access hours policy. The default value is Inherit, or, if the Inherit check box is
not checked, the default value is --Unrestricted--.
Manage—Opens the Browse Time Range dialog box, in which you can add, edit, or delete a time
range. See Defining Time Ranges, page 4-35 for more information.
Simultaneous Logins—Specifies the maximum number of simultaneous logins allowed for this user.
The default value is 3. The minimum value is 0, which disables login and prevents user access.
Note While there is no maximum limit, allowing several simultaneous connections might
compromise security and affect performance.
Restrict Access to VLAN—(Optional) Also called “VLAN mapping,” this parameter specifies the
egress VLAN interface for sessions to which this group policy applies. The ASA forwards all traffic
from this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to
simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter
traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only
the VLANs that are configured on this ASA.
Note This feature works for HTTP connections, but not for FTP and CIFS.
Connection Profile (Tunnel Group) Lock—This parameter permits remote VPN access only with the
selected connection profile (tunnel group), and prevents access with a different connection profile.
The default inherited value is None.
Maximum Connect Time—If the Inherit check box is not checked, this parameter specifies the
maximum user connection time in minutes. At the end of this time, the system terminates the
connection. The minimum is 1 minute, and the maximum is 35791394 minutes (over 4000 years,
should we be so lucky). To allow unlimited connection time, check Unlimited (the default).
Idle Timeout—If the Inherit check box is not checked, this parameter specifies this user’s idle
timeout period in minutes. If there is no communication activity on the user connection in this
period, the system terminates the connection. The minimum time is 1 minute, and the maximum time
is 10080 minutes. The default is 30 minutes. To allow unlimited connection time, check Unlimited.
This value does not apply to Clientless SSL VPN users.
On smart card removal—With the default option, Disconnect, the client tears down the connection
if the smart card used for authentication is removed. Click Keep the connection if you do not want
to require users to keep their smart cards in the computer for the duration of the connection.
Smart card removal configuration only works on Microsoft Windows using RSA smart cards.
Configuring Server Attributes for an Internal Group Policy
Configure DNS servers, WINS servers and DHCP Scope in the Group Policy > Servers window. DNS
and WINS servers are applied to full-tunnel clients (IPsec, AnyConnect, SVC, L2TP/IPsec) only and are
used for name resolution. DHCP scope is used when DHCP-address assignment is in place.
Configuring a DNS Server for an Internal Group Policy
Use this procedure to configure a specific DNS server for a group policy.
Note This setting overrides the DNS setting configured on the ASDM in the Configuration > Remote Access
VPN > DNS window.
Step 1 Select Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit
> Servers.
Step 2 Unless you are editing the DefaultGroupPolicy, uncheck the DNS Servers Inherit checkbox.
Step 3 In the DNS Servers field, add the IPv4 or IPv6 addresses of the DNS servers you want this group to use.
If you specify more than one DNS server, the remote access client will attempt to use the DNS servers
in the order you specify them in this field.
AnyConnect 3.0.4 and later supports up to 25 DNS server entries in the DNS Servers field; earlier
releases support only up to 10 DNS server entries.
Step 4 Expand the More Options area by clicking the double down arrow in the More Options bar.
Step 5 If there is no default domain specified in the Configuration > Remote Access VPN > DNS window, you
must specify the default domain in the Default Domain field. Use the domain name and top-level domain,
for example, example.com.
Step 6 Click OK.
Step 7 Click Apply.
Configuring WINS Servers for an Internal Group Policy
Use this procedure to configure primary and secondary WINS servers. WINS servers are applied to
full-tunnel clients (IPsec, AnyConnect, SVC, L2TP/IPsec) only and are used for name resolution. The
default value in each case is none.
Step 1 Select Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit
> Servers.
Step 2 Uncheck the WINS Servers Inherit checkbox.
Step 3 In the WINS Servers field, enter the IP addresses of the primary and secondary WINS servers. The first
IP address you specify is that of the primary WINS server. The second (optional) IP address you specify
is that of the secondary WINS server.
Step 4 Click OK.
Configuring Split Tunneling for AnyConnect Traffic
Split tunneling directs some of the AnyConnect network traffic through the VPN tunnel (encrypted) and
other network traffic outside the VPN tunnel (unencrypted or “in the clear”).
Split tunneling is configured by creating a split tunneling policy, configuring an access control list for
that policy, and adding the split tunnel policy to a group policy. When the group policy is sent to the
client, that client will use the ACLs in the split tunneling policy to decide where to direct network traffic.
For Windows clients, firewall rules from the ASA are evaluated first, then the ones on the client. For Mac
OS X, the firewall and filter rules on the client are not used. For Linux systems, starting with
AnyConnect version 3.1.05149, you can configure AnyConnect to evaluate the client's firewall and filter
rules, by adding a custom attribute named circumvent-host-filtering to a group profile, and setting it to
true.
When you create access lists:
You can specify both IPv4 and IPv6 addresses in an access control list.
If you use a standard ACL, only one address or network is used.
If you use extended ACLs, the source network is the split-tunneling network. The destination
network is ignored.
Access lists configured with any or with a split include or exclude of 0.0.0.0/0.0.0.0 or ::/0 will not
be sent to the client. To send all traffic over the tunnel, select Tunnel All Networks for the
split-tunnel Policy.
Address 0.0.0.0/255.255.255.255 or ::/128 will be sent to the client only when the split-tunnel policy
is Exclude Network List Below. This configuration tells the client not to tunnel traffic destined for
any local subnets.
AnyConnect passes traffic to all sites specified in the split tunneling policy, and to all sites that fall
within the same subnet as the IP address assigned by the ASA. For example, if the IP address
assigned by the ASA is 10.1.1.1 with a mask of 255.0.0.0, the endpoint device passes all traffic
destined to 10.0.0.0/8, regardless of the split tunneling policy. Therefore, use a netmask for the
assigned IP address that properly references the expected local subnet.
Prerequisites
You must create an access list with ACLs and (optionally) ACEs.
If you created a split tunnel policy for IPv4 networks and another for IPv6 networks, then the
network list you specify is used for both protocols. So, the network list should contain access control
entries (ACEs) for both IPv4 and IPv6 traffic. If you have not created these ACLs, see the “Adding
ACLs and ACEs” section on page 21-2 in the general operations configuration guide.
Note Split tunneling is a traffic management feature, not a security feature. For optimum security, we
recommend that you do not enable split tunneling.
In the following procedure, in all cases where there is an Inherit checkbox next to a field, leaving the
Inherit check box checked means that the group policy you are configuring will use the same values for
that field as the default group policy. Unchecking Inherit lets you specify new values specific to your
group policy.
Step 1 Connect to the ASA using ASDM and select Configuration > Remote Access VPN > Network (Client)
Access > Group Policies.
Step 2 Click Add to add a new group policy or select an existing group policy and click Edit.
Step 3 Select Advanced > Split Tunneling.
Step 4 In the DNS Names field, enter the domain names that are to be resolved by AnyConnect via the tunnel.
These names correspond to hosts in the private network. If split-include tunneling is configured, the
network list must include the specified DNS servers. You can enter a full qualified domain name, IPv4
or IPv6 address in the field.
Step 5 To disable split tunneling, select Yes for Send All DNS Lookups Through Tunnel. This option ensures
that DNS traffic is not leaked to the physical adapter; it disallows traffic in the clear. If DNS resolution
fails, the address remains unresolved and the AnyConnect client does not try to resolve the address
outside the VPN.
To enable split tunneling, choose No (the default). This setting tells the client to send DNS queries over
the tunnel according to the split tunnel policy.
Step 6 Configure split tunneling by unchecking the Inherit check box and choosing a split-tunneling policy.
If you do not uncheck Inherit, your group policy uses the split tunneling settings defined in the default
group policy, DfltGrpPolicy. The default split tunneling policy setting in the default group policy is to
Tunnel All Networks.
To define the split tunneling policy, choose from the Policy and IPv6 Policy drop-down lists. The Policy field
defines the split tunneling policy for IPv4 network traffic. The IPv6 Policy field selects the split
tunneling policy for IPv6 network traffic. Other than that difference, these fields have the same purpose.
Unchecking Inherit allows you to choose one of these policy options:
Exclude Network List Below—Defines a list of networks to which traffic is sent in the clear. This
feature is useful for remote users who want to access devices on their local network, such as printers,
while they are connected to the corporate network through a tunnel.
Tunnel Network List Below—Tunnels all traffic from or to the networks specified in the Network
List. Traffic to addresses in the include network list is tunneled. Data to all other addresses travels
in the clear and is routed by the remote user’s Internet service provider.
For versions of ASA 9.1.4 and higher, when you specify an include list, you can also specify an
exclude list that is a subnet inside the include range. Those excluded subnets will not be tunneled,
and the rest of the include list networks will be. Networks in the exclusion list that are not a subset
of the include list will be ignored by the client. For Linux, you must add a custom attribute to the
group policy to support excluded subnets.
For example:
Note If the split-include network is an exact match of a local subnet (such as 192.168.1.0/24), the
corresponding traffic is tunneled. If the split-include network is a superset of a local subnet (such
as 192.168.0.0/16), the corresponding traffic, except the local subnet traffic, is tunneled. To also
tunnel the local subnet traffic, you must add a matching split-include network (specifying both
192.168.1.0/24 and 192.168.0.0/16 as split-include networks).
If the split-include network is invalid, such as 0.0.0.0/0.0.0.0, then split tunneling is disabled
(everything is tunneled).
Tunnel All Networks—This policy specifies that all traffic is tunneled. This, in effect, disables split
tunneling. Remote users reach Internet networks through the corporate network and do not have
access to local networks. This is the default option.
Step 7 In the Network List field, select the access control list for the split-tunneling policy. If Inherit is
checked, the group policy uses the network list specified in the default group policy.
Select the Manage command button to open the ACL Manager dialog box, in which you can configure
access control lists to use as network lists. For more information about how to create or edit a network
list, see the “Adding ACLs and ACEs” section on page 21-2 in the general operations configuration
guide.
Extended ACL lists can contain both IPv4 and IPv6 addresses.
Step 8 The Intercept DHCP Configuration Message from Microsoft Clients area reveals additional parameters
specific to DHCP Intercept. DHCP Intercept lets Microsoft XP clients use split-tunneling with the ASA.
Intercept—Specifies whether to allow the DHCP Intercept to occur. If you do not select Inherit, the
default setting is No.
Subnet Mask—Selects the subnet mask to use.
Step 9 Click OK.
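The bullet list under "When you create access lists" and the policy options in Step 6 together define how an endpoint decides which destinations leave in the clear. The following Python encodes those rules as one decision function: the three policies, the nested include/exclude behaviour of ASA 9.1.4 and later, the local-subnet rule from the note, the rule that the subnet of the ASA-assigned address is always tunneled, and the 0.0.0.0/0 and 0.0.0.0/255.255.255.255 special cases. It is an added example written for this page, not AnyConnect or ASA code; the endpoint's local LAN is passed in as a parameter because only the client knows it, and every address used is constructed.

```python
"""How an AnyConnect endpoint decides whether a destination goes through the
tunnel or in the clear, following the split-tunneling rules on this page.
Added illustration, not AnyConnect or ASA code.  Policy names mirror the ASDM
choices; all addresses are constructed."""
import ipaddress as ip

TUNNEL_ALL = "Tunnel All Networks"
TUNNEL_LIST = "Tunnel Network List Below"
EXCLUDE_LIST = "Exclude Network List Below"

ANY_NETWORK = {ip.ip_network("0.0.0.0/0"), ip.ip_network("::/0")}
# 0.0.0.0/255.255.255.255 or ::/128 in an exclude list means "do not tunnel
# traffic destined for the endpoint's local subnets"
LOCAL_SUBNET_MARKERS = {ip.ip_network("0.0.0.0/32"), ip.ip_network("::/128")}


def _nets(entries):
    return [ip.ip_network(e, strict=False) for e in entries]


def _contains(nets, addr):
    return any(addr.version == n.version and addr in n for n in nets)


def effective_policy(policy, include=(), exclude=()):
    """Apply the page's validity rules before any routing decision is made.

    Returns (policy, include_nets, exclude_nets):
    - an include entry of 0.0.0.0/0 or ::/0 is invalid, so split tunneling is
      disabled and everything is tunneled;
    - under Tunnel Network List Below, an exclude entry that is not a subnet
      of some include entry is ignored (ASA 9.1.4+ nested-exclude behaviour);
    - under Exclude Network List Below only the exclude list matters.
    """
    inc, exc = _nets(include), _nets(exclude)
    if policy == TUNNEL_LIST:
        if any(n in ANY_NETWORK for n in inc):
            return TUNNEL_ALL, [], []
        exc = [e for e in exc
               if any(e.version == i.version and e.subnet_of(i) for i in inc)]
        return policy, inc, exc
    if policy == EXCLUDE_LIST:
        return policy, [], exc
    return TUNNEL_ALL, [], []


def route(dst, policy, include=(), exclude=(), assigned=None, local_lan=None):
    """Return 'tunnel' or 'clear' for destination address `dst`.

    `assigned` is the address and mask the ASA handed out ("10.1.1.1/8" for
    the page's 255.0.0.0 example); traffic to that subnet is always tunneled
    whatever the policy says.  `local_lan` is the endpoint's physical subnet.
    """
    d = ip.ip_address(dst)
    policy, inc, exc = effective_policy(policy, include, exclude)
    lan = ip.ip_network(local_lan, strict=False) if local_lan else None

    if assigned is not None and _contains([ip.ip_interface(assigned).network], d):
        return "tunnel"
    if policy == TUNNEL_ALL:
        return "tunnel"
    if policy == EXCLUDE_LIST:
        if _contains(exc, d):
            return "clear"
        if lan and d in lan and any(m in LOCAL_SUBNET_MARKERS for m in exc):
            return "clear"
        return "tunnel"
    # Tunnel Network List Below
    if _contains(exc, d):            # nested exclude inside an include range
        return "clear"
    if not _contains(inc, d):
        return "clear"
    if lan and d in lan and lan not in inc:
        # an include that is only a superset of the local subnet does not
        # capture local traffic; an exact-match include is needed for that
        return "clear"
    return "tunnel"


if __name__ == "__main__":
    inc = ["10.0.0.0/8", "192.168.0.0/16"]
    for dst in ("192.168.1.20", "192.168.2.20", "10.5.0.9", "8.8.8.8"):
        print(dst, route(dst, TUNNEL_LIST, inc, exclude=["10.5.0.0/16"],
                         local_lan="192.168.1.0/24"))
```

Run with a split-include of 192.168.0.0/16 on an endpoint whose home LAN is 192.168.1.0/24, the function returns "clear" for local addresses until an exact-match 192.168.1.0/24 include is added, which is the behaviour the note describes; the same run shows the nested 10.5.0.0/16 exclude taking effect inside the 10.0.0.0/8 include.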
Configure Linux to Support Excluded Subnets
When Tunnel Network List Below is configured for split tunneling, Linux requires extra configuration
to support excluded subnets. You must create a custom attribute named circumvent-host-filtering, set it to
true, and associate it with the group policy that is configured for split tunneling.
The following steps describe how to create the custom attribute.
Step 1 Connect to the ASDM, and select Configuration > Remote Access VPN > Network (Client) Access >
Advanced > AnyConnect Custom Attributes.
Step 2 Click Add, create a custom attribute named circumvent-host-filtering, and set the value to true.
Step 3 Edit the group policy you plan to use for the client firewall, and select Advanced > AnyConnect Client >
Custom Attributes.
Step 4 Add the custom attribute that you created, circumvent-host-filtering, to the group policy you will use
for split tunneling.
Configuring VPN Policy Attributes for a Local User
To configure VPN policy attributes for a user, perform the following steps:
Detailed Steps
Step 1 Start ASDM and choose Configuration > Remote Access VPN > AAA/Local Users > Local Users.
Step 2 Select the user you want to configure and click Edit.
The Edit User Account dialog box appears.
Step 3 In the left-hand pane, click VPN Policy.
Step 4 Specify a group policy for the user. The user policy will inherit the attributes of this group policy. If there
are other fields that are set to inherit the configuration from the Default Group Policy, the attributes
specified in this group policy will take precedence over those set in the Default Group Policy.
Step 5 Specify which tunneling protocols are available for the user, or whether the value is inherited from the
group policy. Check the desired Tunneling Protocols check boxes to choose the VPN tunneling
protocols that you want to make available for use. The choices are as follows:
Clientless SSL VPN (VPN via SSL/TLS) uses a web browser to establish a secure remote-access
tunnel to a VPN concentrator; this option requires neither a software nor hardware client. Clientless
SSL VPN can provide easy access to a broad range of enterprise resources, including corporate
websites, web-enabled applications, web-enabled NT/AD file shares, e-mail, and other TCP-based
applications from almost any computer that can reach secure Internet sites through HTTPS.
The SSL VPN Client lets you connect after downloading the Cisco AnyConnect Client application.
You use a clientless SSL VPN connection to download this application the first time. Client updates
then occur automatically as needed whenever you connect.
IPsec IKEv1—IP Security Protocol with IKE version 1 for key exchange. IPsec provides the most
complete architecture for VPN tunnels. Both site-to-site (peer-to-peer) connections and Cisco VPN
client-to-LAN connections can use IPsec IKEv1.
IPsec IKEv2—Supported by the AnyConnect Secure Mobility Client. AnyConnect connections
using IPsec with IKEv2 provide advanced features such as software updates, client profiles, GUI
localization (translation) and customization, Cisco Secure Desktop, and SCEP proxy.
L2TP over IPsec allows remote users running the VPN clients bundled with several common desktop and
mobile operating systems to establish secure connections over the public IP network to the ASA
and private corporate networks.
Note If no protocol is selected, an error message appears.
Step 6 Specify which filter (IPv4 or IPv6) to use, or whether to inherit the value from the group policy. Filters
consist of rules that determine whether to allow or reject tunneled data packets coming through the ASA,
based on criteria such as source address, destination address, and protocol. To configure filters and rules,
choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies >
Add/Edit > General > More Options > Filter.
Click Manage to display the ACL Manager pane, on which you can add, edit, and delete ACLs and
ACEs.
Step 7 Specify whether to inherit the Connection Profile (tunnel group) lock or to use the selected tunnel group
lock, if any. Selecting a specific lock restricts users to remote access through this group only. Tunnel
group lock checks whether the group configured in the VPN client is the same as the group assigned to
the user; if it is not, the ASA prevents the user from connecting. If the Inherit check box is
not checked, the default value is None.
Step 8 Specify whether to inherit the Store Password on Client System setting from the group. Uncheck the
Inherit check box to activate the Yes and No radio buttons. Click Yes to store the login password on the
client system (a less secure option, because anyone with access to the client can reuse the stored
credential). Click No (the default) to require the user to enter the password with each connection. For
maximum security, we recommend that you not allow password storage.
Step 9 Specify an Access Hours policy to apply to this user, create a new access hours policy for the user, or
leave the Inherit box checked. The default value is Inherit, or, if the Inherit check box is not checked,
the default value is Unrestricted.
Click Manage to open the Add Time Range dialog box, in which you can specify a new set of access
hours.
Step 10 Specify the number of simultaneous logins by the user. The simultaneous logins setting specifies the
maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum
value is 0, which disables login and prevents user access.
Note While there is no maximum limit, allowing several simultaneous connections could compromise
security and affect performance.
Step 11 Specify the maximum connection time for the user connection time in minutes. At the end of this time,
the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647
minutes (over 4000 years). To allow unlimited connection time, check the Unlimited check box (the
default).
Step 12 Specify the idle timeout for the user in minutes. If there is no communication activity on the connection
by this user in this period, the system terminates the connection. The minimum time is 1 minute, and the
maximum time is 10080 minutes. This value does not apply to users of clientless SSL VPN connections.
Step 13 Configure the session alert interval. If you uncheck the Inherit check box, the Default check box is
checked automatically and the session alert interval is set to 30 minutes. If you want to specify a new
value, uncheck the Default check box and specify a session alert interval from 1 to 30 minutes in the
minutes box.
Step 14 Configure the idle alert interval. If you uncheck the Inherit check box, the Default check box is checked
automatically. This sets the idle alert interval to 30 minutes. If you want to specify a new value, uncheck
the Default check box and specify an idle alert interval from 1 to 30 minutes in the minutes box.
Step 15 To set a dedicated IPv4 address for this user, enter an IPv4 address and subnet mask in the Dedicated
IPv4 Address (Optional) area.
Step 16 To set a dedicated IPv6 address for this user, enter an IPv6 address with an IPv6 prefix in the Dedicated
IPv6 Address (Optional) field. The IPv6 prefix indicates the subnet on which the IPv6 address resides.
Step 17 Click OK.
The changes are saved to the running configuration.
Configuring a Browser Proxy for an Internal Group Policy
Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add/Edit >
Advanced > Browser Proxy
This dialog box configures attributes for Microsoft Internet Explorer.
Fields
Proxy Server Policy—Configures the Microsoft Internet Explorer browser proxy actions
(“methods”) for a client PC.
Do not modify client proxy settings—Leaves the HTTP browser proxy server setting in Internet
Explorer unchanged for this client PC.
Do not use proxy—Disables the HTTP proxy setting in Internet Explorer for the client PC.
Select proxy server settings from the following—Enables the following check boxes for your
selections: Auto detect proxy, Use proxy server settings given below, and Use proxy auto
configuration (PAC) given below.
Auto detect proxy—Enables the use of automatic proxy server detection in Internet Explorer for
the client PC.
Use proxy server settings specified below—Sets the HTTP proxy server setting in Internet
Explorer to use the value configured in the Proxy Server Name or IP Address field.
Use proxy auto configuration (PAC) given below—Specifies the use of the file specified in the
Proxy Auto Configuration (PAC) field as the source for auto configuration attributes.
Proxy Server Settings—Configures the proxy server parameters for Microsoft clients using
Microsoft Internet Explorer.
Server Address and Port—Specifies the IP address or name and the port of the proxy server that
Microsoft Internet Explorer uses on this client PC.
Bypass Proxy Server for Local Addresses—Configures Microsoft Internet Explorer browser
proxy local-bypass settings for a client PC. Click Yes to enable local bypass or No to disable
local bypass.
Exception List—Lists the server names and IP addresses that you want to exclude from proxy
server access. Enter the list of addresses that you do not want to have accessed through a proxy
server. This list corresponds to the Exceptions list in the Proxy Settings dialog box in Internet
Explorer.
Proxy Auto Configuration Settings—The PAC URL specifies the URL of the auto-configuration file.
This file tells the browser where to look for proxy information. To use the proxy auto-configuration
(PAC) feature, the remote user must use the Cisco AnyConnect VPN client.
Many network environments define HTTP proxies that connect a web browser to a particular
network resource. The HTTP traffic can reach the network resource only if the proxy is specified in
the browser and the client routes the HTTP traffic to the proxy. SSLVPN tunnels complicate the
definition of HTTP proxies because the proxy required when tunneled to an enterprise network can
differ from that required when connected to the Internet via a broadband connection or when on a
third-party network.
In addition, companies with large networks might need to configure more than one proxy server and
let users choose between them, based on transient conditions. By using .pac files, an administrator
can author a single script file that determines which of numerous proxies to use for all client
computers throughout the enterprise.
The following are some examples of how you might use a PAC file:
Choosing a proxy at random from a list for load balancing.
Rotating proxies by time of day or day of the week to accommodate a server maintenance
schedule.
Specifying a backup proxy server to use in case the primary proxy fails.
Specifying the nearest proxy for roaming users, based on the local subnet.
You can use a text editor to create a proxy auto-configuration (.pac) file for your browser. A .pac file
is a JavaScript file that contains logic that specifies one or more proxy servers to be used, depending
on the contents of the URL. Use the PAC URL field to specify the URL from which to retrieve the
.pac file. Then the browser uses the .pac file to determine the proxy settings.
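The following .pac file is an added example, not part of the Cisco guide, covering the four scenarios listed above (hash-based load balancing across a pool, a time-of-day rotation to a maintenance proxy, a backup proxy as the last failover entry, and nearest-proxy selection from the client's local subnet). Every host name, proxy address and subnet in it is an assumption chosen for illustration. A browser calls FindProxyForURL(url, host) and provides the helper functions isInNet, isPlainHostName, dnsDomainIs and myIpAddress itself; the stand-ins at the bottom of the file are constructed here so the script also runs under Node for testing, and they are only installed when no helper of that name already exists.

```javascript
// Added example PAC file; host names, proxies and subnets are assumptions.
var PROXIES_HQ   = ["proxy1.corp.example:8080", "proxy2.corp.example:8080"]; // assumed
var PROXIES_EMEA = ["proxy-emea.corp.example:8080"];                          // assumed
var BACKUP       = "proxy-backup.corp.example:8080";                          // assumed

// `now` and `clientIp` are optional so the decision logic can be exercised
// with fixed inputs; the browser passes only (url, host) and the defaults apply.
function FindProxyForURL(url, host, now, clientIp) {
  now = now || new Date();
  clientIp = clientIp || myIpAddress();

  // 1. Plain host names and the enterprise domain are reached through the
  //    VPN tunnel (or the LAN) without a proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  // 2. RFC 1918 destinations bypass the proxy as well, mirroring the
  //    "Bypass Proxy Server for Local Addresses" setting.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // 3. Nearest proxy for roaming users: the client's own address selects the
  //    pool (assumed: 10.20.0.0/16 is the EMEA office, everything else is HQ).
  var pool = isInNet(clientIp, "10.20.0.0", "255.255.0.0") ? PROXIES_EMEA
                                                             : PROXIES_HQ;

  // 4. Rotation by time: during the assumed maintenance window (Sunday
  //    02:00-04:00 local time) the regular pool is drained to the backup.
  if (now.getDay() === 0 && now.getHours() >= 2 && now.getHours() < 4) {
    return "PROXY " + BACKUP;
  }

  // 5. Load balancing with failover: spread hosts over the pool with a
  //    per-host hash (stable, unlike Math.random, so a site keeps one proxy
  //    and sessions are not bounced), list the other pool members as
  //    fallbacks and the backup proxy last. Deliberately no trailing
  //    "DIRECT": if every proxy is down the request fails instead of
  //    silently leaving the enterprise proxy (and its filtering) behind.
  var start = hashHost(host) % pool.length;
  var choices = [];
  for (var i = 0; i < pool.length; i++) {
    choices.push("PROXY " + pool[(start + i) % pool.length]);
  }
  choices.push("PROXY " + BACKUP);
  return choices.join("; ");
}

// Deterministic 32-bit string hash (Java-style) used for proxy selection.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h = (h * 31 + host.charCodeAt(i)) >>> 0;
  }
  return h;
}

// ---- Constructed stand-ins for the browser's PAC helpers ----------------
// Unlike the browser version, this isInNet does not resolve names: a host
// that is not a dotted quad is simply reported as outside every network.
function ip2int(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
if (typeof isInNet !== "function") {
  var isInNet = function (hostOrIp, pattern, mask) {
    var h = ip2int(hostOrIp), p = ip2int(pattern), m = ip2int(mask);
    if (h === null || p === null || m === null) return false;
    return ((h & m) >>> 0) === ((p & m) >>> 0);
  };
}
if (typeof isPlainHostName !== "function") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs !== "function") {
  var dnsDomainIs = function (host, domain) {
    return host.length > domain.length && host.slice(-domain.length) === domain;
  };
}
if (typeof myIpAddress !== "function") {
  // Constructed: pretend this client sits in the assumed EMEA subnet.
  var myIpAddress = function () { return "10.20.5.17"; };
}
```

Serve the file from the URL you enter in the PAC URL field and keep it under the same change control as the group policy: the script runs inside every client's browser, so whoever can modify it can redirect all of the enterprise's web traffic. Because the browser caches proxy decisions per host and falls through the returned list only when a proxy is unreachable, the backup proxy should be sized to carry real load during the maintenance window.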
Configuring General AnyConnect Client Attributes for an Internal Group Policy
Clicking the AnyConnect Client icon in the group policy directory tree shows the list of configurable
attributes that follow. Configuring the ASA to distribute and manage AnyConnect client sessions is a
larger procedure than just setting these attribute fields in a group policy. See Configuring AnyConnect
VPN Client Connections, page 4-48, Configuring AnyConnect VPN Connections, page 4-57, and
Configuring AnyConnect Secure Mobility, page 4-69.
Fields
Keep Installer on Client System—Enable permanent client installation on the remote computer.
Enabling disables the automatic uninstalling feature of the client. The client remains installed on the
remote computer for subsequent connections, reducing the connection time for the remote user.
Note Keep Installer on Client System is not supported after version 2.5 of the AnyConnect client.
Datagram Transport Layer Security (DTLS)—Avoids latency and bandwidth problems associated
with some SSL connections and improves the performance of real-time applications that are
sensitive to packet delays.
Ignore Don’t Fragment (DF) Bit—This feature allows forced fragmentation of packets that have the
DF bit set, so that they can pass through the tunnel. An example use case is servers in your
network that do not respond correctly to TCP MSS negotiation.
Client Bypass Protocol—The Client Bypass Protocol feature allows you to configure how the ASA
manages IPv4 traffic when it is expecting only IPv6 traffic, or how it manages IPv6 traffic when it is
expecting only IPv4 traffic.
When the AnyConnect client makes a VPN connection to the ASA, the ASA can assign it an IPv4
address, an IPv6 address, or both. If the ASA assigns the AnyConnect connection only an IPv4
address or only an IPv6 address, you can configure the Client Bypass Protocol to drop network
traffic for which the ASA did not assign an IP address, or allow that traffic to bypass the ASA and
be sent from the client unencrypted, or “in the clear”, outside the tunnel.