Chapter 27
Remote Access VPN Policy Reference
The Remote Access VPN policy pages are used to configure remote access VPNs on Cisco IOS security
routers, PIX Firewalls, Catalyst 6500 /7600 devices, and Adaptive Security Appliance (ASA) devices.
This chapter contains the following topics:
• Remote Access VPN Configuration Wizard, page 27-1
• ASA Cluster Load Balance Page, page 27-17
• Connection Profiles Page, page 27-18
• Dynamic Access Page (ASA), page 27-33
• Global Settings Page, page 27-60
• Group Policies Page, page 27-66
• Public Key Infrastructure Page, page 27-66
• Certificate to Connection Profile Maps > Policies Page, page 27-67
• Certificate to Connection Profile Maps > Rules Page, page 27-68
• High Availability Page, page 27-71
• IKE Proposal Page, page 27-73
• IPsec Proposal Page, page 27-74
• User Group Policy Page, page 27-84
• SSL VPN Access Policy Page, page 27-85
• SSL VPN Other Settings Page, page 27-88
• SSL VPN Shared License (ASA 8.2) Page, page 27-103
• SSL VPN Policy Page (IOS), page 27-105
Remote Access VPN Configuration Wizard
Use the Remote Access VPN Configuration wizard to configure your device with policies that enable it
to act as a remote access SSL or IPSec VPN server.
Navigation Path
(Device view only) Select the desired device, and then select Remote Access VPN > Configuration
Wizard from the Policy selector.
User Guide for Cisco Security Manager 4.0.1
OL-23439-01
27-1
Related Topics
• Using the Remote Access VPN Configuration Wizard, page 26-9
Field Reference

Table 27-1 Remote Access VPN Configuration Wizard

Remote Access SSL VPN
  Click this radio button to choose SSL as the type of remote access VPN to create. The wizard takes you through appropriate steps depending on the type of device selected:
  • ASA device
    a. Access Page (ASA), page 27-2
    b. Connection Profile Page (ASA), page 27-3
  • IOS device
    a. Gateway and Context Page (IOS), page 27-10
    b. Portal Page Customization Page, page 27-11
Remote Access IPSec VPN
  Click this radio button to choose IPSec as the type of remote access VPN to create. The wizard takes you through appropriate steps depending on the type of device selected:
  • ASA device
    a. IPSec VPN Connection Profile Page (ASA), page 27-13
    b. IPSec Settings Page (ASA), page 27-14
    c. Defaults Page, page 27-16
  • IOS device
    a. User Group Policy Page, page 27-84
    b. Defaults Page, page 27-16
Remote Access Configuration Wizard button
  Click this button to start the configuration wizard.
Access Page (ASA)
Use the Access page of the SSL VPN Configuration Wizard to configure the security appliance
interfaces for SSL VPN sessions, select a port for SSL VPN connection profiles, and specify the URLs
that will be displayed on the Portal page to access the connection profiles.
Navigation Path
(Device View Only) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access SSL VPN on an ASA device. The Access page is the first page that appears.
Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-12
• Understanding Interface Role Objects, page 6-55
Field Reference

Table 27-2 SSL VPN Wizard—Access Page (ASA)

Interfaces to Enable SSL VPN Service
  Interfaces on which you want to enable the SSL VPN connection profiles. Enter an interface or click Select to select an interface role from a list.
Port Number
  Port number to use for the SSL VPN sessions. Enter a port number or click Select to select a port list object that defines the port.
  The default port is 443, for HTTPS traffic. The port number can be 443, or within the range of 1024-65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect.
  Note: If HTTP port redirection is enabled, the default HTTP port number is 80.
Portal Page URLs
  URLs that will be displayed on the Portal page to access the SSL VPN connection profile.
Allow Users to Select Connection Profile in Portal Page
  When selected, enables the user to select a tunnel group at login from a list of tunnel group connection profiles configured on the device. This is the default setting.
Enable AnyConnect Access
  When selected, enables the AnyConnect functionality on the ASA device.
  Note: To enable AnyConnect Essentials, go to Remote Access VPN > SSL VPN > Access. For details, see Configuring an Access Policy, page 26-45.
Connection Profile Page (ASA)
Use the Connection Profile page in the SSL VPN Configuration wizard to configure the tunnel group
policies on your security appliance. You can specify a name for the tunnel connection profile policy that
you are adding, select the user group policy, specify address pools for this policy, and specify
authentication server group settings.
Navigation Path
(Device view only) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access SSL VPN on an ASA device; then click Next until you reach this page.
Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-12
• ASA Group Policies Dialog Box, page 28-1
• Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
• Understanding Network/Host Objects, page 6-62
• Understanding AAA Server and Server Group Objects, page 6-20
Field Reference

Table 27-3 Connection Profile Page (ASA)

Connection Profile Name
  Name of the tunnel group that contains the policies for this SSL VPN connection profile. Enter a descriptive name.
Group Policy
  Default ASA user group associated with the device. Enter an ASA user group policy or click Select to select one from a list or to create a new one.
Full Tunnel
  Read-only field that indicates whether full tunnel access mode is configured for the user group.
Group Policies
  Names of the ASA user group policies that will be used in your SSL VPN connection profile and whether Full Tunnel access mode is enabled or disabled for them.
  Click Edit to select ASA user group policy objects from a list or to create new objects.
  Note: All SSL VPN connection profiles on an ASA device share one group policy. Each time you create a connection profile using the wizard, the Group Policies list may be populated with data from the previous connection profile defined on the device.
Portal Page Customization
  Customization profile that defines the appearance of portal pages and resources available to remote access users on the SSL VPN network. Enter the name of a profile or click Select to select one from a list or to create a new one.
  Note: You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create an SSL VPN tunnel group called sales that uses that customization profile.
Connection URL
  URL of the connection profile. This URL provides users with direct access to the customized portal page.
  Select a protocol (http or https) from the list and specify the URL, including the host name or IP address of the ASA device, the port number, and the alias used to identify the SSL VPN connection profile.
  Note: If you do not specify a URL, you can access the portal page by entering the portal page URL, and then selecting the connection profile alias from the list of connection profile aliases configured on the device. See Access Page (ASA), page 27-2.
Global IP Address Pool
  Address pools from which IP addresses will be assigned. Enter the name of an address pool or click Select to select a network/host object that defines the pool.
  The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.
Authentication Server Group
  Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name or click Select to select the server group object or to create a new object.
Use LOCAL if Server Group Fails
  Whether to fall back to the local database for authentication if the selected authentication server group fails.
Authorization Server Group
  Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter the name or click Select to select the server group object or to create a new object.
Accounting Server Group
  Name of the accounting server group. Enter the name or click Select to select the server group object or to create a new object.
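The Global IP Address Pool rule above (the first pool is consumed until it is exhausted, then the next one, up to 6 pools) determines when a new client can no longer get an address, so it is worth modelling before you size the pools. The following is an added example, not code from this guide or from Security Manager; it assumes that the network/host objects defining the pools are given as CIDR or dotted-mask literals and that a pool hands out its usable host addresses in ascending order.

```python
from ipaddress import ip_address, ip_network

MAX_POOLS = 6  # the wizard allows up to 6 pools per connection profile


class AddressPoolSet:
    """Ordered client address pools, consumed the way the page describes:
    the first pool is used until it is exhausted, then the next, and so on.

    Pools are given as network literals (assumption: the network/host
    objects of the page are modelled here as CIDR or dotted-mask strings).
    """

    def __init__(self, pools):
        if len(pools) > MAX_POOLS:
            raise ValueError(f"at most {MAX_POOLS} pools may be listed")
        # hosts() excludes the network and broadcast addresses of each pool
        self._pools = [list(ip_network(p, strict=False).hosts()) for p in pools]
        self._assigned = set()

    def capacity(self):
        """Total number of client addresses across all pools."""
        return sum(len(p) for p in self._pools)

    def free(self):
        """Addresses still available to new clients."""
        return self.capacity() - len(self._assigned)

    def assign(self):
        """Hand out the next free address, walking the pools in listed order.

        Returns None when every pool is exhausted, which is the point at
        which an additional client login would fail to get an address.
        """
        for pool in self._pools:
            for addr in pool:
                if addr not in self._assigned:
                    self._assigned.add(addr)
                    return str(addr)
        return None

    def release(self, addr):
        """Return an address to its pool when the client disconnects."""
        self._assigned.discard(ip_address(addr))


def simulate(pools, clients):
    """Assign addresses to `clients` logins in sequence and return the
    results (address string or None) in login order."""
    pool_set = AddressPoolSet(pools)
    return [pool_set.assign() for _ in range(clients)]


if __name__ == "__main__":
    # Constructed sample: two tiny /30 pools so exhaustion is visible.
    print(simulate(["10.10.1.0/30", "10.10.2.0/255.255.255.252"], 5))
```

Running the sample shows the second pool being used only after the first has handed out both of its host addresses, and the fifth login receiving no address at all; comparing `capacity()` with the expected number of concurrent clients is the check to do before deploying the profile.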
User Groups Selector Page
Use this page to select the user group(s) that will be used in your SSL VPN connection.
Navigation Path
Depends on the type of device selected:
• (IOS device) From the Gateway and Context Page (IOS), page 27-10, click Edit in the Group Policies field.
• (ASA device) From the Connection Profile Page (ASA), page 27-3, click Edit in the Group Policies field.
Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-10
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 26-12
Field Reference

Table 27-4 User Groups Selector Page

Available User Groups
  Lists predefined user groups available for selection. Select the required user groups and click >>.
  If the required user group is not listed, click Create to create a user group. See Create User Group Wizard, page 27-6.
  To modify the properties of a user group, select it and click Edit.
Selected User Groups
  Lists the selected user groups.
  To remove user groups from this list, select them and click <<.
  To modify the properties of a user group, select it and click Edit.
  Note: To specify a user group as the default user group, select it and click Set As Default. This option is only available for IOS routers.
Create User Group Wizard
Use the Create User Group wizard to create a user group that will be configured on an IOS router or ASA
device in your SSL VPN connection.
Navigation Path
From the User Groups Selector Page, page 27-5, click Create or select an item from one of the lists and
click Edit.
This section contains the following topics:
• Name and Access Method Page, page 27-6
• Full Tunnel Dialog Box, page 27-7
• Clientless and Thin Client Access Modes Page, page 27-8
Name and Access Method Page
Use this step of the Create User Group wizard to define a name for your user group, and optionally, select
the remote access method(s) that will be used to access the SSL-enabled gateway (IOS router) or ASA
security appliance.
Navigation Path
In the User Groups Selector Page, page 27-5, click Create.
Related Topics
• Create User Group Wizard, page 27-6
• SSL VPN Access Modes, page 26-4
• Full Tunnel Dialog Box, page 27-7
• Clientless and Thin Client Access Modes Page, page 27-8
Field Reference

Table 27-5 Create User Group Wizard—Name and Access Method Page

Name
  Name of the user group. Enter up to 128 characters, including uppercase and lowercase characters and most alphanumeric or symbol characters.
Access Method
  Select the required remote access mode option(s), as follows:
  • Full Tunnel—To access the corporate network completely over an SSL VPN tunnel. This is the recommended option.
  • Clientless—To access the internal or corporate network using a web browser on the client machine.
  • Thin Client—To download a Java applet that acts as a TCP proxy on the client machine.
Full Tunnel Dialog Box
Note
This dialog box is only available if you selected the Full Client option in the Name and Access Method
Page, page 27-6 of the Create User Group wizard.
In this dialog box, you can configure the mode used to access the corporate network.
Navigation Path
Open the Create User Group Wizard, page 27-6, select the Full Client access method option, and then
click Next.
Related Topics
• Create User Group Wizard, page 27-6
• SSL VPN Access Modes, page 26-4
Field Reference

Table 27-6 Create User Group Wizard—Full Tunnel Dialog Box

Use Other Access Modes if SSL VPN Client Download Fails
  When selected, enables the remote client to use clientless or thin client access modes if the SVC download fails.
Full Tunnel
  When selected, enables the Full Tunnel access mode to be configured.
  Note: For the Full Tunnel access mode to work properly, the SSL VPN Client (SVC) software must be installed on the device. The SVC is managed using a FlexConfig policy. For more information, see Predefined FlexConfig Policy Objects, page 7-17.
Client IP Address Pools
  Note: Available only if the selected device is an IOS router.
  IP address pools that clients draw from when they log on. Enter the IP address pools or click Select to select the network/host object from a list or to create a new object.
Primary DNS Server
  IP address of the primary DNS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.
Secondary DNS Server
  IP address of a secondary DNS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.
Default DNS Domain
  Domain name of the DNS server to be used for Full Client SSL VPN connections.
Primary WINS Server
  IP address of the primary WINS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.
Secondary WINS Server
  IP address of a secondary WINS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to select a network/host object from a list or to create a new object.
Split Tunnel Option
  Specifies the traffic that will be transmitted secured or unsecured across the public network:
  • Disabled—Split tunneling is disabled and no traffic will be secured.
  • Exclude Specified Networks—Split tunneling is enabled, and traffic to or from networks specified in the Networks field is transmitted unsecured.
  • Tunnel Specified Networks—Split tunneling is enabled, and traffic to or from networks specified in the Networks field is transmitted secured.
Destinations
  Available if the selected device is an IOS router and split tunneling is enabled.
  The specified networks to which traffic is transmitted secured or unencrypted, depending on the selected Split Tunneling option. Multiple entries are separated by commas. You can enter host IP addresses, network addresses (for example, 10.100.10.0/24 or 10.100.10.0/255.255.255.0), or the names of network/host objects. You can click Select to select network/host objects or to create new objects.
Networks
  Note: Available if the selected device is an ASA security appliance and split tunneling is enabled.
  Name of the ACL object that defines network access.
Exclude Local LANs
  Note: Available if the selected device is an IOS router and split tunneling is enabled.
  When selected, disallows a non split-tunneling connection to access the local subnetwork at the same time as the client.
Split DNS Names
  List of domain names that must be tunneled or resolved to the private network. All other names will be resolved using the public DNS server.
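The two enabled Split Tunnel Option values, the three Destinations formats (host address, CIDR prefix, dotted mask) and the Split DNS Names rule above can be checked offline before a user group is pushed, which makes it easy to see which internal prefixes a Tunnel Specified Networks list would leave outside the tunnel, or which prefixes an Exclude Specified Networks list sends out unsecured. The following is an added example, not code from this guide or from Security Manager; it assumes the Destinations field holds only address literals (names of network/host objects are not resolved), treats the Disabled option as making no per-destination decision because no list applies in that case, and matches Split DNS Names as domain suffixes.

```python
from ipaddress import ip_address, ip_network

# Option names as they appear in the Split Tunnel Option field.
DISABLED = "Disabled"
EXCLUDE_SPECIFIED = "Exclude Specified Networks"
TUNNEL_SPECIFIED = "Tunnel Specified Networks"


def parse_destinations(field):
    """Parse the comma-separated Destinations field into network objects.

    Accepts host IP addresses, CIDR prefixes (10.100.10.0/24) and
    dotted-mask form (10.100.10.0/255.255.255.0). Names of network/host
    objects are not resolved here (assumption: literals only).
    """
    networks = []
    for item in field.split(","):
        item = item.strip()
        if item:
            networks.append(ip_network(item, strict=False))
    return networks


def is_tunneled(option, destinations, dst_ip):
    """Decide whether traffic to dst_ip goes through the SSL VPN tunnel.

    Returns True (secured), False (sent unsecured), or None when split
    tunneling is Disabled and the Destinations list therefore plays no part.
    """
    if option == DISABLED:
        return None
    dst = ip_address(dst_ip)
    listed = any(dst in net for net in destinations)
    if option == TUNNEL_SPECIFIED:
        return listed            # only the listed networks are secured
    if option == EXCLUDE_SPECIFIED:
        return not listed        # the listed networks bypass the tunnel
    raise ValueError(f"unknown split tunnel option: {option!r}")


def resolver_for(name, split_dns_names):
    """Split DNS: a name equal to or under a listed domain resolves via the
    private (tunneled) DNS server; everything else uses the public server.
    Suffix matching is an assumption of this example."""
    host = name.rstrip(".").lower()
    for domain in split_dns_names:
        d = domain.strip().rstrip(".").lower()
        if host == d or host.endswith("." + d):
            return "private"
    return "public"


def audit(option, destinations_field, split_dns_names, flows):
    """Classify (dst_ip, hostname) flows under a given user group setting;
    returns (ip, tunneled, resolver) tuples for review."""
    nets = parse_destinations(destinations_field)
    return [(ip, is_tunneled(option, nets, ip), resolver_for(host, split_dns_names))
            for ip, host in flows]


if __name__ == "__main__":
    # Constructed sample flows: one internal host, one public web site.
    flows = [("10.100.10.25", "intranet.corp.example"),
             ("203.0.113.9", "www.example.net")]
    for row in audit(TUNNEL_SPECIFIED, "10.100.10.0/24, 10.100.20.0/255.255.255.0",
                     ["corp.example"], flows):
        print(row)
```

Feeding the audit a list of the internal prefixes that users are expected to reach is the practical check: any internal destination that comes back as not tunneled under Tunnel Specified Networks, or as tunneled when it was meant to be excluded, points to a gap in the Destinations list rather than in the network.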
Clientless and Thin Client Access Modes Page
In the Clientless and Thin Client page of the Create User group wizard, you can configure the Clientless
and Thin Client modes to be used for accessing the corporate network in your SSL VPN.
Note
This page is only available if you selected the Clientless or Thin Client options in step 1 of the Create
User Group wizard (Name and Access Method Page, page 27-6).
Navigation Path
Open the Create User Group Wizard, page 27-6, select the Clientless or Thin Client access method
options, and then click Next.
Related Topics
• Create User Group Wizard, page 27-6
• SSL VPN Access Modes, page 26-4
• Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 26-68
• Add or Edit Port Forwarding List Dialog Boxes, page 28-42
Field Reference

Table 27-7 Create User Group Wizard—Clientless and Thin Client Page

Clientless—Appears only if you selected Clientless in step 1 of the wizard.

Portal Page Websites
  List of websites that are displayed on the portal page as bookmarks to enable users to access the resources available on the SSL VPN websites.
  You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects.
Allow Users to Enter Websites
  When selected, enables remote users to input the website URLs directly.

Thin Client—Appears only if you selected Thin Client in step 1 of the wizard.

Port Forwarding List
  Port Forwarding List that defines the mapping of the port number on the client machine to the application’s IP address and port behind the SSL VPN gateway.
  You can click Select to open the Port Forwarding List Selector from which you can select the required Port Forwarding List from a list of Port Forwarding List objects.
Port Forwarding Applet Name
  Available only if the selected device is an ASA security appliance.
  Java applet that will be used as a TCP proxy on the client machine. The Java applet starts a new SSL connection for every client connection.
  The Java applet initiates an HTTP request from the remote user client to the ASA device. The name and port number of the internal email server are included in the HTTP request. A TCP connection is created to that internal email server and port.
Download Port Forwarding Applet on Client Login
  When selected, enables a port-forwarding Java applet to be automatically downloaded when the remote client logs in.
Gateway and Context Page (IOS)
A gateway and context must be configured on a device before a remote user can access resources on a
private network behind the SSL VPN. Use this step of the SSL VPN Configuration wizard to specify a
gateway and context configuration, including information that will allow users to access a portal page.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access SSL VPN on an IOS device. The Gateway and Context page is the first page that appears.
Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-10
• Add or Edit SSL VPN Gateway Dialog Box, page 28-63
• Understanding AAA Server and Server Group Objects, page 6-20
Field Reference

Table 27-8 Gateway and Context Page

Gateway
  Gateway to be used as a proxy for connections to the protected resources in your SSL VPN. Options are:
  • Use Existing Gateway—When selected, enables you to use an existing gateway for your SSL VPN.
  • Create Using IP Address—When selected, enables you to configure a new gateway using a reachable (public static) IP address on the router.
  • Create Using Interface—When selected, enables you to configure a new gateway using the public static IP address of the router interface.
Gateway Name
  Name of the SSL VPN gateway policy object. Enter the name of the gateway object or click Select to select it from a list or to create a new object.
  Note: After selecting the gateway, the port number and digital certificate required to establish a secure connection are displayed in the relevant fields.
Port
  Note: Available only if you selected to create a gateway using the router’s IP address or interface.
  Number of the port that will carry the HTTPS traffic (between 1024 and 65535). The default is 443, unless HTTP port redirection is enabled, in which case the default HTTP port number is 80.
  Specify the port number or click Select to select a port list object from a list or to create a new object.
Trustpoint
  Note: Available only if you selected to create a new gateway using the router’s IP address or interface.
  Digital certificate required to establish a secure connection. If you need to configure a specific CA certificate, a self-signed certificate is generated when an SSL VPN gateway is activated. All gateways on the router can use the same certificate.
Context Name
  Name of the context that identifies the resources needed to support the SSL VPN tunnel between the remote clients and the corporate or private intranet.
  Tip: To simplify management of multiple context configurations, it is recommended that you use the domain or virtual hostname for the context name.
Portal Page URL
  URL that is displayed on the Portal page to access the SSL VPN gateway.
Group Policies
  Names of the group policies used in your SSL VPN connection, and whether Full Tunnel access mode is enabled or disabled for them.
  Enter a group policy name or click Edit to open the User Groups Selector Page, page 27-5.
Authentication Server Group
  Name of the authentication server group (LOCAL if the users are defined on the local device).
  Enter an authentication server group name or click Select to select a server group object from a list or to create a new object.
Authentication Domain
  Specifies a list or method for SSL VPN remote user authentication.
  Note: If you do not specify a list or method, the SSL VPN gateway uses global AAA parameters for remote-user authentication.
Accounting Server Group
  Name of the accounting server group.
  Enter an accounting server group name or click Select to select a server group object from a list or to create a new object.
Portal Page Customization Page
Use this step of the SSL VPN Configuration wizard to define the appearance of the portal page that
remote users see when connecting to the SSL VPN. The portal page allows remote users access to all
websites available on the SSL VPN networks.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access SSL VPN on an IOS device; then click Next until you reach this page.
Related Topics
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-10
Field Reference

Table 27-9 Portal Page Customization Page

Title
  Title that is displayed in the title bar of the portal page. The default title is “SSL VPN Service.”
Logo
  Logo to be displayed on the title bar of the SSL VPN login and portal page. Options are:
  • None—No logo is displayed.
  • Default—To use the default logo.
  • Custom—When selected, enables you to specify your own logo. Specify the source image file for the logo in the Logo File field, or click Select to select an image file.
  The source image file for the logo can be a gif, jpg, or png file, with a filename of up to 255 characters, and up to 100 kilobytes in size.
Login Message
  Message that will be displayed to the user upon login.
Primary Title Color
  Color of the title bars on the login and portal pages of the SSL VPN. Click Select to open a dialog box in which you can choose the required color for the title bars.
Secondary Title Color
  Color of the secondary title bars on the login and portal pages of the SSL VPN. Click Select to open a dialog box in which you can choose the required color for the secondary title bars.
Primary Text Color
  Color of the text on the title bars of the login and portal pages. Options are white or black (the default).
  Note: The color of the text must be aligned with the color of the text on the title bar.
Secondary Text Color
  Color of the text on the secondary title bars of the login and portal pages. Options are white or black (the default).
  Note: The color of the text must be aligned with the color of the text on the secondary title bar.
Preview
  A preview of how the portal page will appear.
IPSec VPN Connection Profile Page (ASA)
Use the Connection Profile page to configure the connection profile policies on your security appliance.
You can specify a name for the connection profile policy that you are adding, select the user group policy,
specify address pools for this policy, and specify authentication, authorization, and accounting server
group settings.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access IPsec VPN on an ASA device. The IPSec Connection Profile page is the first page that appears.
Related Topics
• Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 26-14
Field Reference

Table 27-10 IPSec Connection Profile Page (ASA)

Connection Profile Name
  Name of the connection profile that contains the policies for this IPSec VPN connection profile.
Group Policy
  Default group policy associated with the device. Enter a name or click Select to select the object from a list or to create a new object.
Global IP Address Pool
  Address pools from which IP addresses are assigned. The server uses these address pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools.
  Enter the name of a network/host object or click Select to select the object from a list or to create a new object.
Authentication Server Group
  Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter a name or click Select to select the server group from a list or to create a new object.
Use LOCAL if Server Group Fails
  Whether to fall back to the local database for authentication if the selected authentication server group fails.
Authorization Server Group
  Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter a name or click Select to select the server group from a list or to create a new object.
Accounting Server Group
  Name of the accounting server group. Enter a name or click Select to select the server group from a list or to create a new object.
IPSec Settings Page (ASA)
Use the IPSec Settings page of the IPSec VPN Configuration Wizard to configure IPSec settings on your
security appliance.
Navigation Path
(Device View) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access IPsec VPN on an ASA device; then click Next until you reach this page.
Related Topics
• Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 26-14
Field Reference

Table 27-11 IPSec VPN Wizard—IPSec Settings (ASA)

Preshared Key
  The value of the preshared key for the tunnel group. The maximum length of a preshared key is 127 characters.
  Note: You must retype this value in the Confirm field.
Trustpoint Name
  The trustpoint name if any trustpoints are configured. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate.
IKE Peer ID Validation
  Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another.
Enable Sending Certificate Chain
  When selected, enables the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair.
Enable Password Update with RADIUS Authentication
  When selected, enables passwords to be updated with the RADIUS authentication protocol.
  For more information, see Supported AAA Server Types, page 6-21.

ISAKMP Keepalive

Monitor Keepalive
  When selected, enables you to configure IKE keepalive as the default failover and routing mechanism.
  For more information, see Understanding ISAKMP/IPsec Settings, page 22-13.
Confidence Interval
  The number of seconds that a device waits between sending IKE keepalive packets.
Retry Interval
  The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds.

Client Software Update

All Windows Platforms
  When selected, enables you to configure the specific revision level and image URL of the VPN client on all Windows platforms.
Windows 95/98/ME
  When selected, enables you to configure the specific revision level and image URL of the VPN client on Windows 95/98/ME platforms.
Windows NT4.0/2000/XP
  When selected, enables you to configure the specific revision level and image URL of the VPN client on NT4.0/2000/XP platforms.
VPN3002 Hardware Client
  When selected, enables you to configure the specific revision level and image URL of the VPN3002 hardware client.
User Group Policy Page (IOS)
Use the User Group Policy page to specify user groups for your remote access IPSec VPN server. You can configure user groups on a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500/7600 device.
Navigation Path
(Device View) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote access IPSec VPN on an IOS device; then click Next until you reach this page.
Related Topics
• Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 26-11
Field Reference

Table 27-12 User Group Policy Page

Available User Groups
  Lists the predefined user groups available for selection. Select the required user groups and click >>.
  In Security Manager, user groups are objects. If the required user group is not in the list, click Create to open the User Groups Editor dialog box, which enables you to create or edit a user group object. See Add or Edit User Group Dialog Box, page 28-68.
Selected User Groups
  Displays the selected user groups.
  To remove a user group from this list, select it and click <<.
  To modify the properties of a user group, select it and click Edit.
Defaults Page
Use the VPN Defaults page of the Remote Access IPSec Configuration Wizard to view and select the
default remote access VPN policies that will be assigned to the device you are configuring. For each
policy type, you can assign either the factory default policy (a private policy) or a shared policy. When
you click Finish, the selected policies are assigned to your device.
The drop-down list for each policy type shows the existing shared policies that you can select. You can
select a policy and click the View Content button to see the definition of that policy. In some cases, you
are allowed to make changes, but you cannot save them. The policy types listed differ based on device type.
Note
If you try to select a default policy that is currently locked by another user, a message is displayed
warning you of a lock problem. To bypass the lock, select a different policy, or cancel the wizard and
run it again after the lock is removed. For more information, see Understanding Policy Locking, page 5-7.
Navigation Path
(Device View) Open the Remote Access VPN Configuration Wizard, page 27-1, for configuring a remote
access IPSec VPN and click Next until you reach this page.
Related Topics
•
Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices),
page 26-14
•
Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices),
page 26-11
Field Reference
Table 27-13
Defaults Page
Element
Description
ASA Cluster Load Balance
Defines load balancing for an ASA device in your remote access VPN.
High Availability
Defines a High Availability (HA) policy on a Cisco IOS router in a
remote access VPN.
Certificate to Connection
Profile Map Policy
Defines the rules that map fields of a client's certificate to the
connection profile used for that client's session in your remote access VPN.
IKE Proposal
Defines the set of algorithms that two peers use to secure the IKE
negotiation between them.
IPSec Proposal
Defines the crypto maps required to set up IPsec security associations
(SAs), including IPsec rules, transform sets, remote peers, and other
parameters that might be necessary to define an IPsec SA.
Public Key Infrastructure
Defines the Public Key Infrastructure (PKI) policy used to generate PKI
enrollment requests for PKI certificates and RSA keys.
VPN Global Settings
Defines global settings for IKE, IPsec, NAT, and fragmentation that
apply to devices in your remote access VPN.
ASA Cluster Load Balance Page
Use the ASA Cluster Load Balance page to enable load balancing for an ASA device in your remote
access VPN.
Note
Load balancing requires an active 3DES/AES license. The ASA device checks for the existence of this
crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the
device prevents load balancing, and also prevents internal configuration of 3DES by the load balancing
system.
Navigation Path
•
(Device View) Select an ASA device; then select Remote Access VPN > ASA Cluster Load
Balance from the Policy selector.
•
(Policy View) Select Remote Access VPN > ASA Cluster Load Balance from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
•
Understanding Cluster Load Balancing (ASA), page 26-16
•
Configuring Cluster Load Balance Policies (ASA), page 26-17
•
Creating Interface Role Objects, page 6-56
Field Reference
Table 27-14
ASA Cluster Load Balance Page
Element
Description
VPN Load Balancing
Participate in Load
Balancing Cluster
Select to specify that the device belongs to the load-balancing cluster.
VPN Cluster Configuration
Cluster IP Address
The single IP address that represents the entire virtual cluster. The IP
address should be in the same subnet as the external interface.
UDP Port
The UDP port for the virtual cluster in which the device is participating.
If another application is using this port, enter the UDP destination port
number that you want to use for load balancing.
The default is 9023.
Enable IPsec Encryption
Select this check box to ensure that all load-balancing information
communicated between the devices is encrypted.
When the check box is selected, you must also specify and verify a
shared secret. The security appliances in the virtual cluster
communicate via LAN-to-LAN tunnels using IPsec.
IPsec Shared Secret
The shared secret to be communicated between IPsec peers if you
enabled IPsec encryption. This can be a case-sensitive value between 4
and 16 characters, without spaces.
Priority
Accept default device value
When selected (the default), accepts the default priority value assigned
to the device.
Configure same priority on
all devices in the cluster
When selected, enables you to configure the same priority value on all
the devices in the cluster. The priority indicates the likelihood of this
device becoming the virtual cluster master, either at startup or when the
existing master fails; the device with the highest priority is preferred.
Enter a value between 1 and 10.
VPN Server Configuration
Public interfaces
The public interfaces to be used on the server.
Interfaces are predefined objects. You can click Select to open a dialog
box that lists all available interfaces, and sets of interfaces defined by
interface roles, in which you can make your selection, or create
interface role objects.
Private Interfaces
The private interfaces to be used on the server.
Interfaces are predefined objects. You can click Select to open a dialog
box that lists all available interfaces, and sets of interfaces defined by
interface roles, in which you can make your selection, or create
interface role objects.
Send FQDN to client
instead of an IP address
when redirecting
When selected, enables redirection using a FQDN on an ASA device
configured with load balancing. For more information, see
Understanding Cluster Load Balancing (ASA), page 26-16.
This check box is available only for ASA devices running 8.0.2 or later.
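The following shows the ASA CLI that corresponds to the fields in Table 27-14, so that you can compare what Security Manager deploys with the running configuration on the device. It is an added example and is not part of this guide or of Security Manager's generated output; the interface names, addresses, shared secret, priority, and DNS server are assumptions. The syntax is that of ASA 8.2; ASA 8.4 and later spell the ISAKMP line as crypto ikev1 enable.

```text
! Prerequisite for Enable IPsec Encryption: cluster members build
! LAN-to-LAN tunnels to each other over the private interface, so
! ISAKMP must be enabled on that interface.
crypto isakmp enable inside

! Prerequisite for Send FQDN to client: the master reverse-resolves the
! public address of the member it redirects to, so DNS lookup must work
! and each member's public address needs a PTR record.
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.1.53

vpn load-balancing
! Public interfaces / Private interfaces
 interface lbpublic outside
 interface lbprivate inside
! Cluster IP Address: must be in the subnet of the public interface
 cluster ip address 198.51.100.10
! UDP Port (9023 is the default)
 cluster port 9023
! Enable IPsec Encryption and IPsec Shared Secret (4 to 16 characters,
! no spaces); every member must carry the same key
 cluster encryption
 cluster key vpnlb-s3cret
! Configure same priority on all devices in the cluster (1 to 10)
 priority 7
! Send FQDN to client instead of an IP address when redirecting
 redirect-fqdn enable
! Participate in Load Balancing Cluster; enter this last, because the
! device starts announcing itself as soon as the command is accepted
 participate
```

After deployment, show vpn load-balancing on any member lists the cluster address, the current master, and each member's load, and show running-config vpn load-balancing shows the lines above. If a member does not join, the first things to compare are the cluster key and the cluster port, which must match on every member, and whether ISAKMP is enabled on the private interface when cluster encryption is on.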
Connection Profiles Page
Use the Connection Profiles page to manage connection profile policies for remote access VPN or Easy
VPN topologies. Use of this policy differs depending on the type of VPN you are configuring:
•
Remote access SSL VPN—The policy is used only for ASA devices. You can create multiple
profiles, and configure settings on all tabs of the Connection Profiles dialog box.
•
Remote access IPSec VPN—The policy is used for ASA devices and PIX Firewalls running PIX 7.0+
software. You can create multiple profiles, but only the General, AAA, and IPSec tabs on the
Connection Profiles dialog box apply to this configuration (in some cases, you will see only
these tabs).
•
Easy VPN topologies—The policy is used for Easy VPN servers (hubs) that are ASA devices or PIX
Firewalls running PIX 7.0+ software. You can create a single profile, so the policy page embeds the
Connection Profiles dialog box, giving you direct access to the tabs that define the profile. Only the
General, AAA, and IPSec tabs apply.
For remote access IPSec and SSL VPNs:
•
To add a profile, click the Add Row button and fill in the Connection Profiles dialog box.
•
To edit an existing profile, select it and click the Edit Row button.
•
To delete a profile, select it and click the Delete Row button.
The connection profile consists of the following tabs. Configure them as appropriate for the type of VPN
you are configuring.
•
General Tab (Connection Profiles), page 27-19
•
AAA Tab (Connection Profiles), page 27-21
•
Secondary AAA Tab (Connection Profiles), page 27-25 (SSL VPN only)
•
IPSec Tab (Connection Profiles), page 27-27
•
SSL Tab (Connection Profiles), page 27-29 (SSL VPN only)
Navigation Path
Remote access VPNs:
•
(Device View) Select an ASA or PIX 7+ device and select Remote Access VPN > Connection
Profiles from the Policy selector.
•
(Policy View) Select Remote Access VPN > Connection Profiles (ASA) from the Policy Type
selector. Select an existing policy or create a new one.
Easy VPN:
•
From the Site-to-Site VPN Manager Window, page 21-17, select the Easy VPN topology and then
select Connection Profiles (PIX7.0/ASA).
•
(Device view) Select a device that participates in the Easy VPN topology and select Site to Site VPN
from the Policy selector. Select the Easy VPN topology and click Edit VPN Policies to open the
Site-to-Site VPN Manager Window, page 21-17, where you can select the policy.
•
(Policy view) Select Site-to-Site VPN > Connection Profiles (PIX7.0/ASA). Select an existing
policy or create a new one.
This section contains the following topics:
•
General Tab (Connection Profiles), page 27-19
•
AAA Tab (Connection Profiles), page 27-21
•
Secondary AAA Tab (Connection Profiles), page 27-25
•
IPSec Tab (Connection Profiles), page 27-27
•
SSL Tab (Connection Profiles), page 27-29
General Tab (Connection Profiles)
Use the General tab of the Connection Profiles dialog box to configure the basic properties for a VPN
Connection Profile policy.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button. For Easy VPN topologies, simply select the policy. Click the General tab if necessary.
Related Topics
•
Configuring Connection Profiles (ASA), page 26-18
•
ASA Group Policies Dialog Box, page 28-1
•
Understanding Network/Host Objects, page 6-62
•
Configuring a Connection Profile Policy for Easy VPN, page 24-11
•
Understanding Easy VPN, page 24-1
Field Reference
Table 27-15
Connection Profile General Tab
Element
Description
Connection Profile Name
The name of the tunnel group that contains the policies for this
connection profile.
Group Policy
If required, the name of the ASA group policy object that defines the
default user group associated with the connection profile. A group
policy is a collection of user-oriented attribute/value pairs stored either
internally on the device or externally on a RADIUS/LDAP server.
Click Select to select an existing object or to create a new one.
Client Address Assignment
DHCP Servers
The DHCP servers to be used for client address assignments. The
servers are used in the order listed.
Enter the IP addresses of the DHCP servers or the names of
network/host policy objects that define the DHCP server addresses.
Click Select to select existing network/host objects or to create new
ones. Separate multiple entries with commas.
Global IP Address Pool
The address pools from which IP addresses will be assigned to clients
if no pool is specified for the interface to which the client connects.
Address pools are typically entered as a range of addresses, such as
10.100.12.2-10.100.12.254. The server uses these pools in the order
listed. If all addresses in the first pool have been assigned, it uses the
next pool, and so on. You can specify up to 6 pools.
Enter the address pool ranges or the names of network/host objects that
define these pools. Click Select to select existing network/host objects
or to create new ones. Separate multiple entries with commas.
Interface-Specific Address
Pools table
If you want to configure separate IP address pools for specific
interfaces, so that clients connecting through that interface use a pool
different from the global pool, add the interface to this table and
configure the separate pool. Any interface not listed here uses the
global pool.
•
To add an interface-specific address pool, click the Add Row
button and fill in the Add/Edit Interface Specific Client Address
Pools Dialog Box, page 27-21
•
To edit an interface pool, select it and click the Edit Row button.
•
To delete an interface, select it and click the Delete Row button.
Add/Edit Interface Specific Client Address Pools Dialog Box
Use the Add/Edit Interface Specific Client Address Pools dialog box to configure interface-specific
client address pools for your connection profile policy.
Navigation Path
Open the General Tab (Connection Profiles), page 27-19, then click Add Row below the
Interface-Specific Address Pools table, or select a row in the table and click Edit Row.
Related Topics
•
Creating Interface Role Objects, page 6-56
•
Creating Network/Host Objects, page 6-64
Field Reference
Table 27-16
Add/Edit Interface Specific Client Address Pools Dialog Box
Element
Description
Interface
The interface for which this pool applies. Clients that connect through
this interface are assigned addresses from the pool you select below.
You can click Select to open a dialog box that lists all available interfaces
and interface roles, from which you can make your selection or create
interface role objects.
Address Pool
The address pool to be used to assign a client address to the selected interface.
Address pools are predefined network objects. You can click Select to open
a dialog box that lists all available network hosts, and in which you can
create or edit network host objects.
AAA Tab (Connection Profiles)
Use the AAA tab of the Connection Profile dialog box to configure the AAA authentication parameters
for a connection profile policy.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button; then select the AAA tab. For Easy VPN topologies, simply click the AAA tab.
Related Topics
•
Configuring Connection Profiles (ASA), page 26-18
•
Understanding AAA Server and Server Group Objects, page 6-20
•
Configuring a Connection Profile Policy for Easy VPN, page 24-11
•
Understanding Easy VPN, page 24-1
Field Reference
Table 27-17
Connection Profile AAA Tab
Element
Description
Authentication Method
Whether to authenticate connections using AAA, certificates, or both.
If you select Certificate, many of the options on the dialog box are
greyed out and do not apply.
Authentication Server Group
The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
If you want to use different authentication server groups based on the
interface to which the client connects, configure the server groups in
the Interface-Specific Authentication Server Groups table at the bottom
of this tab (described below).
Use LOCAL if Server
Group Fails
Whether to fall back to the local database for authentication if the
selected authentication server group fails.
Authorization Server Group
The name of the authorization server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
Users must exist in the
authorization database
to connect
Whether to require that the username of the client must exist in the
authorization database to allow a successful connection. If the
username does not exist in the authorization database, then the
connection is denied.
Accounting Server Group
Name of the accounting server group. Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
Strip Realm from Username
Whether to remove the realm or group name from the username before
passing the username on to the AAA server. A realm is an
administrative domain. Enabling these options allows the
authentication to be based on the username alone.
Strip Group from Username
You can enable any combination of these options. However, you must
select both check boxes if your server cannot parse delimiters.
Override Account-Disabled
Indication from AAA Server
Whether to override the “account-disabled” indicator from a AAA
server. This configuration is valid for servers, such as RADIUS with
NT, LDAP, and Kerberos, that return an “account-disabled” indication.
When this option is enabled, a user whose account the AAA server
reports as disabled can still connect, so leave it cleared unless you
have a specific reason to ignore the server's indication.
Enable Notification
Upon Password Expiration
to Allow User to
Change Password
Enable Notification Prior
to Expiration
Notify Prior to Expiration
Whether to have the security appliance notify the remote user at login
that the current password is about to expire or has expired, and to then
offer the user the opportunity to change the password.
If you want to give the user prior warning of an impending password
expiration, select Enable Notification Prior to Expiration and specify
the number of days prior to expiration that you want to start notifications
(1 to 180 days). You can use this option with AAA servers that support
such notification: RADIUS, RADIUS with an NT server, and LDAP
servers. There is no prior notification for other types of servers.
If you are using an LDAP directory server for authentication, password
management is supported with the Sun Microsystems JAVA System
Directory Server (formerly named the Sun ONE Directory Server) and
the Microsoft Active Directory.
•
Sun—The DN configured on the security appliance to access a Sun
directory server must be able to access the default password policy
on that server. We recommend using the directory administrator, or
a user with directory administrator privileges, as the DN.
Alternatively, you can place an ACI on the default password policy.
•
Microsoft—You must configure LDAP over SSL to enable
password management with Microsoft Active Directory.
Distinguished Name (DN)
Authorization Setting
How you want to use the distinguished name for authorization. A
distinguished name (DN) is a unique identification, made up of
individual fields, that can be used as the identifier when matching users
to a tunnel group. DN rules are used for enhanced certificate
authentication. Select from the following options to determine how the
DN is used during authorization:
•
Use Entire DN as the Username—Use the entire DN; do not focus
on any one field.
•
Specify Individual DN fields as the Username—Focus on
specific fields. Select a primary field, and optionally, a secondary
field. The default is to use only the user identification (UID) field.
Interface-Specific
Authentication Server
Groups table
If you want to configure separate authentication server groups for
specific interfaces, so that clients connecting through that interface use
a server group different from the global group, add the interface to this
table and configure the separate group. Any interface not listed here
uses the global authentication server group. The table shows the server
group and whether you are falling back to local authentication if the
server group is not available.
•
To add an interface-specific authentication group to the list, click
the Add Row button and fill in the Add/Edit Interface Specific
Authentication Server Groups Dialog Box, page 27-24.
•
To edit an interface setting, select it and click the Edit Row button.
•
To delete an interface setting, select it and click the Delete
Row button.
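The following shows the ASA CLI that corresponds to the General tab (Table 27-15) and the AAA tab (Table 27-17) of a connection profile, so that you can check what Security Manager deploys against show running-config tunnel-group on the device. It is an added example, not text from this guide or output generated by Security Manager; the profile, pool, server group, and interface names, the addresses, and the LDAP bind identity are assumptions, and the syntax is that of ASA 8.2.

```text
! Objects the profile refers to (names and addresses assumed)
ip local pool RA-POOL-1 10.100.12.2-10.100.12.254 mask 255.255.255.0
ip local pool RA-POOL-2 10.100.13.2-10.100.13.254 mask 255.255.255.0
ip local pool RA-POOL-PARTNER 10.100.20.2-10.100.20.254 mask 255.255.255.0
group-policy RA-GP internal

aaa-server RADIUS-AUTH protocol radius
aaa-server RADIUS-AUTH (inside) host 10.1.1.10
 key <radius-shared-secret>

! Authorization against Active Directory. Password management with
! Microsoft Active Directory requires LDAP over SSL, as the AAA tab notes.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.1.1.20
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=service,dc=example,dc=com
 ldap-login-password <bind-password>

! Strip Group from Username needs a delimiter to look for; the realm
! delimiter is always "@"
group-delimiter #

tunnel-group RA-PROFILE type remote-access
tunnel-group RA-PROFILE general-attributes
! General tab: Group Policy
 default-group-policy RA-GP
! General tab: DHCP Servers, tried in the order listed
 dhcp-server 10.1.1.30
 dhcp-server 10.1.1.31
! General tab: Global IP Address Pool, used in order, up to six pools
 address-pool RA-POOL-1 RA-POOL-2
! General tab: Interface-Specific Address Pool for interface "partner"
 address-pool (partner) RA-POOL-PARTNER
! AAA tab: Authentication Server Group with Use LOCAL if Server Group Fails
 authentication-server-group RADIUS-AUTH LOCAL
! AAA tab: Interface-Specific Authentication Server Group for "partner"
 authentication-server-group (partner) LOCAL
! AAA tab: Authorization Server Group and Users must exist in the
! authorization database to connect
 authorization-server-group AD-LDAP
 authorization-required
! AAA tab: Accounting Server Group
 accounting-server-group RADIUS-AUTH
! AAA tab: Strip Realm from Username and Strip Group from Username
 strip-realm
 strip-group
! AAA tab: Notify Prior to Expiration, 14 days before the password expires
 password-management password-expire-in-days 14
! AAA tab: Specify Individual DN fields as the Username, primary CN,
! secondary OU
 authorization-dn-attributes CN OU
```

Two of these lines deserve a second look before deployment. The LOCAL keyword on authentication-server-group makes the local user database an authentication path whenever RADIUS is unreachable, so keep that database to the few emergency accounts you actually need and audit their use. authorization-required causes a user who authenticates at RADIUS but has no entry in AD-LDAP to be rejected, which is the behavior the "Users must exist in the authorization database" check box asks for; without it, such a user connects with the default group policy only. Override Account-Disabled Indication from AAA Server corresponds to override-account-disable in the same mode and is deliberately left out here.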
Add/Edit Interface Specific Authentication Server Groups Dialog Box
Use the Add/Edit Interface Specific Authentication Server Groups dialog boxes to configure
interface-specific authentication for your connection profile policy. This setting overrides the global
authentication server group settings if the client connects to the specified interface.
If you are configuring the secondary AAA server for an SSL VPN on an ASA device, the settings are
specifically used for the secondary set of credentials that the user enters; this is reflected in the name of
the dialog box.
Navigation Path
Open the AAA Tab (Connection Profiles), page 27-21 or the Secondary AAA Tab (Connection Profiles),
page 27-25, then click Add Row below the (Secondary) Interface Specific Authentication Server Groups
table, or select a row in the table and click Edit Row.
Related Topics
•
Configuring Connection Profiles (ASA), page 26-18
•
Understanding Interface Role Objects, page 6-55
•
Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Table 27-18
Add/Edit (Secondary) Interface Specific Authentication Server Groups
Element
Description
Interface
The name of the interface or interface role (that identifies the
interfaces) for which you are configuring an authentication server
group. Click Select to select an interface or interface role or to create a
new interface role.
Server Group
The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device). Enter the name of a AAA
server group object or click Select to select it from a list or to create a
new object.
When you are configuring secondary AAA, this group is used
specifically for the second credentials. You can specify different server
groups for primary and secondary credentials.
Use LOCAL if Server
Group Fails
Whether to fall back to the local database for authentication if the
selected authentication server group fails.
Use Primary Username
(Secondary authentication
only; SSL VPN on
ASA 8.2+ only.)
Whether to use the same username for the secondary credentials that
was used for the primary credentials. If you select this option, after
users authenticate with their primary credentials, they are prompted for
the secondary password only. If you do not select this option, the
secondary prompt requires both a username and password.
Secondary AAA Tab (Connection Profiles)
Use the Secondary AAA tab to configure the secondary AAA authentication parameters for an SSL VPN
connection profile policy for use with ASA 8.2+ devices. These settings do not apply to remote access
IPSec VPNs or Easy VPN topologies or to other device types.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button; then select the Secondary AAA tab.
Related Topics
•
Configuring Connection Profiles (ASA), page 26-18
Field Reference
Table 27-19
Connection Profile Secondary AAA Tab
Element
Description
Enable Double
Authentication
Whether to enable double authentication, which prompts the user for
two sets of credentials (username and password) before completing the
SSL VPN connection.
Secondary Authentication
Server Group
The name of the authentication server group (LOCAL if the tunnel
group is configured on the local device) to be used with the second set
of credentials. Enter the name of a AAA server group object or click
Select to select it from a list or to create a new object.
If you want to use different authentication server groups based on the
interface to which the client connects, configure the server groups in
the Secondary Interface-Specific Authentication Server Groups table at
the bottom of this tab (described below).
Use LOCAL if Server Group
Fails
Whether to fall back to the local database for authentication if the
selected authentication server group fails.
Use Primary Username for
Secondary Authentication
Whether to use the same username for the secondary credentials that
was used for the primary credentials. If you select this option, after
users authenticate with their primary credentials, they are prompted for
the secondary password only. If you do not select this option, the
secondary prompt requires both a username and password.
Username for Session
The username that the software will use for the user session, either the
primary or secondary name. If you prompt for the primary name only,
select primary.
Note
By default, if there is more than one username, AnyConnect
remembers both usernames between sessions. In addition, the
head-end device might offer a feature to allow for
administrative control over whether the client remembers both
or neither usernames.
Authorization
Authentication Server
The server to use for authorization, either the primary authentication
server (defined on the AAA tab) or the secondary authentication server
configured on this tab.
Distinguished Name
(DN) Secondary
Authorization Setting
How you want to use the distinguished name for authorization. A
distinguished name (DN) is a unique identification, made up of
individual fields, that can be used as the identifier when matching users
to a tunnel group. DN rules are used for enhanced certificate
authentication. Select from the following options to determine how the
DN is used during authorization:
•
Use Entire DN as the Username—Use the entire DN; do not focus
on any one field.
•
Specify Individual DN fields as the Username—Focus on
specific fields. Select a primary field, and optionally, a secondary
field. The default is to use only the user identification (UID) field.
Secondary Interface-Specific
Authentication Server
Groups table
If you want to configure separate secondary authentication server
groups for specific interfaces, so that clients connecting through that
interface use a server group different from the global group, add the
interface to this table and configure the separate group. Any interface
not listed here uses the global authentication server group. The table
shows the server group and whether you are falling back to local
authentication if the server group is not available.
•
To add a secondary interface-specific authentication group to the
list, click the Add Row button and fill in the Add/Edit Interface
Specific Authentication Server Groups Dialog Box, page 27-24.
•
To edit an interface setting, select it and click the Edit Row button.
•
To delete an interface setting, select it and click the Delete
Row button.
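The following shows the ASA 8.2 CLI that corresponds to the Secondary AAA tab (Table 27-19), including the one setting on it that weakens a two-factor design. It is an added example, not text from this guide or output generated by Security Manager; the profile name, the OTP-RADIUS server group (assumed to be a RADIUS group in front of a one-time-password service), and the "partner" interface are assumptions.

```text
tunnel-group RA-PROFILE webvpn-attributes
! Authentication Method on the AAA tab: AAA credentials plus a client
! certificate
 authentication aaa certificate
! Enable Double Authentication, Secondary Authentication Server Group,
! and Use Primary Username for Secondary Authentication
 secondary-authentication-server-group OTP-RADIUS use-primary-username
! The same field with Use LOCAL if Server Group Fails selected would be
!   secondary-authentication-server-group OTP-RADIUS LOCAL use-primary-username
! With that fallback, an outage of the OTP server turns the second
! prompt into a check against the local password database, so the
! session no longer has a second factor. Leave LOCAL off the secondary
! group and accept that logins fail while the OTP service is down.
! Secondary Interface-Specific Authentication Server Group for "partner"
 secondary-authentication-server-group (partner) OTP-RADIUS use-primary-username
! Username for Session
 authenticated-session-username primary
! Authorization Authentication Server
 authentication-attr-from-server primary
```

Before relying on the second factor, confirm from the device that the secondary group actually answers: test aaa-server authentication OTP-RADIUS username <user> password <otp> exercises the server group directly, and show running-config tunnel-group RA-PROFILE shows whether the deployed line carries the LOCAL keyword.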
IPSec Tab (Connection Profiles)
Use the IPsec tab of the Connection Profiles page to specify IPsec and IKE parameters for the
connection policy.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add Row button or select an entry and click
the Edit Row button; then select the IPSec tab. For Easy VPN topologies, simply click the IPSec tab.
Related Topics
•
Configuring Connection Profiles (ASA), page 26-18
•
Configuring a Connection Profile Policy for Easy VPN, page 24-11
•
Understanding Easy VPN, page 24-1
Field Reference
Table 27-20
Connection Profiles IPsec Tab
Element
Description
Preshared Key
The value of the preshared key for the connection profile. The
maximum length of a preshared key is 127 characters. Enter the key
again in the Confirm field.
Every client that uses this connection profile presents the same key, so
a key recovered from one client's configuration lets anyone pass the
group authentication. Prefer certificate authentication (see Trustpoint
Name) where your clients support it.
Trustpoint Name
The name of the PKI enrollment policy object that defines the trustpoint
name if any trustpoints are configured. A trustpoint represents a
Certificate Authority (CA)/identity pair and contains the identity of the
CA, CA-specific configuration parameters, and an association with one
enrolled identity certificate.
Click Select to select the object from a list or to create a new object.
IKE Peer ID Validation
Select whether IKE peer ID validation is ignored (Do not check),
required, or checked only if supported by a certificate. During IKE
negotiations, peers must identify themselves to one another.
Enable Sending
Certificate Chain
Whether to send the full certificate chain during IKE authentication.
The chain consists of the device's identity certificate and the CA
certificates above it, up to the root CA. The private key is never sent.
Enable Password Update with
RADIUS Authentication
Whether to enable passwords to be updated with the RADIUS
authentication protocol. For more information, see Supported AAA
Server Types, page 6-21.
ISAKMP Keepalive
Whether to monitor ISAKMP keepalives. If you select the Monitor
Keepalive option, the device sends IKE keepalive messages to detect a
peer that has gone away, so that stale security associations are torn
down and failover or rerouting can occur. Enter the following
parameters:
•
Confidence Interval—The number of seconds of inactivity from the
peer after which the device sends an IKE keepalive.
•
Retry Interval—The number of seconds the device waits before
resending a keepalive that the peer did not answer. The default is
2 seconds.
For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Client Software Update table
The VPN client revision level and URLs for client platforms. You can
configure different revision levels for All Windows Platforms,
Windows 95/98/ME, Windows NT4.0/2000/XP, or the VPN3002
Hardware Client.
To configure the client for a platform, select it, click the Edit Row
button, and fill in the IPSec Client Software Update Dialog Box,
page 27-29.
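The following shows the ASA 8.2 CLI that corresponds to the IPsec tab (Table 27-20) and to one row of the Client Software Update table. It is an added example, not text from this guide or output generated by Security Manager; the profile and trustpoint names, the key, the keepalive values, and the client image URL and revision are assumptions.

```text
! The identity certificate the ASA presents (trustpoint name assumed)
crypto ca trustpoint RA-ID-CERT
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example

! Required once, globally, before any client-update row takes effect
client-update enable

tunnel-group RA-PROFILE ipsec-attributes
! Preshared Key: the group key every client of this profile shares.
! ASA 8.4 and later spell this command "ikev1 pre-shared-key".
 pre-shared-key <group-key>
! Trustpoint Name
 trust-point RA-ID-CERT
! IKE Peer ID Validation: req = required, cert = checked only if
! supported by a certificate, nocheck = Do not check
 peer-id-validate req
! Enable Sending Certificate Chain
 chain
! Enable Password Update with RADIUS Authentication
 radius-with-expiry
! ISAKMP Keepalive: Confidence Interval 20 seconds, Retry Interval 3 seconds
 isakmp keepalive threshold 20 retry 3
! Client Software Update, Windows NT4.0/2000/XP row: Client Revisions
! and Image URL. The client is told where to fetch the image, so serve
! it over HTTPS from a host you control.
 client-update type winnt url https://vpn.example.com/vpnclient.exe rev-nums 5.0.07.0290
```

peer-id-validate req rejects a peer whose certificate identity does not match the IKE identity it claims, which is the setting to keep in production; nocheck is for troubleshooting a certificate mismatch, not for leaving in place. On ASA releases that report radius-with-expiry as deprecated, the equivalent is password-management in general-attributes. show running-config tunnel-group RA-PROFILE shows the lines above, and show crypto isakmp sa shows whether keepalives are keeping the security associations of connected clients alive.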
IPSec Client Software Update Dialog Box
Use the IPsec Client Software Update dialog box to configure the specific revision level and image URL
of a VPN client.
Navigation Path
From the IPSec Tab (Connection Profiles), page 27-27, select a client type in the Client Software Update
table and click Edit.
Related Topics
•
Connection Profiles Page, page 27-18
•
Configuring Connection Profiles (ASA), page 26-18
Field Reference
Table 27-21
IPSec Client Software Update Dialog Box
Element
Description
Client Type
Type of client being modified.
Client Revisions
Revision level of the client.
Image URL
URL of the client software image.
SSL Tab (Connection Profiles)
Use the SSL tab of the Connection Profile dialog box to configure the WINS servers for the connection
profile policy, select a customized look and feel for the SSL VPN end-user logon web page, DHCP servers
to be used for client address assignment, and to establish an association between an interface and client
IP address pools. These settings do not apply to remote access IPSec VPNs or Easy VPN topologies.
Navigation Path
From the Connection Profiles Page, page 27-18, click the Add button or select an entry and click the Edit
button; then select the SSL tab.
Related Topics
•
Configuring Connection Profiles (ASA), page 26-18
•
Configuring WINS/NetBIOS Name Service (NBNS) Servers To Enable File System Access in SSL
VPNs, page 26-73
•
Understanding Network/Host Objects, page 6-62
•
Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 26-63
Field Reference
Table 27-22
Connection Profile SSL Tab
Element
Description
WINS Servers List
The WINS (Windows Internet Name Service) servers list to use for CIFS name resolution.
Clientless SSL VPN uses the CIFS protocol to access or share files on remote systems. When a user attempts a file-sharing connection to a Windows computer by its computer name, that name must be resolved to an IP address, and the security appliance uses WINS to do so.
A WINS servers list defines the WINS servers that the security appliance queries to translate Windows file server names to IP addresses. You must configure at least one server, and you can configure up to three for redundancy. The security appliance uses the first server on the list for WINS/CIFS name resolution; if the query fails, it tries the next server.
WINS server lists are predefined objects. To use a different WINS servers list, click Select to open the WINS Server List Selector dialog box, which lists all available WINS Servers list objects and in which you can create new ones.
DNS Group
The DNS server group that the SSL VPN tunnel group uses to resolve hostnames.
Portal Page Customization
Specify the default SSL VPN customization profile in the field
provided. This profile defines the appearance of the portal page that
allows the remote user access to all resources available on the SSL
VPN networks.
Note
You can set up different login windows for different groups by
using a combination of customization profiles and groups. For
example, assuming that you had created a customization profile
called salesgui, you can create an SSL VPN group called sales
that uses that customization profile. You specify the group in
the General tab on the Customization Profiles dialog box.
Customization profiles are predefined objects. You can click Select to
open the SSL VPN Customization Selector dialog box, from which you
can make your selection or create new customization objects.
Override SVC Download
Click this check box if you want clientless users logging in under
specific tunnel groups to not have to wait for the download prompt to
expire before being presented with the clientless SSL VPN home page.
Instead, these users are immediately presented with the clientless SSL
VPN home page.
Reject Radius Message
Select this check box to display the RADIUS reject message to remote users when their authentication fails.
Connection Aliases
Alias
The alternate name by which the tunnel group is referred to.
A group alias creates one or more alternate names by which a user can
refer to a tunnel group. This feature is useful when the same group is
known by several common names (such as “Devtest” and “QA”). If you
want the actual name of the tunnel group to appear on this list, you must
specify it as an alias. The group alias that you specify here appears on
the login page. Each tunnel group can have multiple aliases or no alias.
For more information, see Understanding Connection Profiles (ASA),
page 26-18.
Status
Specifies whether a group alias is enabled or not.
If enabled, the group alias appears in a list during login.
Create button
Opens the Add/Edit Connection Alias Dialog Box, page 27-32 for
creating a group alias.
Edit button
Opens the Add/Edit Connection Alias Dialog Box, page 27-32 for
editing the settings of a selected group alias in the table.
Delete button
Deletes one or more group aliases that are selected in the table.
Group URLs
URL
The URL associated with the tunnel group connection profile.
You can configure multiple URLs (or no URLs) for a tunnel group.
Each URL can be enabled or disabled individually. You must use a
separate specification for each URL, specifying the entire URL using
either the HTTP or HTTPS protocol.
For more information, see Understanding Connection Profiles (ASA),
page 26-18.
Status
Specifies whether a group URL is enabled or not. If enabled, it
eliminates the need to select a group during login.
Create button
Click to open the Add Group URL dialog box for creating a group URL.
See Add/Edit Connection URL Dialog Box, page 27-32.
Edit button
Select a group URL in the table, then click to open the Edit Group URL
dialog box to edit its settings. See Add/Edit Connection URL Dialog
Box, page 27-32.
Delete button
Select the rows of one or more group URLs, then click to remove from
the list.
Add/Edit Connection Alias Dialog Box
Use the Add/Edit Connection Alias dialog box to create or edit a connection alias for an SSL VPN
connection profile. Specifying the connection alias creates one or more alternate names by which the
user can refer to a tunnel group.
Navigation Path
Open the SSL Tab (Connection Profiles), page 27-29, then click Create below the Connection Aliases
table, or select a row in the table and click Edit.
Related Topics
• Connection Profiles Page, page 27-18
• Configuring Connection Profiles (ASA), page 26-18
Field Reference
Table 27-23
Add/Edit Connection Profile > Add/Edit Connection Alias Dialog Box
Element
Description
Enabled
Indicates whether the connection alias is enabled or not.
Connection Alias
An alternative name for the connection profile.
The connection alias that you specify here appears in a list on the user’s
login page. Each group can have multiple aliases or no alias, each
specified in separate commands.
Add/Edit Connection URL Dialog Box
Use this dialog box to specify incoming URLs or IP addresses for the tunnel group. If a connection URL
is enabled in a tunnel group, the security appliance selects the associated tunnel group and presents the
user with only the username and password fields in the login window.
Note
You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be
enabled or disabled individually.
You cannot associate the same URL or address with multiple groups. The security appliance verifies the
uniqueness of the URL or address before accepting the URL or address for a tunnel group.
Navigation Path
Open the SSL Tab (Connection Profiles), page 27-29, then click Create below the Group URLs table,
or select a row in the table and click Edit.
Related Topics
• Connection Profiles Page, page 27-18
• Configuring Connection Profiles (ASA), page 26-18
Field Reference
Table 27-24
Add/Edit Connection URL Dialog Box
Element
Description
Enabled
Indicates whether the connection URL is enabled or not.
Connection URL
Select a protocol (http or https) from the list, and specify the incoming
URL for the connection in the field provided.
Dynamic Access Page (ASA)
Use the Dynamic Access page to view the dynamic access policies (DAP) defined on the security
appliance. From this page, you can create, edit, or delete DAPs.
Use the Cisco Secure Desktop section to enable and download the Cisco Secure Desktop (CSD) software
on the selected ASA device. Cisco Secure Desktop provides a single, secure location for session activity
and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL
VPN session.
Note
The CSD client software must be installed and activated on a device in order for an SSL VPN policy to
work properly.
Tip
Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Navigation Path
• (Device View) Select an ASA device; then select Remote Access VPN > Dynamic Access (ASA) from the Policy selector.
• (Policy View) Select Remote Access VPN > Dynamic Access (ASA) from the Policy Type selector. Select an existing policy or create a new one.
Related Topics
• Understanding Dynamic Access Policies, page 26-19
• Configuring Dynamic Access Policies, page 26-20
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Cisco Secure Desktop Policies on ASA Devices, page 26-26
Field Reference
Table 27-25
Dynamic Access Policy Page (ASA)
Element
Description
Priority
Priority of the configured dynamic access policy record.
Name
Name of the configured dynamic access policy record.
Network ACL
Name of the firewall ACL that applies to the session.
WebType ACL
Name of the WebType VPN ACL that applies to the session.
Port Forwarding
Name of the port forwarding list that applies to the session.
Bookmark
Name of the SSL VPN Bookmark object that applies to the session.
Terminate
Indicates whether the session is terminated or not.
Description
Additional information about the configured dynamic access policy.
Create button
Click this button to create a dynamic access policy. See Add/Edit
Dynamic Access Policy Dialog Box, page 27-35.
Edit button
Click this button to edit the selected dynamic access policy. See
Add/Edit Dynamic Access Policy Dialog Box, page 27-35.
Delete button
Click this button to delete the selected dynamic access policies.
Cisco Secure Desktop
For the procedure to configure CSD on an ASA device, see Configuring Cisco Secure Desktop Policies
on ASA Devices, page 26-26.
Enable
When selected, enables the CSD on the device. Enabling CSD loads the
specified Cisco Secure Desktop package. If you transfer or replace the
CSD package file, disable and then enable CSD to load the file.
Package
Specify the name of the File Object that identifies the Cisco Secure Desktop package you want to upload to the device. Click Select to select an existing File Object or to create a new one. For more information, see Add and Edit File Object Dialog Boxes, page 28-24.
Note
The package version must be compatible with the ASA operating system version. For more information on version compatibility, see Understanding and Managing SSL VPN Support Files, page 26-5.
Version
The CSD package version. When you create a local policy in Device view, this field indicates the CSD package version you should select. (The version is included in the package file name. For example, securedesktop-asa_k9-3.3.0.118.pkg is CSD version 3.3.0.118.) When you create a shared policy in Policy view, this field indicates the version of the CSD file you selected.
Configure
Click Configure to open the Cisco Secure Desktop Manager (CSDM) Policy Editor that lets you configure CSD on the security appliance. For a description of the elements in this dialog box, see Cisco Secure Desktop Manager Policy Editor Dialog Box, page 27-59.
Add/Edit Dynamic Access Policy Dialog Box
Use the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access policies (DAP) on your security appliance. You can specify a name for the dynamic access policy that you are adding, select the priority, specify selection attributes in a Lua expression, and set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.
Note
For detailed information about dynamic access policy attributes, see Understanding DAP Attributes,
page 26-22
These tabs are available in the Add/Edit Dynamic Access Policy dialog box:
• Main Tab, page 27-36
• Logical Operators Tab, page 27-55
• Advanced Expressions Tab, page 27-58
Navigation Path
Open the Dynamic Access Page (ASA), page 27-33, then click Create, or select a dynamic access policy
in the table and click Edit. The Add/Edit Dynamic Access Policy dialog box is displayed.
Related Topics
• Understanding Dynamic Access Policies, page 26-19
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-26
Add/Edit Dynamic Access Policy Dialog Box
Element
Description
Name
The name of the dynamic access policy record (up to 128 characters).
Priority
A priority for the dynamic access policy record. The security appliance
applies access policies in the order you set here, highest number having the
highest priority. In the case of dynamic access policy records with the same
priority setting and conflicting ACL rules, the most restrictive rule applies.
Description
Additional information about the dynamic access policy record (up to
1024 characters).
Main tab
Enables you to add a dynamic access policy entry and set attributes for the
access policy depending on the type of remote access that you configure.
For a description of the elements on this tab, see Main Tab, page 27-36.
Logical Operators tab
Enables you to create multiple instances of each type of endpoint attribute.
For a description of the elements on this tab, see Logical Operators Tab,
page 27-55.
Advanced
Expressions tab
Enables you to configure one or more logical expressions to set AAA
or endpoint attributes other than what is possible in the AAA and
Endpoint areas.
For a description of the elements on this tab, see Advanced Expressions Tab,
page 27-58.
Main Tab
Use the Main tab of the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access policy attributes and the type of remote access method supported by your security appliance. You can set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.
Navigation Path
The Main tab appears when you open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35.
Related Topics
• Configuring Dynamic Access Policies, page 26-20
• Configuring DAP Attributes, page 26-25
Field Reference
Table 27-27
Add/Edit Dynamic Access Policy Dialog Box > Main Tab
Element
Description
Criteria ID
The AAA and endpoint selection attribute names that are available for
dynamic access policy use.
Content
Values of the AAA and endpoint attributes criteria that the security appliance
uses for selecting and applying a dynamic access policy record during
session establishment. Attribute values that you configure here override
authorization values in the AAA system, including those in existing group
policy, tunnel group, and default group records.
Create button
Click this button to configure AAA and endpoint attributes as selection
criteria for the DAP record. See Add/Edit DAP Entry Dialog Box,
page 27-40.
Edit button
Click this button to edit the selected dynamic access policy. See Add/Edit
DAP Entry Dialog Box, page 27-40.
Delete button
Click this button to delete the selected dynamic access policies.
Access Method
Specify the type of remote access permitted:
• Unchanged—Continue with the current remote access method.
• AnyConnect Client—Connect using the Cisco AnyConnect VPN Client.
• Web Portal—Connect with clientless VPN.
• Both default Web Portal—Connect via either clientless or the AnyConnect client, with a default of clientless.
• Both default AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect.
Network ACL tab—Lets you select and configure network ACLs to apply to this dynamic access
policy. An ACL for a dynamic access policy can contain permit or deny rules, but not both. If an ACL
contains both permit and deny rules, the security appliance rejects it.
Network ACL
Lists the Access Control Lists (ACLs) that will be used to restrict user access to the SSL VPN.
Click the Select button to open the Access Control Lists Selector from which you can make your selection. The ACL contains conditions that describe a traffic stream of packets, and actions that describe what should occur based on those conditions. Only ACLs having all permit or all deny rules are eligible.
WebType ACL tab—Lets you select and configure web-type ACLs to apply to this dynamic access policy. An ACL for a dynamic access policy can contain either permit or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance rejects it.
Web Type ACL
Specifies the WebType access control list that will be used to restrict user access to the SSL VPN.
Click the Select button to open the Access Control Lists Selector from which you can make your selection. Only ACLs having all permit or all deny rules are eligible.
Functions tab—Lets you configure file server entry and browsing, HTTP proxy, and URL entry for the
dynamic access policy.
File Server Browser
Specify the file server browsing setting to be configured on the portal page:
• Unchanged—Uses values from the group policy that applies to this session.
• Enable—Enables CIFS browsing for file servers or shared features.
• Disable—Disables CIFS browsing for file servers or shared features.
Note
Browsing requires NBNS (Master Browser or WINS). If NBNS fails or is not configured, the security appliance falls back to DNS.
The CIFS browse feature does not support internationalization.
File Server Entry
Specify the file server entry setting to be configured on the portal page:
• Unchanged—Uses values from the group policy that applies to this session.
• Enable—Allows users to enter file server paths and names on the portal page. When enabled, places the file server entry drawer on the portal page. Users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements.
• Disable—Prevents users from entering file server paths and names on the portal page.
HTTP Proxy
Specify whether the security appliance terminates HTTPS connections and forwards HTTP/HTTPS requests to HTTP and HTTPS proxy servers:
• Unchanged—Uses values from the group policy that applies to this session.
• Enable—Allows the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.
• Disable—Disables the forwarding of an HTTP applet proxy to the client.
• Auto-start—Enables HTTP proxy and has the DAP record automatically start the applets associated with these features.
URL Entry
Using SSL VPN does not ensure that communication with every site is secure. SSL VPN ensures the security of data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured.
In a clientless VPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate, so it cannot examine or validate the certificate itself. The current implementation of SSL VPN does not permit communication with sites that present expired certificates; however, the security appliance does not perform trusted CA certificate validation. Therefore, users cannot analyze the certificate an SSL-enabled web server presents before communicating with it.
Specify how the URL entry setting must be configured on the portal page:
• Unchanged—Uses values from the group policy that applies to this session.
• Enable—Allows users to enter HTTP/HTTPS URLs on the portal page. If this feature is enabled, users can enter web addresses in the URL entry box, and use clientless SSL VPN to access those websites.
• Disable—Prevents users from entering HTTP/HTTPS URLs on the portal page.
Note
To limit Internet access for users, select Disable for the URL Entry field. This prevents SSL VPN users from surfing the Web during a clientless VPN connection.
Port Forwarding tab—Lets you select and configure port forwarding lists for user sessions.
Note
Port Forwarding does not work with some SSL/TLS versions.
Caution
Make sure Sun Microsystems Java Runtime Environment (JRE) 1.4+ is installed on the remote computers to support port forwarding (application access) and digital certificates.
Port Forwarding
Select an option for the port forwarding lists that apply to this DAP record:
• Unchanged—Removes the attributes from the running configuration.
• Enable—Enables port forwarding on the device.
• Disable—Disables port forwarding on the device.
• Auto-start—Enables port forwarding, and has the DAP record automatically start the port forwarding applets associated with its port forwarding lists.
Port Forwarding List
The Port Forwarding List object that defines the mapping of port numbers on the remote client to the application's IP address and port behind the SSL VPN gateway.
Click Select to open the Port Forwarding List Selector, from which you can select the required object from the list of Port Forwarding List objects.
Bookmark tab—Lets you enable and configure SSL VPN bookmarks. When enabled, users who
successfully log into the SSL VPN are presented with the portal page containing the list of defined
bookmarks. These bookmarks enable users to access resources available on SSL VPN websites in
Clientless access mode.
Enable Bookmarks
When selected, enables bookmarks on the SSL VPN portal page.
Bookmarks
A list of websites that will be displayed on the portal page as a bookmark to
enable users to access the resources available on the SSL VPN websites.
You can click Select to open the Bookmarks Selector from which you can
select the required bookmark from a list or create a new bookmark, as desired.
Action tab—Specifies special processing to apply to a specific connection or session.
Terminate
When selected, terminates the session. If not selected, the access policy attributes are applied to the session and the session continues.
User Message
Enter a text message to display on the portal page when this DAP record is selected. Maximum 128 characters. A user message displays as a yellow orb. When a user logs on it blinks three times to attract attention, and then it is still. If several DAP records are selected, and each of them has a user message, all user messages display.
Note
You can include URLs or other embedded text in such messages, which requires that you use the correct HTML tags. For example: All contractors please read <a href="http://wwwin.abc.com/procedure.html">Instructions</a> for the procedure to upgrade your antivirus software.
Add/Edit DAP Entry Dialog Box
Use the Add/Edit DAP Entry dialog box to specify the authorization attributes and endpoint attributes
for a dynamic access policy. The security appliance selects the dynamic access policy based on the
endpoint security information of the remote device and the AAA authorization information for the
authenticated user. It then applies the dynamic access policy to the user tunnel or session.
Note
For detailed information about dynamic access policy attributes, see Understanding DAP Attributes,
page 26-22
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
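The selection rules spelled out in this chapter (a record is selected only when every configured criterion matches, records are applied in priority order with the highest number first, a record with no criteria is always selected, a DAP ACL must be all-permit or all-deny, and a selected record with Terminate set ends the session) can be modelled in a few lines. The following Python is an added illustration, not code from Cisco Security Manager or the ASA; the record names, attribute keys and session dictionary are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class DapRecord:
    """One dynamic access policy record (constructed model, not an ASA structure)."""
    name: str
    priority: int
    criteria: dict                                      # attribute name -> required value
    network_acl: list = field(default_factory=list)     # list of (action, network) rules
    terminate: bool = False
    user_message: str = ""


def acl_is_homogeneous(acl):
    """A DAP ACL may contain only permit rules or only deny rules, never both."""
    return len({action for action, _ in acl}) <= 1


def invalid_acl_records(records):
    """Names of records whose ACL mixes permit and deny (the appliance rejects these)."""
    return [r.name for r in records if not acl_is_homogeneous(r.network_acl)]


def record_matches(record, session):
    """Selected only when every configured criterion matches the session.
    With no criteria, all() is vacuously true: the record matches every session."""
    return all(session.get(attr) == value for attr, value in record.criteria.items())


def select_dap(records, session):
    """Validate the ACLs, pick the matching records (highest priority first) and
    aggregate the Terminate action and user messages across all of them."""
    bad = invalid_acl_records(records)
    if bad:
        raise ValueError(f"DAP ACL mixes permit and deny rules in: {', '.join(bad)}")
    selected = sorted((r for r in records if record_matches(r, session)),
                      key=lambda r: r.priority, reverse=True)
    return {
        "records": [r.name for r in selected],
        # one selected record with Terminate set is enough to end the session
        "terminate": any(r.terminate for r in selected),
        "messages": [r.user_message for r in selected if r.user_message],
    }


# Constructed records. "block-unknown" was meant as a fallback, but it has no
# criteria at all, so it is selected for every session, compliant ones included.
RECORDS = [
    DapRecord("corp-managed", 20,
              {"aaa.cisco.memberof": "VPN-Users", "endpoint.av.exists": "true"}),
    DapRecord("contractors", 10, {"aaa.cisco.memberof": "Contractors"},
              user_message="All contractors please read the upgrade instructions."),
    DapRecord("block-unknown", 0, {}, terminate=True),
]

# Constructed session attributes for a compliant corporate user.
MANAGED_SESSION = {"aaa.cisco.memberof": "VPN-Users", "endpoint.av.exists": "true"}


if __name__ == "__main__":
    print(select_dap(RECORDS, MANAGED_SESSION))
    # the fix: a fallback needs an explicit criterion, not an empty record
    print(select_dap([r for r in RECORDS if r.criteria], MANAGED_SESSION))
```

Running the block shows the pitfall the note above warns about: the compliant session is terminated because the empty-criteria record is selected alongside corp-managed. The second call drops that record and the session proceeds. When you need a catch-all on a real ASA, give it an explicit criterion rather than leaving it without any.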
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-28
Add/Edit DAP Entry Dialog Box
Element
Description
Criterion
Select the authorization or endpoint attribute from the list. It serves as the selection criterion that the security appliance uses for selecting and applying dynamic access policies during session establishment.
• AAA Attributes Cisco—Refers to user authorization attributes that are stored in the AAA hierarchical model. See Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco, page 27-42.
• AAA Attributes LDAP—Matches the native LDAP response attribute-value pairs that the LDAP client stores in a database associated with the AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP, page 27-43.
• AAA Attributes RADIUS—Matches the native RADIUS response attribute-value pairs that the RADIUS client stores in a database associated with the AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS, page 27-44.
• Anti-Spyware—Creates an endpoint attribute of type Anti-Spyware. You can use the Host Scan modules of Cisco Secure Desktop to scan for antispyware applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Anti-Spyware, page 27-45.
• Anti-Virus—Creates an endpoint attribute of type Anti-Virus. You can use the Host Scan modules of Cisco Secure Desktop to scan for antivirus applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Anti-Virus, page 27-46.
• Application—Indicates the type of remote access connection. See Add/Edit DAP Entry Dialog Box > Application, page 27-47.
• File—Creates an endpoint attribute of type File. Filename checking to be performed by Basic Host Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > File, page 27-49.
• NAC—Creates an endpoint attribute of type NAC. NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliance checks, referred to as posture validation. See Add/Edit DAP Entry Dialog Box > NAC, page 27-50.
• Operating System—Creates an endpoint attribute of type Operating System. The prelogin assessment module of the CSD can check the remote device for the OS version, IP address, and Microsoft Windows registry keys. See Add/Edit DAP Entry Dialog Box > Operating System, page 27-51.
• Personal Firewall—Creates an endpoint attribute of type Personal Firewall. You can use the Host Scan modules of Cisco Secure Desktop to scan for personal firewall applications and updates that are running on the remote computer. For a description of the elements in the dialog box, see Add/Edit DAP Entry Dialog Box > Personal Firewall, page 27-51.
• Policy—Creates an endpoint attribute of type Policy. See Add/Edit DAP Entry Dialog Box > Policy, page 27-52.
• Process—Creates an endpoint attribute of type Process. Process name checking to be performed by Basic Host Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > Process, page 27-53.
• Registry—Creates an endpoint attribute of type Registry. Registry key scans apply only to computers running Microsoft Windows operating systems. See Add/Edit DAP Entry Dialog Box > Registry, page 27-54.
Description
Additional information about the dynamic access policy (up to 1024 characters).
Main tab
Enables you to add a dynamic access policy entry and set attributes for the
access policy depending on the type of remote access that you configure.
For a description of the elements on this tab, see Main Tab, page 27-36.
Logical Operators tab Enables you to create multiple instances of each type of endpoint attribute.
For a description of the elements on this tab, see Logical Operators Tab,
page 27-55.
Advanced Expressions tab
Enables you to configure one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas.
For a description of the elements on this tab, see Advanced Expressions Tab, page 27-58.
Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco
To configure AAA attributes as selection criteria for dynamic access policies, in the Add/Edit DAP Entry
dialog box, set AAA Attributes Cisco as the selection criterion to be used to select and apply the dynamic
access policies during session establishment. You can set these attributes either to match or not match
the value you enter. There is no limit for the number of AAA attributes for each dynamic access policy.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes Cisco as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-29
Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco
Element
Description
Criterion
Shows AAA Attributes Cisco as the selection criterion.
Class
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the name of the AAA server group associated
with the user. The maximum length is 64 characters.
AAA server groups represent collections of authentication servers focused
on enforcing specific aspects of your overall network security policy.
IP Address
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the assigned IP address.
Addresses are predefined network objects. You can also click Select to open
a dialog box that lists all available network hosts, and in which you can
create or edit network host objects.
Member-of
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter a comma-separated string of group policy
names that apply to the user. This attribute lets you indicate multiple group
membership. The maximum length is 128 characters.
Username
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the username of the authenticated user. A
maximum of 64 characters is allowed.
Connection Profiles
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and select the connection profile from a list of all the SSL
VPN Connection Profile policies defined on the security appliance.
An SSL VPN connection profile comprises a set of records that contain VPN
tunnel connection profile policies, including the attributes that pertain to
creating the tunnel itself.
Note
For a description of the procedure to configure an SSL VPN
Connection Profiles policy, see Configuring Connection Profiles
(ASA), page 26-18.
Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP
The LDAP client stores all native LDAP response attribute value pairs in a database associated with the
AAA session for the user. The LDAP client writes the response attributes to the database in the order in
which it receives them. It discards all subsequent attributes with that name. This scenario might occur
when a user record and a group record are both read from the LDAP server. The user record attributes
are read first, and always have priority over group record attributes.
To support Active Directory group membership, the AAA LDAP client provides special handling of the
LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group
record in AD. The name of the group is the first CN value in the DN string. The LDAP client extracts
the group name from the DN string and stores it as the AAA memberOf attribute, and in the response
attribute database as the LDAP memberOf attribute. If there are additional memberOf attributes in the
LDAP response message, then the group name is extracted from those attributes and is combined with
the earlier AAA memberOf attribute to form a comma separated string of group names, also updated in
the response attribute database.
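The memberOf handling just described, as an added example that is not Cisco's code: it models the first-attribute-wins rule for duplicate names and the extraction of the first CN from each memberOf DN into a comma separated group list, run over a constructed LDAP response.

```python
"""Added example, not Cisco Security Manager code: a model of how the guide says
the ASA LDAP client turns an LDAP response into the attributes that DAP later
matches on. The sample response at the bottom is constructed for illustration.
"""
from typing import Dict, List, Tuple


def split_rdns(dn: str) -> List[str]:
    """Split a DN into RDNs on unescaped commas; a backslash escapes the next char."""
    rdns: List[str] = []
    current: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # keep an escaped comma inside the RDN
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def first_cn(dn: str) -> str:
    """Group name of an AD memberOf value: the first CN value in the DN string."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().lower() == "cn":
            return value.strip()
    raise ValueError(f"no CN in DN: {dn!r}")


def process_ldap_response(attrs: List[Tuple[str, str]]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build (response_db, aaa_attrs) from (name, value) pairs in received order.

    - the first occurrence of an attribute name wins and later duplicates are
      discarded, so user-record attributes (read first) beat group-record ones
    - every memberOf value contributes its first CN; the names are joined into a
      comma separated string stored as the AAA memberOf and the LDAP memberOf
    Keys of response_db are lower-cased so lookups are case-insensitive.
    """
    response_db: Dict[str, str] = {}
    aaa_attrs: Dict[str, str] = {}
    groups: List[str] = []
    for name, value in attrs:
        key = name.lower()
        if key == "memberof":
            groups.append(first_cn(value))
            joined = ",".join(groups)
            response_db[key] = joined
            aaa_attrs["memberOf"] = joined
        elif key not in response_db:
            response_db[key] = value
        # else: a later attribute with the same name is discarded
    return response_db, aaa_attrs


def is_member_of(aaa_attrs: Dict[str, str], group: str) -> bool:
    """Exact group-name test against the comma separated AAA memberOf string."""
    names = aaa_attrs.get("memberOf", "")
    return group in [n for n in names.split(",") if n]


# Constructed sample: user record attributes first, then a group record.
SAMPLE_RESPONSE = [
    ("sAMAccountName", "jdoe"),
    ("department", "Finance"),
    ("memberOf", "CN=VPN Users,OU=Groups,DC=example,DC=com"),
    ("memberOf", "CN=Finance Users,OU=Groups,DC=example,DC=com"),
    ("department", "Groups"),      # group record: same name, discarded
    ("memberOf", "CN=All Staff,OU=Groups,DC=example,DC=com"),
]

if __name__ == "__main__":
    db, aaa = process_ldap_response(SAMPLE_RESPONSE)
    print(db["department"], "|", aaa["memberOf"])
```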
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes LDAP as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-30 Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP
Element / Description
Criterion
Shows AAA Attributes LDAP as the selection criterion.
Attribute ID
Specify the name of the LDAP attribute map in the dynamic access policy.
LDAP attribute maps take the attribute names that you define and map them
to Cisco-defined attributes. A maximum of 64 characters is allowed.
Value
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the custom map value that maps to a Cisco Map
Value or enter the Cisco map value that maps to the Custom Map Value.
The attribute map is populated with value mappings that apply customer,
user-defined attribute values to the customer attribute name and to the
matching Cisco attribute name and value.
Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS
The RADIUS client stores all native RADIUS response attribute value pairs in a database associated with
the AAA session for the user. The RADIUS client writes the response attributes to the database in the
order in which it receives them. It discards all subsequent attributes with that name. This scenario might
occur when a user record and a group record are both read from the RADIUS server. The user record
attributes are read first, and always have priority over group record attributes.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select AAA Attributes RADIUS as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-31 Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS
Element / Description
Criterion
Shows AAA Attributes RADIUS as the selection criterion.
Attribute ID
Specify the name of the RADIUS attribute name or number in the dynamic
access policy. A maximum of 64 characters is allowed.
RADIUS attribute names do not contain the cVPN3000 prefix to better
reflect support for all three security appliances (VPN 3000, PIX, and the
ASA). The appliances enforce the RADIUS attributes based on attribute
numeric ID, not attribute name. LDAP attributes are enforced by their name,
not by the ID.
Value
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the attribute value.
Add/Edit DAP Entry Dialog Box > Anti-Spyware
You can use the Host Scan feature of the Cisco Secure Desktop feature to enable Endpoint Assessment,
a scan for antivirus, personal firewall, and antispyware applications and updates that are running on the
remote computer. Following the configuration of the prelogin policies and host scan options, you can
configure a match of any one or any combination of the Host Scan results to assign a dynamic access
policy following the user login.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Anti-Spyware as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-32 Add/Edit DAP Entry Dialog Box > Anti-Spyware
Element / Description
Criterion
Shows Anti-Spyware as the selection criterion.
Type
Select the matching criteria to indicate whether the selected endpoint
attribute and its accompanying qualifiers (fields below the Product ID field)
should be present or not.
Vendor Name
Select the text that describes the application vendor from the list.
Product ID
Select a unique identifier for the product that is supported by the selected
vendor from the list.
Product Description
Available only if you selected Matches as the Type.
Select the check box, then select the description of the product from the list.
Version
Available only if you selected Matches as the Type.
Identify the version of the application, and specify whether you want the
endpoint attribute to be equal to/not equal to that version.
Last Update
Available only if you selected Matches as the Type.
Specify the number of days since the last update. You might want to indicate
that an update should occur in less than or greater than the number of days
you enter here.
Add/Edit DAP Entry Dialog Box > Anti-Virus
You can configure a scan for antivirus applications and updates as a condition for the completion of a
Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, Cisco Secure
Desktop loads Endpoint Assessment checks and reports the results back to the security appliance for use
in assigning a dynamic access policy.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Anti-Virus as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-33 Add/Edit DAP Entry Dialog Box > Anti-Virus
Element / Description
Criterion
Shows Anti-Virus as the selection criterion.
Type
Select the matching criteria to indicate whether the selected endpoint
attribute and its accompanying qualifiers (fields below the Product ID field)
should be present or not.
Vendor Name
Select the text that describes the application vendor from the list.
Product ID
Select a unique identifier for the product that is supported by the selected
vendor from the list.
Product Description
Available only if you selected the criteria to match the endpoint attribute for
the dynamic access policy.
Select the check box, then select the description of the product from the list.
Version
Available only if you selected the criteria to match the endpoint attribute for
the dynamic access policy.
Identify the version of the application, and specify whether you want the
endpoint attribute to be equal to/not equal to that version.
Last Update
Available only if you selected the criteria to match the endpoint attribute for
the dynamic access policy.
Specify the number of days since the last update. You might want to indicate
that an update should occur in less than or greater than the number of days
you enter here.
Add/Edit DAP Entry Dialog Box > Application
Use this dialog box to indicate the type of remote access connection as the endpoint attribute for the
dynamic access policy.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Application as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-34 Add/Edit DAP Entry Dialog Box > Application
Element / Description
Criterion
Shows Application as the selection criterion.
Client Type
Select the check box, then select the matching criteria (for example, is or
isn’t) from the drop-down list, and specify the type of remote access
connection from the list: AnyConnect, Clientless, Cut-through Proxy,
IPsec, or L2TP.
Note
If you select AnyConnect as the client type, make sure to enable
Cisco Secure Desktop. If it is not enabled, Security Manager
generates an error.
Add/Edit DAP Entry Dialog Box > Device
The DAP Device Criterion lets you provide specific device information for use during the associated
prelogin policy checking. You can provide one or more of the following attributes for a device—host
name, MAC address, port number, Privacy Protection selection—and indicate whether each is or isn’t to
be matched.
Note that isn’t is exclusionary. For example, if you specify the criterion Host Name isn’t zulu_2, all
devices not named zulu_2 will match.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Choose Device as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-35 Add/Edit DAP Entry Dialog Box > Device
Element / Description
Criterion
Shows Device as the selected Criterion.
Host Name
Select this option, choose a match criterion (is or isn’t) from the related
drop-down list, and then enter the device host name to be matched.
MAC Address
Select this option, choose a match criterion (is or isn’t) from the related
drop-down list, and then enter the device’s MAC address to be matched.
Port Number
Select this option, choose a match criterion (is or isn’t), and then enter or
select the device port to be matched.
Privacy Protection
Select this option, choose a match criterion (is or isn’t), and then choose the
Privacy Protection option defined on the device: none, cache cleaner, or
secure desktop.
Add/Edit DAP Entry Dialog Box > File
The file criterion prelogin check lets you specify that a certain file must or must not exist to be eligible
for the associated prelogin policy. For example, you might want to use a file prelogin check to ensure a
corporate file is present or one or more peer-to-peer file-sharing programs containing malware are not
present before assigning a prelogin policy.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select File as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-36 Add/Edit DAP Entry Dialog Box > File
Element / Description
Criterion
Shows File as the selection criterion.
Type
Specify whether this endpoint attribute must match or not match the
criteria configured for selecting and applying dynamic access policies
during session establishment.
Endpoint ID
Select a string that identifies an endpoint for files. Dynamic access
policies use this ID to match Cisco Secure Desktop host scan attributes
for dynamic access policy selection. You must configure Host Scan
before you configure this attribute. When you configure Host Scan, the
configuration displays in this pane, so you can select it, reducing the
possibility of errors in typing or syntax.
Filename
Specify the filename.
Last Update
Available only if you selected the criteria to match the endpoint
attribute for the dynamic access policy.
Specify the number of days since the last update. You might want to
indicate that an update should occur in less than (<) or more than (>)
the number of days you enter here.
Checksum
Available only if you selected the criteria to match the endpoint
attribute for the DAP record.
Select the check box to specify a checksum to authenticate the file, then
enter a checksum in hexadecimal format, beginning with 0x.
Add/Edit DAP Entry Dialog Box > NAC
NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue
applications by performing endpoint compliancy and vulnerability checks as a condition for production
access to the network. We refer to these checks as posture validation. You can configure posture
validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on
a host with an AnyConnect or Clientless SSL VPN session are up-to-date before providing access to
vulnerable hosts on the intranet. Posture validation can include the verification that the applications
running on the remote hosts are updated with the latest patches. NAC occurs only after user
authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network
from hosts that are not subject to automatic network policy enforcement, such as home PCs. The security
appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate
the posture of remote hosts.
The establishment of a tunnel between the endpoint and the security appliance triggers posture
validation. You can configure the security appliance to pass the IP address of the client to an optional
audit server if the client does not respond to a posture validation request. The audit server, such as a
Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it
may challenge the host to determine whether its virus checking software is active and up-to-date. After
the audit server completes its interaction with the remote host, it passes a token to the posture validation
server, indicating the health of the remote host.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select NAC as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-37 Add/Edit DAP Entry Dialog Box > NAC
Element / Description
Criterion
Shows NAC as the selection criterion.
Posture Status
Select the matching criteria (for example, is) from the drop-down list,
then enter the posture token string received from ACS.
Add/Edit DAP Entry Dialog Box > Operating System
The prelogin assessment includes a check for the OS attempting to establish a VPN connection. When
the user attempts to connect, however, Cisco Secure Desktop checks for the OS, regardless of whether
you insert an OS prelogin check.
If the prelogin policy assigned to the connection has Secure Desktop (Secure Session) enabled and if the
remote PC is running Microsoft Windows XP or Windows 2000, it installs Secure Session, regardless of
whether you insert an OS prelogin check. If the prelogin policy has Secure Desktop enabled and the
operating system is Microsoft Windows Vista, Mac OS X 10.4, or Linux, Cache Cleaner runs instead.
Therefore, you should make sure the Cache Cleaner settings are appropriate for a prelogin policy on
which you have configured Secure Desktop or Cache Cleaner to install. Although Cisco Secure Desktop
checks for the OS, you may want to insert an OS prelogin check as a condition for applying a prelogin
policy to isolate subsequent checks for each OS.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Operating System as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-38 Add/Edit DAP Entry Dialog Box > Operating System
Element / Description
Criterion
Shows Operating System as the selection criterion.
OS Version
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and select the OS version from the list: Windows
(various), MAC, Linux, Pocket PC.
Service Pack
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and select the service pack for the operating system.
Add/Edit DAP Entry Dialog Box > Personal Firewall
You can click Host Scan in the Cisco Secure Desktop interface to enable Endpoint Assessment, a scan for
personal firewalls that are running on the remote computer. Most, but not all, personal firewall programs
support active scan, which means that the programs are memory-resident, and therefore always running.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Personal Firewall as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-39 Add/Edit DAP Entry Dialog Box > Personal Firewall
Element / Description
Criterion
Shows Personal Firewall as the selection criterion.
Type
Select one of the following options and assign the associated values:
• Matches—Select if the mere presence of the named personal firewall
on the remote PC is sufficient to match the prelogin policy you
are configuring.
• Doesn’t Match—Select if the absence of the named personal firewall
from the remote PC is sufficient to match the prelogin policy you
are configuring.
Vendor Name
Select the text that describes the application vendor from the list.
Product ID
Select a unique identifier for the product that is supported by the selected
vendor from the list.
Product Description
Available only if you selected that this endpoint attribute and all its settings
must be available on the remote PC.
Select the check box, then select the description of the product from the list.
Version
Available only if you selected that this endpoint attribute and all its settings
must be available on the remote PC.
Identify the version of the application, and specify whether you want the
endpoint attribute to be equal to/not equal to that version.
Add/Edit DAP Entry Dialog Box > Policy
Windows locations let you determine how clients connect to your virtual private network, and protect it
accordingly. For example, clients connecting from within a workplace LAN on a 10.x.x.x network
behind a NAT device are an unlikely risk for exposing confidential information. For these clients, you
might set up a Cisco Secure Desktop Windows Location named Work that is specified by IP addresses
on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop function for this
location. Cisco Secure Desktop checks locations in the order listed on the Windows Location Settings
window, and grants privileges to client PCs based on the first location definition they match.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Policy as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-40 Add/Edit DAP Entry Dialog Box > Policy
Element / Description
Criterion
Shows Policy as the selection criterion.
Location
Select the matching criteria (for example, is) from the drop-down list,
and select the Cisco Secure Desktop Microsoft Windows location
profile from the list. All the locations configured in the Cisco Secure
Desktop Manager are displayed in this list.
Add/Edit DAP Entry Dialog Box > Process
You can specify a set of process names, which form a part of Basic Host Scan. The host scan, which
includes Basic Host Scan and either Endpoint Assessment or Advanced Endpoint Assessment, occurs after
the prelogin assessment but before the assignment of a dynamic access policy. Following the Basic Host
Scan, the security appliance uses the login credentials, the host scan results, prelogin policy, and other
criteria you configure to assign a DAP.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Process as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-41 Add/Edit DAP Entry Dialog Box > Process
Element / Description
Criterion
Shows Process as the selection criterion.
Type
Select one of the following options and assign the associated values:
• Matches—Select if the mere presence of the named process on the
remote PC is sufficient to match the prelogin policy you are configuring.
• Doesn’t Match—Select if the absence of the named process from the
remote PC is sufficient to match the prelogin policy you are configuring.
Endpoint ID
A string that identifies an endpoint for files, processes or registry entries.
Dynamic access policies use this ID to match Cisco Secure Desktop host
scan attributes for dynamic access policy selection. You must configure Host
Scan before you configure this attribute. When you configure Host Scan, the
configuration displays in this pane, so you can select it, reducing the
possibility of errors in typing or syntax.
Path
Select the check box, then select the matching criteria (for example, is) from
the drop-down list, and enter the name of the process. You can display it in
Microsoft Windows by opening the Windows Task Manager window and
clicking the Processes tab.
Configure Host Scan before you configure this attribute. When you
configure Host Scan, the configuration displays in this pane, so you can
select it and specify the same index when you assign this entry as an endpoint
attribute when configuring a DAP, reducing the possibility of errors in typing
or syntax.
Add/Edit DAP Entry Dialog Box > Registry
Registry key scans apply only to computers running Microsoft Windows operating systems.
Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.
Note
Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint
attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35 with the Main tab selected, then
click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry
dialog box is displayed. Select Registry as the Criterion.
Related Topics
• Understanding DAP Attributes, page 26-22
• Configuring DAP Attributes, page 26-25
• Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-42 Add/Edit DAP Entry Dialog Box > Registry
Element / Description
Criterion
Shows Registry as the selection criterion.
Type
Select one of the following options and assign the associated values:
• Matches—Select if the mere presence of the named registry key on the
remote PC is sufficient to match the prelogin policy you are configuring.
For example, select this option if you want to require the following
registry key to be present to match a criterion for assigning a prelogin
policy:
HKEY_LOCAL_MACHINE\SOFTWARE\<Protective_Software>
• Doesn’t Match—Select if the absence of the named registry key from
the remote PC is sufficient to match the prelogin policy you are
configuring. For example, select this option if you want to require the
following registry key to be absent to match a criterion for assigning a
prelogin policy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<Evil_SpyWare>
Registry Name
Select the text that describes the registry name from the list.
Endpoint ID
A string that identifies an endpoint for files, processes or registry entries.
Dynamic access policies use this ID to match Cisco Secure Desktop host
scan attributes for dynamic access policy selection. You must configure Host
Scan before you configure this attribute. When you configure Host Scan, the
configuration displays in this pane, so you can select it, reducing the
possibility of errors in typing or syntax.
Value
Select the value, dword or string, from the list, then select the matching
criteria (whether it equals or does not equal), and enter a decimal or a
string to compare with the dword or string value of the registry key on the
remote PC.
Note
“DWORD” refers to the attribute in the Add/Edit Registry Criterion
dialog box. “Dword” refers to the attribute as it appears in the
registry key. Use the regedit application, accessed on the Windows
command line, to view the Dword value of a registry key, or use it to
add a Dword value to the registry key to satisfy the requirement you
are configuring.
Ignore Case
When selected, ignores the case in the registry entry if it includes a string.
Logical Operators Tab
Use the Logical Operators tab of the Add/Edit Dynamic Access Policy dialog box to configure multiple
instances of the AAA and each type of endpoint attribute that you defined in the DAP Entry dialog box.
On this tab, set each type of endpoint or AAA attribute to require only one instance of a type (Match
Any = OR) or to have all instances of a type (Match All = AND).
• If you configure only one instance of an endpoint category, you do not need to set a value.
• For some endpoint attributes, it is not useful to configure multiple instances. For example, no users
have more than one running OS.
• You are configuring the Match Any/Match All operation within each endpoint type. The security
appliance evaluates each type of endpoint attribute, and then performs a logical AND operation on
all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the
endpoints you configure, as well as the AAA attributes.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35, then click the Logical Operators tab.
Related Topics
•
Understanding DAP Attributes, page 26-22
•
Configuring DAP Attributes, page 26-25
•
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-43
Add/Edit Dynamic Access Policy Dialog Box > Logical Operators Tab
Element
Description
AAA
Select one of the following options if you defined the AAA attribute in the
dynamic access policy:
•
Match Any—Creates an OR relationship among the attributes.
Attributes matching any of your criteria are included in the filter. The
security appliance grants a user access to a session if any one of the
attributes matches your criteria.
•
Match All—Creates an AND relationship among the attributes. The
security appliance grants a user access to a session only if the
attributes match all of your criteria.
•
Match None—Creates a NOT relationship among the attributes. The
dynamic access policy specifies that none of the attributes of the user
need to match to be granted access to a session.
Anti-Spyware
Select one of the following options if you defined Anti-Spyware as an
endpoint attribute:
•
Match Any—Creates an OR relationship among the attributes. Policies
matching any instance of your criteria are used to authorize users.
•
Match All—Creates an AND relationship among the attributes. Only
those attributes matching all your criteria are used to authorize users.
Anti-Virus
Select one of the following options if you defined Anti-Virus as an
endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the Antivirus endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Application
Select one of the following options if you defined Application as an
endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the Application endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
File
Select one of the following options if you defined File as an
endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the File endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Policy
Select one of the following options if you defined Policy as an
endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the Policy endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Personal Firewall
Personal firewall rules let you specify applications and ports for the firewall
to allow or block. Select one of the following options if you defined Personal
Firewall as an endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the Personal Firewall endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Process
Select one of the following options if you defined Process as an
endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the Process endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Registry
Registry key scans apply only to computers running Microsoft Windows
operating systems. Basic Host Scan ignores registry key scans if
the computer is running Mac OS or Linux.
Select one of the following options if you defined Registry as an
endpoint attribute:
•
Match Any—Set to require that user authorization attributes match any
of the values in the Registry endpoint attributes you are configuring.
•
Match All—Set to require that user authorization attributes match all of
the values in the endpoint attributes you are configuring, as well as
satisfying the AAA attribute.
Advanced Expressions Tab
Use the Advanced Expressions tab of the Add/Edit Dynamic Access Policy dialog box to set additional
attributes for the dynamic access policy. You can configure multiple instances of each type of endpoint
attribute. Be aware that this is an advanced feature that requires knowledge of LUA (www.lua.org).
Note
For detailed information about advanced expressions, see About Advanced Expressions for AAA or
Endpoint Attributes and Examples of DAP Logical Expressions.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, page 27-35, then click the Advanced
Expressions tab.
Related Topics
•
Understanding DAP Attributes, page 26-22
•
Configuring DAP Attributes, page 26-25
•
Configuring Dynamic Access Policies, page 26-20
Field Reference
Table 27-44
Add/Edit Dynamic Access Policy Dialog Box > Advanced Expressions Tab
Element
Description
Basic Expressions
This text box is populated with basic expressions based on the endpoint
and AAA attributes that you configured in the dynamic access policy.
Relationship Drop-down List
Specify the relationship between the basic selection rules and the
logical expressions you enter on this tab, that is, whether the new
attributes add to or substitute for the AAA and endpoint attributes
already set. Select one of the following options:
•
Basic AND Advanced—Creates an AND relationship between the
basic and advanced expressions. Both the basic and advanced
expressions defined in the dynamic access policy are considered
while authenticating users.
By default, this option is selected.
•
Basic OR Advanced—Creates an OR relationship between the
basic and advanced expressions. Users are granted access to a
session if either the basic or advanced expressions in the dynamic
access policy are matched with the user policy.
•
Basic Only—Only the basic expressions defined in the DAP entry
are used to determine whether the security appliance grants users
access to a particular session.
•
Advanced Only—Only the advanced expressions defined in the
DAP entry are used to authorize users for an SSL VPN session.
Advanced Expressions
Enter one or more logical expressions to set AAA or endpoint attributes
other than what is possible in the AAA and Endpoint areas above.
Enter free-form LUA text that defines new AAA and/or endpoint
selection attributes. Security Manager does not validate text that you
enter here; it just copies this text to the dynamic access policy XML
file, and the security appliance processes it, discarding any expressions
it cannot parse.
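The evaluation order described by the Logical Operators tab and the Relationship list above (Match Any, Match All or Match None within one attribute type, a logical AND across all configured types, and then the basic/advanced relationship) is worked through below as an added Python example. It is not part of the Cisco documentation or of Security Manager; the attribute names, criterion helpers, session records and the Python callable that stands in for a Lua advanced expression are all assumptions made for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# One connection attempt, as the AAA server and Host Scan would describe it.
# Every record below is constructed sample data, not real Host Scan output.
Session = Dict[str, object]
# A criterion is one row of the DAP entry (one AAA or endpoint attribute check).
Criterion = Callable[[Session], bool]
# A category pairs the Logical Operators tab setting with that type's criteria:
# "any" = Match Any (OR), "all" = Match All (AND), "none" = Match None (NOT, AAA only).
Category = Tuple[str, List[Criterion]]


def match_category(mode: str, criteria: List[Criterion], session: Session) -> bool:
    """Apply the Match Any / Match All / Match None setting to one attribute type."""
    if not criteria:
        return True  # a type with no criteria imposes no condition
    results = [criterion(session) for criterion in criteria]
    if mode == "any":
        return any(results)
    if mode == "all":
        return all(results)
    if mode == "none":
        return not any(results)
    raise ValueError(f"unknown match mode: {mode!r}")


def basic_match(policy: Dict[str, Category], session: Session) -> bool:
    """The appliance ANDs the attribute types together: every configured type must hold."""
    return all(match_category(mode, criteria, session) for mode, criteria in policy.values())


def dap_entry_matches(policy: Dict[str, Category], relationship: str,
                      advanced: Optional[Criterion], session: Session) -> bool:
    """Combine the basic expressions with the Advanced Expressions tab per the relationship."""
    basic = basic_match(policy, session)
    if advanced is None:
        return basic  # nothing entered on the Advanced Expressions tab: basic rules decide
    adv = advanced(session)
    if relationship == "basic_and_advanced":
        return basic and adv
    if relationship == "basic_or_advanced":
        return basic or adv
    if relationship == "basic_only":
        return basic
    if relationship == "advanced_only":
        return adv
    raise ValueError(f"unknown relationship: {relationship!r}")


# Hypothetical criterion builders standing in for rows of the DAP Entry dialog box.
def aaa_group(name: str) -> Criterion:
    return lambda s: name in s.get("memberOf", [])

def av_installed(vendor: str) -> Criterion:
    return lambda s: vendor in s.get("antivirus", {})

def av_updated_within(vendor: str, days: int) -> Criterion:
    return lambda s: s.get("antivirus", {}).get(vendor, {}).get("days_since_update", 10**6) <= days

def registry_dword_equals(key: str, value: int) -> Criterion:
    return lambda s: s.get("registry", {}).get(key) == value


# Constructed policy: AAA Match Any, Anti-Virus Match All, Registry Match Any, ANDed together.
EXAMPLE_POLICY: Dict[str, Category] = {
    "AAA": ("any", [aaa_group("Engineering"), aaa_group("Contractors")]),
    "Anti-Virus": ("all", [av_installed("AcmeAV"), av_updated_within("AcmeAV", 7)]),
    "Registry": ("any", [registry_dword_equals(r"HKLM\SOFTWARE\Example\Managed", 1)]),
}

# On the appliance an advanced expression is Lua text; a Python callable stands in here.
def example_advanced(s: Session) -> bool:
    return s.get("os") == "Windows"

SESSION_OK: Session = {
    "memberOf": ["Engineering"], "os": "Windows",
    "antivirus": {"AcmeAV": {"days_since_update": 2}},
    "registry": {r"HKLM\SOFTWARE\Example\Managed": 1},
}
# Same endpoint, but the antivirus definitions are 30 days old: fails the Match All AV type.
SESSION_STALE_AV: Session = {**SESSION_OK, "antivirus": {"AcmeAV": {"days_since_update": 30}}}

if __name__ == "__main__":
    for name, sess in (("ok", SESSION_OK), ("stale-av", SESSION_STALE_AV)):
        for rel in ("basic_and_advanced", "basic_or_advanced"):
            print(name, rel, dap_entry_matches(EXAMPLE_POLICY, rel, example_advanced, sess))
```

The stale-antivirus session shows why the Relationship setting matters: under the default Basic AND Advanced it is refused, while Basic OR Advanced lets the advanced expression alone admit it, so an advanced expression that is looser than the basic rules silently widens the policy.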
Cisco Secure Desktop Manager Policy Editor Dialog Box
Using the Cisco Secure Desktop Manager (CSDM) Policy Editor dialog box, you can configure prelogin
policies, specify the checks to be performed between the time the user establishes a connection with the
security appliance and the time the user enters the login credentials, and configure host scans. For an
explanation of configuring CSD on an ASA device, see Configuring Cisco Secure Desktop Policies on
ASA Devices, page 26-26.
Note
The Cisco Secure Desktop Manager Policy Editor is an independent program. For information about
configuring CSD, and what CSD can do for you, see the materials available online at
http://www.cisco.com/en/US/products/ps6742/tsd_products_support_configure.html. Look specifically
for information on configuring prelogin policies and host scan. Select the configuration guide for the
CSD version you are configuring.
Navigation Path
Open the Dynamic Access Page (ASA), page 27-33, then click Configure from the Cisco Secure
Desktop section (you must first specify a CSD package). The CSDM Policy Editor dialog box
is displayed.
Related Topics
•
Understanding DAP Attributes, page 26-22
•
Configuring DAP Attributes, page 26-25
•
Configuring Dynamic Access Policies, page 26-20
Global Settings Page
Use the Global Settings page to define global settings for IKE, IPsec, NAT, and fragmentation that apply
to devices in your remote access VPN.
Navigation Path
•
(Device View) Select Remote Access VPN > Global Settings from the Policy selector.
•
(Policy View) Select Remote Access VPN > Global Settings from the Policy Type selector. Select
an existing policy or create a new one.
Field Reference
Table 27-45
Global Settings Page
Element
Description
ISAKMP/IPsec Settings tab
Enables you to specify global settings for IKE and IPsec.
For a description of the elements on this tab, see ISAKMP/IPsec
Settings Tab, page 27-60.
NAT Settings tab
Enables you to specify global Network Address Translation (NAT)
settings to enable devices that use internal IP addresses to send and
receive data through the Internet.
For a description of the elements on this tab, see NAT Settings Tab,
page 27-63.
General Settings tab
Enables you to define fragmentation settings and other global settings
on devices in your remote access VPN.
For a description of the elements on this tab, see General Settings Tab,
page 27-64.
ISAKMP/IPsec Settings Tab
Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify global settings for IKE
and IPsec.
Navigation Path
Open the Global Settings Page, page 27-60, or click the ISAKMP/IPsec Settings tab from any other tab
in the VPN Global Settings page.
Related Topics
•
Global Settings Page, page 27-60
•
Understanding Remote Access VPN Global Settings, page 26-28
•
Configuring Remote Access VPN Global Settings, page 26-28
•
Understanding IKE, page 22-1
•
Understanding IPsec Tunnel Policies, page 22-5
•
Understanding ISAKMP/IPsec Settings, page 22-13
Field Reference
Table 27-46
Global Settings > ISAKMP/IPsec Settings Tab
Element
Description
ISAKMP Settings
Enable Keepalive
When selected, enables you to configure IKE keepalive as the default
failover and routing mechanism for your devices.
Interval (seconds)
The number of seconds that a device waits between sending IKE
keepalive packets. The default is 10 seconds.
Retry (seconds)
The number of seconds a device waits between attempts to establish an
IKE connection with the remote peer. The default is 2 seconds.
Periodic
Available only if Enable Keepalive is selected and supported on routers
running IOS version 12.3(7)T and later, except 7600 devices.
When selected, enables you to send dead-peer detection (DPD) keepalive
messages even if there is no outbound traffic to be sent. Usually, DPD
keepalive messages are sent between peer devices only when no
incoming traffic is received but outbound traffic needs to be sent.
For more information, see Understanding ISAKMP/IPsec Settings,
page 22-13.
Identity
During Phase I IKE negotiations, peers must identify themselves to
each other. Select one of the following:
•
Address—Use the IP address of the host exchanging ISAKMP
identity information.
•
Hostname—Use the fully-qualified domain name of the host
exchanging ISAKMP identity information.
•
Distinguished Name (IOS devices only)—Use a distinguished
name (DN) to identify a user group name.
•
Auto (ASA devices only)—Determine ISAKMP negotiation by
connection type; IP address for preshared key or certificate
distinguished name for certificate authentication.
SA Requests System Limit
Supported on routers running Cisco IOS Release 12.3(8)T and later,
except 7600 routers.
The maximum number of SA requests allowed before IKE starts
rejecting them.
You can enter a value in the range of 0-99999.
Note
Make sure the value you enter equals or exceeds the number of
peers connected to the device.
SA Requests System Threshold
Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
The percentage of system resources that can be used before IKE starts
rejecting new SA requests.
IPsec Settings
Enable Lifetime
Select to enable you to configure the global lifetime settings for the
crypto IPsec SAs on the devices in your remote access VPN.
Lifetime (secs)
The number of seconds a security association will exist before expiring.
The default is 3,600 seconds (1 hour).
Lifetime (kbytes)
The volume of traffic (in kilobytes) that can pass between IPsec peers
using a given security association before it expires. The default is
4,608,000 kilobytes.
Xauth Timeout (seconds)
Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
The number of seconds the device will wait for a system response to the
Xauth challenge.
When negotiating tunnel parameters for establishing IPsec tunnels in a
remote access configuration, Xauth adds another level of authentication
that identifies the user who requests the IPsec connection. Using the
Xauth feature, the client waits for a “username/password” challenge
after the IKE SA was established. When the end user responds to the
challenge, the response is forwarded to the IPsec peers for an additional
level of authentication.
Max Sessions
(ASA and PIX 7.0+ only.)
The maximum number of Security Associations (SAs) that can be
enabled simultaneously on the device. The maximum number differs
based on device model. For ASA devices, the limits are:
•
5505—10 sessions.
•
5510—250 sessions.
•
5520—750 sessions.
•
5540, 5550, 5580—5000 sessions.
•
5585—10000 sessions.
Enable IPsec via Sysopt (PIX and ASA only)
Supported on ASA devices, and PIX Firewalls versions 6.3 or 7.0.
When selected (the default), specifies that any packet that comes from
an IPsec tunnel is implicitly trusted (permitted), that is, it is not
checked against the access rules of the interface on which it arrives.
NAT Settings Tab
Use the NAT Settings tab of the Global Settings page to define global Network Address Translation
(NAT) settings that enable devices that use internal IP addresses to send and receive data through
the Internet.
Navigation Path
Open the Global Settings Page, page 27-60, then click the NAT Settings tab.
Related Topics
•
Understanding NAT, page 22-13
•
Global Settings Page, page 27-60
•
Understanding Remote Access VPN Global Settings, page 26-28
•
Configuring Remote Access VPN Global Settings, page 26-28
Field Reference
Table 27-47
Global Settings > NAT Settings Tab
Element
Description
Enable Traversal Keepalive
When selected, enables you to configure NAT traversal keepalive on
a device.
NAT traversal keepalive is used for the transmission of keepalive
messages when there is a device (middle device) located between a
VPN-connected hub and spoke, and that device performs NAT on the
IPsec flow.
Note
On Cisco IOS routers, NAT traversal is enabled by default. If
you want to disable the NAT traversal feature, you must do this
manually on the device or using a FlexConfig (see Chapter 7,
“Managing FlexConfigs”).
For more information, see Understanding NAT, page 22-13.
Interval
Available when NAT Traversal Keepalive is enabled.
The interval, in seconds, between the keepalive signals sent between
the spoke and the middle device to indicate that the session is active.
The NAT keepalive value can be from 5 to 3600 seconds. The default is
10 seconds.
Enable Traversal over TCP
Supported on PIX 7.0 and ASA devices.
When selected, encapsulates both the IKE and IPsec protocols within a
TCP packet and enables secure tunneling through both NAT and PAT
devices and firewalls.
TCP Ports
Available only when Enable Traversal over TCP is selected.
The TCP ports for which you want to enable NAT traversal. You must
configure TCP ports on the remote clients and on the VPN device. The
client configuration must include at least one of the ports you set for the
security appliance. You can enter up to 10 ports.
General Settings Tab
Use the General Settings tab of the Global Settings page to define fragmentation settings and other
global settings on devices in your remote access VPN.
Navigation Path
Open the Global Settings Page, page 27-60, then click the General Settings tab.
Related Topics
•
Understanding Fragmentation, page 22-15
•
Understanding Remote Access VPN Global Settings, page 26-28
•
Configuring Remote Access VPN Global Settings, page 26-28
•
Global Settings Page, page 27-60
Field Reference
Table 27-48
Global Settings > General Settings Tab
Element
Description
Fragmentation Settings
Fragmentation mode
Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
Fragmentation minimizes packet loss in a VPN tunnel when packets are
transmitted over a physical interface that cannot support the original
size of the packet.
Select the required fragmentation mode option from the list:
•
No Fragmentation—Select if you do not want to fragment prior to
IPsec encapsulation.
•
End to End MTU Discovery—Select to use ICMP messages for
the discovery of MTU.
End-to-end MTU discovery uses Internet Control Message
Protocol (ICMP) messages to determine the maximum MTU that a
host can use to send a packet through the VPN tunnel without
causing fragmentation.
•
Local MTU Handling—Select to set the MTU locally on the
devices. This option is typically used when ICMP is blocked.
Local MTU Size
Supported on Cisco IOS routers and Catalyst 6500 /7600 devices, when
Local MTU Handling is the selected fragmentation mode option.
Note
The permitted MTU size is between 68 and 65535 bytes
depending on the VPN interface.
DF Bit
Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0
and ASA devices.
A Don’t Fragment (DF) bit is a bit in an IP header that determines
whether a device is allowed to fragment a packet.
Select the required setting for the DF bit:
•
Copy—To copy the DF bit from the encapsulated header in the
current packet to all the device’s packets. If the packet’s DF bit is
set to fragment, all packets will be fragmented.
•
Set—To set the DF bit in the packet you are sending. A packet that
exceeds the MTU will be dropped and an ICMP message sent to the
packet’s initiator.
•
Clear—To cause the device to fragment packets regardless of the
original DF bit setting. If ICMP is blocked, MTU discovery fails
and packets are fragmented only after encryption.
Enable Fragmentation Before Encryption
Supported on Cisco IOS routers, Catalyst 6500 /7600 devices, PIX 7.0
and ASA devices.
When selected, enables fragmentation before encryption, if the
expected packet size exceeds the MTU.
Lookahead Fragmentation (LAF) is used before encryption takes place
to calculate the packet size that would result after encryption,
depending on the transform sets configured on the IPsec SA. If the
packet size exceeds the specified MTU, the packet will be fragmented
before encryption.
Enable Notification
on Disconnection
Supported on PIX 7.0 and ASA devices.
When selected, enables the device to notify qualified peers of sessions
that are about to be disconnected. The peer receiving the alert decodes
the reason and displays it in the event log or in a pop-up window. This
feature is disabled by default.
IPsec sessions may be dropped for several reasons, such as, a security
appliance shutdown or reboot, session idle timeout, maximum
connection time exceeded, or administrator cut-off.
Enable Spoke-to-Spoke Connectivity through the Hub
Supported on PIX 7.0 and ASA devices.
When selected, enables direct communication between spokes in
a hub-and-spoke VPN topology, in which the hub is an ASA or
PIX 7.0 device.
Enable Default Route
Supported on Cisco IOS routers and Catalyst 6500 /7600 devices.
When selected, the device uses the configured external interface as the
default outbound route for all incoming traffic.
Group Policies Page
In the Group Policies page, you can view the user group policies defined for your ASA SSL VPN
connection profile. From this page, you can specify new ASA user groups and edit existing ones.
Tip
Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic
Access policy, an ASA device checks for Group policies that specify the setting.
Each row in the table represents an ASA group policy object, displaying the name of the policy object
assigned to the SSL VPN connection profile, whether it is stored on the ASA device itself (Internal) or
on a AAA server (External), and whether the group is for IPSec, SSL, or both types of VPN. For external
groups, the protocol is unknown and listed as N/A.
•
To add an ASA group policy object, click the Add Row button. This opens an object selector, from
which you can select an existing policy object or click the Create button to create a new object.
•
To edit an object, select it and click the Edit Row button to open the ASA Group Policies Dialog
Box, page 28-1.
•
To delete an object from the policy, select it and click the Delete Row button. The associated policy
objects are not deleted, they are only removed from this policy.
Navigation Path
•
(Device view) Select an ASA device, then select Remote Access VPN > Group Policies from the
Policy selector.
•
(Policy view) Select Remote Access VPN > Group Policies (ASA) from the Policy selector. Select
an existing policy or create a new one.
Related Topics
•
Creating Group Policies (ASA), page 26-31
Public Key Infrastructure Page
Use the Public Key Infrastructure page to select the CA servers to use for creating a Public Key
Infrastructure (PKI) policy for generating enrollment requests for CA certificates.
Note
To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall
version 6.3 between reloads, you must configure the ca save all command. You can do this manually on
the device or by using a FlexConfig (see Chapter 7, “Managing FlexConfigs”).
Navigation Path
•
(Device View) Select Remote Access VPN > Public Key Infrastructure from the Policy selector.
•
(Policy View) Select Remote Access VPN > Public Key Infrastructure from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
•
Understanding Public Key Infrastructure Policies, page 22-26
•
Configuring Public Key Infrastructure Policies, page 26-33
•
Configuring Public Key Infrastructure Policies, page 22-31
Field Reference
Table 27-49
Public Key Infrastructure Page
Element
Description
Available CA Servers
Lists the CA servers available for selection.
Select the required CA servers and click >>.
CA servers are defined as PKI enrollments objects that contain server
information and enrollment parameters required for creating enrollment
requests for CA certificates.
If the required CA server is not included in the list, click Create to open the
PKI Enrollment Dialog Box, page 28-33 that enables you to create a PKI
enrollment object. You can also edit the properties of a CA server by
selecting it and clicking Edit.
Note
When creating or editing a PKI enrollment object, you must
configure each remote component (spoke) with the name of the user
group to which it connects. You specify this information in the
Organization Unit (OU) field in the Certificate Subject Name tab of
the PKI Enrollment Editor dialog box. In addition, the certificate
issued to the client should have OU as the name of the user group.
For more information, see PKI Enrollment Dialog Box—Certificate
Subject Name Tab, page 28-40.
Selected CA Servers
The selected CA servers.
To remove a CA server from this list, select it and click <<. You can select
more than one CA server at a time.
Certificate to Connection Profile Maps > Policies Page
Use the Policies page to configure the matching policies for any remote client connecting to the device.
Navigation Path
•
(Device View) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate
to Connection Profile Maps > Policies from the Policy selector.
•
(Policy View) Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps
> Policies from the Policy Type selector. Select an existing policy or create a new one.
Related Topics
•
Understanding Certificate to Connection Profile Map Policies (ASA), page 26-34
•
Configuring Certificate to Connection Profile Map Policies (ASA), page 26-35
Field Reference
Table 27-50
Certificate to Connection Profile Maps > Policies Page
Element
Description
Use Configured Rules to Match a Certificate to a Group
When selected, the server uses the configured rules to establish
authentication and determine which tunnel group to map the client to.
Use Certificate Organization Unit field to Determine the Group
When selected (default), the server uses the organizational unit
(OU) field to establish authentication and determine which tunnel
group to map the client to.
Use IKE Identity to Determine the Group
When selected (default), the server uses the IKE identity to establish
authentication and determine which tunnel group to map the client to.
Use Peer IP Address to Determine the Group
When selected (the default), the server uses the peer IP address to
establish authentication and determine which tunnel group to map
the client to.
Certificate to Connection Profile Maps > Rules Page
Use the Rules page to configure the matching rules and parameters for any remote client connecting to
the device. These rules are used only if you select Use Configured Rules to Match a Certificate to a
Group in the Certificate to Connection Profile Maps > Policies policy (see Certificate to Connection
Profile Maps > Policies Page, page 27-67).
Note
A connection profile must exist in the configuration before you can create and map a matching rule to
it. If you unassign a connection profile after creating a matching rule, the rules that are mapped to the
connection profile are unassigned. See Configuring Connection Profiles (ASA), page 26-18.
Navigation Path
(Device View only) Select an ASA device; then select Remote Access VPN > IPSec VPN > Certificate
to Connection Profile Maps > Policies from the Policy selector.
Related Topics
•
Understanding Certificate to Connection Profile Map Rules (ASA), page 26-35
•
Configuring Certificate to Connection Profile Map Rules (ASA), page 26-36
Field Reference
Table 27-51
Certificate to Connection Profile Maps > Rules Page
Element
Description
Maps table
The connection profile maps for which connection rules are defined. Each
row is a profile map, which includes a map name, the name of the connection
profile that is being mapped, and the priority of the map (lower numbers have
higher priority).
•
To configure rules for this map, select it and then use the rules table to
create, edit, and delete the rules.
•
To add a map, click the Add Row button and fill in the Map Rule Dialog
Box (Upper Table), page 27-69.
•
To edit map properties (not rules), select it and click the Edit Row button.
•
To delete an entire map, select it and click the Delete Row button.
Rules table
The rules for the map selected in the upper table. You must ensure that the
map is actually selected in the upper table: the group title above the rules
table should say “Details for (Connection Profile Name).”
When you select a map, the table shows all rules configured for the map,
including the field (subject or issuer), certificate component, matching
operator, and the value that the rule is looking for. The remote user must match
all configured rules in a map for the device to use the mapped connection profile.
•
To add a rule, click the Add Row button and fill in the Map Rule Dialog
Box (Lower Table), page 27-70.
•
To edit a rule, select it and click the Edit Row button.
•
To delete a rule, select it and click the Delete Row button.
Default Connection Profile
Select the default connection profile to be used if no matching rules are found.
Map Rule Dialog Box (Upper Table)
Use the Map Rule dialog box, when opened for the maps table in the upper pane of the Certificate to
Connection Profile Maps > Rules policy, to configure maps for which you can then configure rules in
the lower pane of the Rules policy.
Navigation Path
On the Certificate to Connection Profile Maps > Rules Page, page 27-68, click Add Row in the upper
pane or select a row in the upper table and click Edit Row.
Related Topics
•
Certificate to Connection Profile Maps > Rules Page, page 27-68
•
Map Rule Dialog Box (Lower Table), page 27-70
Field Reference
Table 27-52
Map Rule Dialog Box (Upper Pane)
Element
Description
Connection Profile
Select the connection profile for which you are creating matching rules.
Clients attempting to connect to this connection profile must satisfy the
associated matching rule conditions to connect to the device.
Priority
The priority number of the matching rule. A lower number has a higher
priority. For example, a matching rule with a priority number of 2, has a
higher priority than a matching rule with a priority number of 5.
If you create multiple maps, they are processed in priority order, and the first
matching rule determines to which profile the user is mapped.
Map Name
The name of the connection profile map.
Map Rule Dialog Box (Lower Table)
Use the Map Rule dialog box, when opened for the rules table in the lower pane of the Certificate to
Connection Profile Maps > Rules policy, to configure rules for the map selected in the maps table (upper
pane of the Rules policy).
Navigation Path
On the Certificate to Connection Profile Maps > Rules Page, page 27-68, click Add Row in the lower
pane or select a row in the lower table and click Edit Row.
Related Topics
• Certificate to Connection Profile Maps > Rules Page, page 27-68
• Map Rule Dialog Box (Upper Table), page 27-69
Field Reference
Table 27-53 Map Rule Dialog Box (Lower Pane)
Field
    Select the field for the matching rule: the Subject or the Issuer of the client certificate.
Component
    Select the component of the client certificate to use for the matching rule.
Operator
    Select the operator for the matching rule as follows:
    • Equals—The certificate component must match the entered value exactly. If it does not, the connection is denied.
    • Contains—The certificate component must contain the entered value. If the component does not contain the value, the connection is denied.
    • Does Not Equal—The certificate component cannot equal the entered value. For example, for a selected certificate component of Country and an entered value of USA, if the client country value equals USA, the connection is denied.
    • Does Not Contain—The certificate component cannot contain the entered value. For example, for a selected certificate component of Country and an entered value of USA, if the client country value contains USA, the connection is denied.
Value
    The value of the matching rule. The value entered is associated with the selected component and operator.
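The map evaluation that Tables 27-52 and 27-53 describe, as an added example (not Security Manager code): maps are tried in ascending priority order, every rule in a map must hold, and the default connection profile applies when no map matches. The certificate dict layout, the treatment of a missing component as an empty string, the rule that a map with no rules never matches, and the sample maps and certificates are assumptions.

```python
"""Certificate-to-connection-profile map evaluation (Tables 27-52/27-53).

Added example, not Security Manager code. Assumptions: a client
certificate is a dict {"Subject": {...}, "Issuer": {...}} of DN
components; an absent component compares as an empty string; maps are
tried in ascending priority order and every rule in a map must hold;
a map with no rules never matches."""
from dataclasses import dataclass
from typing import Dict, List

OPERATORS = ("Equals", "Contains", "Does Not Equal", "Does Not Contain")


@dataclass(frozen=True)
class Rule:
    field: str      # "Subject" or "Issuer" (the Field column)
    component: str  # DN component, e.g. "C", "O", "OU", "CN"
    operator: str   # one of OPERATORS
    value: str

    def matches(self, cert: Dict[str, Dict[str, str]]) -> bool:
        """Apply the operator to the selected certificate component."""
        actual = cert.get(self.field, {}).get(self.component, "")
        if self.operator == "Equals":            # exact match required
            return actual == self.value
        if self.operator == "Contains":
            return self.value in actual
        if self.operator == "Does Not Equal":
            return actual != self.value
        if self.operator == "Does Not Contain":
            return self.value not in actual
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass(frozen=True)
class CertMap:
    name: str
    priority: int             # lower number = higher priority
    connection_profile: str
    rules: tuple              # every Rule must match

    def matches(self, cert) -> bool:
        return bool(self.rules) and all(r.matches(cert) for r in self.rules)


def select_profile(maps: List[CertMap], cert, default_profile: str) -> str:
    """Return the profile of the first matching map in priority order,
    or the default connection profile when no map matches."""
    for m in sorted(maps, key=lambda m: m.priority):
        if m.matches(cert):
            return m.connection_profile
    return default_profile


# Constructed sample maps and certificates (not from the page).
SAMPLE_MAPS = [
    CertMap("employees", 20, "EmployeeProfile", (
        Rule("Issuer", "O", "Equals", "Example Corp CA"),
        Rule("Subject", "C", "Does Not Equal", "XX"),
    )),
    CertMap("contractors", 10, "ContractorProfile", (
        Rule("Subject", "OU", "Contains", "Contractor"),
    )),
]
CONTRACTOR_CERT = {"Subject": {"CN": "alice", "OU": "Contractor Staff", "C": "US"},
                   "Issuer": {"O": "Example Corp CA"}}
EMPLOYEE_CERT = {"Subject": {"CN": "bob", "OU": "Engineering", "C": "US"},
                 "Issuer": {"O": "Example Corp CA"}}
FOREIGN_CA_CERT = {"Subject": {"CN": "mallory", "C": "US"},
                   "Issuer": {"O": "Some Other CA"}}

if __name__ == "__main__":
    for cert in (CONTRACTOR_CERT, EMPLOYEE_CERT, FOREIGN_CA_CERT):
        print(cert["Subject"]["CN"], "->",
              select_profile(SAMPLE_MAPS, cert, "DefaultRAGroup"))
```

Note that the contractor certificate lands in ContractorProfile even though it also satisfies the employees map, because priority 10 is evaluated before priority 20.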
High Availability Page
Use the High Availability page to configure a High Availability (HA) policy on a Cisco IOS router or
Cisco Catalyst switch in a remote access VPN.
Navigation Path
• (Device View) Select an IOS or Catalyst device; then select Remote Access VPN > IPSec VPN > High Availability from the Policy selector.
• (Policy View) Select Remote Access VPN > IPSec VPN > High Availability from the Policy Type selector. Select an existing policy or create a new one.
Related Topics
• Understanding High Availability in Remote Access VPNs (IOS), page 26-41
• Configuring a High Availability Policy, page 26-41
Field Reference
Table 27-54 High Availability Page
Inside Virtual IP
    The IP address that will be shared by the hubs in the HA group and will represent the inside interface of the HA group. The virtual IP address must be on the same subnet as the inside interfaces of the hubs in the HA group.
    Note: You must provide an inside virtual IP that matches the subnet of one of the interfaces on the device, in addition to a VPN virtual IP that matches the subnet of one of the device's interfaces and is configured with an IPsec proposal; otherwise an error is displayed.
    Note: If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.
    You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.
Inside Mask
    The subnet mask for the inside virtual IP address.
VPN Virtual IP
    The IP address that will be shared by the hubs in the HA group and will represent the VPN interface of the HA group. This IP address will serve as the hub endpoint of the VPN tunnel.
    You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated.
    Note: If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device.
VPN Mask
    The subnet mask for the VPN virtual IP address.
Hello Interval
    The duration in seconds (within the range of 1-254) between each hello message sent by a hub to the other hubs in the group to indicate status and priority. The default is 5 seconds.
Hold Time
    The duration in seconds (within the range of 2-255) that a standby hub will wait to receive a hello message from the active hub before concluding that the hub is down. The default is 15 seconds.
Standby Group Number (Inside)
    The standby number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 1.
Standby Group Number (Outside)
    The standby number of the outside hub interface that matches the external virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 2.
    Note: The outside standby group number must be different from the inside standby group number.
Failover Server
    The IP address of the inside interface of the remote peer device.
    You can click Select to open the Network/Hosts Selector, from which you can select a host from which the IP address of the remote peer will be allocated.
Enable Stateful Failover
    When selected, enables SSO for stateful failover.
    Note: In an Easy VPN topology, this check box appears selected and disabled, as stateful failover must always be configured.
    You can only configure stateful failover on an HA group that contains two hubs that are Cisco IOS routers. This check box is disabled if the HA group contains more than two hubs.
    Note: When deselected in a Regular IPsec topology, stateless failover is configured on the HA group. Stateless failover will also be configured if the HA group contains more than two hubs. Stateless failover can be configured on Cisco IOS routers or Catalyst 6500/7600 devices.
IKE Proposal Page
Use the IKE Proposal page to select the IKE proposals to use for your remote access VPN server.
Navigation Path
• (Device view) Select Remote Access VPN > IKE Proposal from the Policy selector.
• (Policy view) Select Remote Access VPN > IKE Proposal from the Policy type selector and select an existing policy or create a new one.
Related Topics
• Remote Access VPN Configuration Wizard, page 27-1
• Understanding IKE, page 22-1
• Understanding IKE Proposals in Remote Access VPNs, page 26-37
• Configuring IKE Proposals on a Remote Access VPN Server, page 26-37
• Deciding Which Encryption Algorithm to Use, page 22-2
• Deciding Which Hash Algorithm to Use, page 22-2
• Deciding Which Diffie-Hellman Group to Use, page 22-3
• Deciding Which Authentication Method to Use, page 22-3
Field Reference
Table 27-55 IKE Proposal Page
Available IKE Proposals
    Lists the predefined IKE proposals available for selection. Select the required IKE proposals and click >>.
    IKE proposals are predefined objects. If the required IKE proposal is not included in the list, click Create to open the Add or Edit IKE Proposal Dialog Box, page 28-26, which enables you to create or edit an IKE proposal object.
Selected IKE Proposals
    Lists the selected IKE proposals.
    To remove an IKE proposal from this list, select it and click <<.
    To modify the properties of an IKE proposal, select it and click Edit.
IPsec Proposal Page
An IPsec proposal defines the external interface through which remote access clients connect to the
server, and the encryption and authentication algorithms used to protect the data in the VPN tunnel.
Use the IPsec Proposal page to create or edit IPsec policy definitions for your remote access VPN. For
more information on IPsec proposals, see Understanding IPsec Tunnel Policies, page 22-5 and About
Crypto Maps, page 22-6.
Navigation Path
• (Device View) Select Remote Access VPN > IPSec VPN > IPsec Proposal from the Policy selector.
• (Policy View) Select Remote Access VPN > IPSec VPN > IPsec Proposal from the Policy Type selector. Select an existing policy or create a new one.
Related Topics
• Understanding IPsec Proposals in Remote Access VPNs, page 26-38
• Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
• Defining Accounts and Credential Policies, page 53-14
• Remote Access VPN Configuration Wizard, page 27-1
• IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75
• IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77
Field Reference
Table 27-56 IPsec Proposal Page
Endpoint
    The external interface (or inside VLAN for a Catalyst 6500/7600 device) through which remote access clients will connect to the server.
Transform Sets
    The transform set(s) selected for the policy (the default is tunnel_3des_sha). Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.
RRI
    Shows whether Reverse Route Injection (RRI) is enabled or disabled on the crypto map for the support of VPN clients. For more information, see About Reverse Route Injection, page 22-8.
AAA Authorization
    If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the name of the server groups selected to perform AAA authorization.
AAA Authentication
    If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the name of the server groups selected to perform AAA authentication.
VRF
    If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows whether VRF is enabled or disabled.
DVTI
    If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows whether DVTI is enabled or disabled.
Create button
    Click to open the IPsec Proposal Editor dialog box to create an IPsec proposal.
    If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75.
    If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77.
Edit button
    Select the row of a proposal from the table, then click to open the IPsec Proposal Editor dialog box to edit the selected proposal.
    If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75.
    If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77.
Delete button
    Select the rows of one or more proposals, then click to delete.
IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)
Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
The elements in this dialog box differ according to the selected device. Table 27-57 on page 27-76
describes the elements in the IPsec Proposal Editor dialog box when a PIX 7.0 or ASA device is selected.
Note
For a description of the elements in the dialog box when a Cisco IOS router or Catalyst 6500/7600 is
selected, see Table 27-58 on page 27-78.
Navigation Path
Open the IPsec Proposal Page, page 27-74, then click Create, or select a proposal from the list and
click Edit.
Related Topics
• Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
• Understanding IPsec Tunnel Policies, page 22-5
• Creating Interface Role Objects, page 6-56
• Creating AAA Server Group Objects, page 6-37
Field Reference
Table 27-57 IPsec Proposal Editor (for PIX and ASA Devices)
External Interface
    The external interface (endpoint) through which remote access clients connect to the server.
    An endpoint can be an interface or a set of interfaces that are defined by a particular interface role. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.
Transform Sets
    The transform set or sets to use for your tunnel policy (the default is tunnel_3des_sha). Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel.
    A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.
    If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used.
    Note: You can select up to six transform sets.
    For more information, see About Transform Sets, page 22-7.
Reverse Route Injection
    Note: Available only for ASA devices.
    Select the required option to configure Reverse Route Injection (RRI) on the crypto map in your tunnel policy:
    • None—To disable the RRI configuration on the crypto map.
    • Standard—This is the default. It creates routes based on the destination information defined in the crypto map access control list (ACL).
    For more information, see About Reverse Route Injection, page 22-8.
Enable Network Address Translation Traversal
    Note: Available only for ASA devices.
    When selected (the default), enables you to configure NAT traversal on the device.
    You use NAT traversal when a device (referred to as the middle device) that performs NAT on the IPsec flow is located between a VPN-connected hub and spoke.
    For more information, see Understanding NAT, page 22-13.
IPsec Proposal Editor Dialog Box (for IOS Routers and
Catalyst 6500/7600 Devices)
Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
If you select an IOS router, the IPsec Proposal Editor dialog box displays two tabs—General and
Dynamic VTI/VRF Aware IPsec. If you select a Catalyst 6500/7600, the FWSM Settings tab is
also displayed.
Click the appropriate tab to specify general IPsec settings, configure Dynamic VTI or VRF Aware IPsec,
or both, on the selected device, or configure FWSM on a Catalyst 6500/7600 device.
The elements in this dialog box differ according to the selected device. Table 27-58 on page 27-78
describes the elements on the General tab in the IPsec Proposal Editor dialog box when a Cisco IOS
router or Catalyst 6500/7600 is selected.
Note
For a description of the elements in the dialog box when a PIX 7.0+ or ASA device is selected, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices), page 27-75.
Navigation Path
Open the IPsec Proposal Page, page 27-74, then click Create, or select a proposal from the list and click
Edit. The IPsec Proposal Editor dialog box opens, displaying the General tab.
Related Topics
• VPNSM/VPN SPA Settings Dialog Box, page 27-80
• Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor), page 27-81
• Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
• Creating Interface Role Objects, page 6-56
• Creating AAA Server Group Objects, page 6-37
Field Reference
Table 27-58 IPsec Proposal Editor > General Tab
External Interface
    Note: Available only if the selected device is an IOS router.
    The external interface through which remote access clients will connect to the server.
    An external interface can be defined by a specific interface role. Interface roles are predefined objects. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects.
Inside VLAN
    Note: Available only if the selected device is a Catalyst 6500/7600.
    The inside VLAN that serves as the inside interface to the VPN Services Module (VPNSM) or VPN SPA. Click Select to open a dialog box in which you define the settings that enable you to configure a VPN Services Module (VPNSM) external interface or a VPN SPA blade on the Catalyst 6500/7600 device. See VPNSM/VPN SPA Settings Dialog Box, page 27-80.
    For information about configuring a VPNSM or a VPN SPA, see Configuring VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.
Transform Sets
    The transform set or sets to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms are used to secure the traffic in the tunnel.
    A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see Add or Edit IPSec Transform Set Dialog Box, page 28-28.
    If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security is used.
    Note: You can select up to six transform sets.
    For more information, see About Transform Sets, page 22-7.
Reverse Route Injection
    Select one of the following options to configure Reverse Route Injection (RRI) on the crypto map:
    • None—To disable the configuration of RRI on the crypto map.
    • Standard—The default. It creates routes according to the destination information defined in the crypto map access control list (ACL).
    • Remote Peer—To create two routes, one for the remote endpoint and one for route recursion to the remote endpoint through the interface to which the crypto map is applied.
    • Remote Peer IP—To specify an interface or address as the explicit next hop to the remote VPN device. Then click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to use as the next hop.
    Note: You can select the Allow Value Override per Device check box to override the default route, if required.
    For more information, see About Reverse Route Injection, page 22-8.
Group Policy Lookup/AAA Authorization Method
    The AAA authorization method list that defines the order in which the group policies are searched. Group policies can be configured on the local server or on an external AAA server.
    Note: The default is LOCAL.
    Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.
User Authentication (Xauth)/AAA Authentication Method
    The AAA or Xauth user authentication method that defines the order in which user accounts are searched.
    Note: The default authentication method is LOCAL.
    Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE phase 1 authentication exchange.
    For more information about defining user accounts, see Defining Accounts and Credential Policies, page 53-14.
    Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects.
VPNSM/VPN SPA Settings Dialog Box
Note
This dialog box is available only if the selected device is a Catalyst 6500/7600.
Use the VPNSM/VPN SPA Settings dialog box to specify the settings for configuring a VPN Services
Module (VPNSM) or a VPN Shared Port Adapter (VPN SPA) on a Catalyst 6500/7600 device.
Note
Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device
to the Security Manager inventory and discover its interfaces. For more information, see Configuring
VPNSM or VPN SPA/VSPA Endpoint Settings, page 21-38.
Before you configure VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that an IPsec
proposal with VRF-Aware IPsec and an IPsec proposal without VRF-Aware IPsec were not configured
on the device.
For more information about VPNSM or VPNSPA/VSPA, see Configuring VPNSM or VPN SPA/VSPA
Endpoint Settings, page 21-38.
Navigation Path
In the General tab of the IPsec Proposal Editor Dialog Box (for IOS Routers and
Catalyst 6500/7600 Devices), page 27-77, click Select next to the Inside VLAN field.
Related Topics
• IPsec Proposal Page, page 27-74
• IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77
• Creating Interface Role Objects, page 6-56
Field Reference
Table 27-59 VPNSM/VPN SPA Settings Dialog Box
Inside VLAN
    The inside VLAN that serves as the inside interface to the VPNSM or VPN SPA, and to which the required crypto maps will be applied.
    If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, from which you can make your selection, or create interface role objects.
Slot
    From the list of available slots, select the VPNSM blade slot number to which the inside VLAN interface is connected or the number of the slot in which the VPN SPA blade is inserted.
Subslot
    The number of the subslot (0 or 1) on which the VPN SPA blade is installed.
    Note: If you are configuring a VPNSM, select the blank option.
External Port
    The external port or VLAN that connects to the inside VLAN.
    Note: If VRF-Aware IPsec is configured on the device, the external port or VLAN must have an IP address. If VRF-Aware IPsec is not configured, the external port or VLAN must not have an IP address.
    Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, from which you can make your selection, or create interface role objects.
    Note: You must specify an interface or interface role that differs from the one specified for the inside VLAN.
Enable Failover Blade
    When selected, enables you to configure a failover VPNSM or VPN SPA blade for intrachassis high availability.
    Note: A VPNSM blade and VPN SPA blade cannot be used on the same device as primary and failover blades.
Failover Slot
    From the list of available slots, select the VPNSM blade slot number that serves as the failover blade, or the number of the slot in which the failover VPN SPA blade is inserted.
Failover Subslot
    Select the number of the subslot (0 or 1) on which the failover VPN SPA blade is actually installed.
    Note: If you are configuring a VPNSM, select the blank option.
Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor)
Note
The Dynamic VTI/VRF Aware IPsec tab is available only when the selected device is a Cisco IOS router
or Catalyst 6500/7600.
Use the Dynamic VTI/VRF Aware IPsec tab of the IPsec Proposal Editor to configure VRF Aware IPsec
settings (on a Cisco IOS router or Catalyst 6500/7600 device), configure a dynamic virtual interface on
a Cisco IOS router, or do both, in your remote access VPN.
For more information, see:
• Understanding VRF-Aware IPsec, page 21-13
• Understanding IPsec Proposals in Remote Access VPNs, page 26-38
Navigation Path
In the IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices), page 27-77,
click the Dynamic VTI/VRF Aware IPsec tab.
Related Topics
• IPsec Proposal Page, page 27-74
• Configuring an IPsec Proposal on a Remote Access VPN Server, page 26-39
• Understanding IPsec Tunnel Policies, page 22-5
• Creating Interface Role Objects, page 6-56
Field Reference
Table 27-60 IPsec Proposal Editor > Dynamic VTI/VRF Aware IPsec Tab
Enable Dynamic VTI
    When selected, enables Security Manager to implicitly create a dynamic virtual template interface on an IOS router.
    Note: Dynamic VTI can be configured only on IOS routers running Cisco IOS Release 12.4(2)T and later, except 7600 devices. If the device does not support Dynamic VTI, an error message is displayed.
    For more information, see PVC Dialog Box—QoS Tab, page 52-60.
Enable VRF Settings
    When selected, enables you to configure VRF settings on the device for the selected hub-and-spoke topology.
    Note: To remove VRF settings that were defined for the VPN topology, deselect this check box.
User Group
    When you configure a remote access VPN server, remote clients must have the same group name as the user group object configured on the VPN server so that they can connect to the device.
    Enter the name of the user group policy object associated with the device, or click Select to select it from a list. You can also create new objects or edit existing ones from the selection list.
CA Server
    Select the Certification Authority (CA) server to use for managing certificate requests for the device.
    If the required CA server is not included in the list, click Select to open a dialog box that lists all available CA servers and enables you to create a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page 28-33.
    For more information about IPsec configuration with CA servers, see Understanding Public Key Infrastructure Policies, page 22-26.
Virtual Template IP Type
    Available if you selected the Enable Dynamic VTI check box.
    Specify the virtual template interface to use by clicking one of the following radio buttons:
    • IP—To use an IP address as the virtual template interface. Then specify the private IP address in the IP field. If required, click Select to open the Network/Hosts selector in which you can select a host to be used as the IP address.
    • Use Loopback Interface—To use the IP address taken from an existing loopback interface as the virtual template interface. Then, in the Role field, enter the interface or click Select to select it from the list of interface roles.
    Note: A virtual template IP address is configured only on a server in a remote access VPN.
VRF Solution
    Available if you selected the Enable VRF Settings check box.
    Click one of the following radio buttons to configure the required VRF solution:
    • 1-Box (IPsec Aggregator + MPLS PE)—One device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 21-13.
    • 2-Box (IPsec Aggregator Only)—The PE device does only the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 21-14.
VRF Name
    The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive.
Route Distinguisher
    The unique identifier of the VRF routing table on the IPsec Aggregator. This unique route distinguisher maintains routing separation for each VPN across the MPLS core to the other PE routers.
    The identifier can be in either of the following formats:
    • IP address:X (where X is in the range of 0-999999999).
    • N:X (where N is in the range of 0-65535, and X is in the range of 0-999999999).
    Note: You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it through the device CLI and then deploy again.
Interface Towards Provider Edge
    Available only if the 2-Box radio button is selected.
    The VRF forwarding interface on the IPsec Aggregator towards the PE device.
    Note: If the IPsec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN.
    Interfaces and VLANs are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects.
Routing Protocol
    Available only if the 2-Box radio button is selected.
    Select the routing protocol to use between the IPsec Aggregator and the PE. If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, select the routing protocol for redistributing the routing to the secured IGP.
    The options are BGP, EIGRP, OSPF, RIPv2, or Static route. For information about these protocols, see Chapter 51, “Managing Routers”.
AS Number
    Available only if the 2-Box radio button is selected.
    The number to use to identify the autonomous system (AS) area between the IPsec Aggregator and the PE.
    If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, enter an AS number that identifies the secured IGP into which the routing will be redistributed from the IPsec Aggregator and the PE. This is relevant only if GRE or DMVPN are applied.
    The AS number must be between 1 and 65535.
Process Number
    Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.
    The routing process ID number to use to configure the routing between the IPsec Aggregator and the PE. The process number must be between 1 and 65535.
OSPF Area ID
    Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF.
    The ID number of the area to which the packet belongs. You can enter any number from 0 to 4294967295.
    Note: All OSPF packets are associated with a single area, so all devices must have the same area ID number.
Redistribute Static Route
    Available only if the 2-Box radio button is selected, and for any selected routing protocol other than Static route.
    When selected, enables static routes to be advertised in the routing protocol configured on the IPsec Aggregator towards the PE device.
    Note: If this check box is deselected and Enable Reverse Route Injection is enabled (default) for the IPsec proposal, static routes are still advertised in the routing protocol on the IPsec Aggregator.
Next Hop IP Address
    Available only if the 2-Box radio button is selected and if the selected routing protocol is Static.
    The IP address of the provider edge device (or the interface that is connected to the IPSec aggregator).
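A validator for the VRF-Aware IPsec settings that Table 27-60 describes, as an added example (not Security Manager code): it parses the route distinguisher in both documented formats (IP address:X or N:X with their ranges) and enforces the availability rules of the 2-Box-only and OSPF-only fields. The settings dict keys and the sample values are assumptions.

```python
"""Validation of the VRF-Aware IPsec settings in Table 27-60.

Added example, not Security Manager code. It parses the route
distinguisher in both documented formats (IP address:X or N:X) and
enforces the availability rules of the 2-Box-only and OSPF-only
fields. The settings dict keys and the sample values are assumptions."""
import ipaddress

MAX_X = 999_999_999
ROUTING_PROTOCOLS = ("BGP", "EIGRP", "OSPF", "RIPv2", "Static")
# Fields the table marks "Available only if the 2-Box radio button is selected".
TWO_BOX_ONLY = ("interface_towards_pe", "routing_protocol", "as_number",
                "process_number", "ospf_area_id", "redistribute_static",
                "next_hop_ip")


def parse_route_distinguisher(rd: str):
    """Return ("ip", address, X) or ("asn", N, X); raise ValueError otherwise."""
    left, sep, right = rd.partition(":")
    if not sep or not right.isdigit():
        raise ValueError("route distinguisher must be 'IP address:X' or 'N:X'")
    x = int(right)
    if x > MAX_X:
        raise ValueError("X must be in the range 0-999999999")
    if left.isdigit():                       # N:X form
        n = int(left)
        if n > 65535:
            raise ValueError("N must be in the range 0-65535")
        return ("asn", n, x)
    try:                                     # IP address:X form
        addr = ipaddress.IPv4Address(left)
    except ipaddress.AddressValueError:
        raise ValueError(f"{left!r} is neither an IPv4 address nor an AS number") from None
    return ("ip", str(addr), x)


def _in_range(value, lo, hi):
    return isinstance(value, int) and lo <= value <= hi


def validate_vrf_settings(s: dict) -> list:
    """Return a list of validation errors (empty when the settings are consistent)."""
    errors = []
    solution = s.get("solution")
    if solution not in ("1-Box", "2-Box"):
        errors.append("VRF solution must be 1-Box or 2-Box")
    if not s.get("vrf_name"):
        errors.append("VRF name is required (and is case-sensitive)")
    try:
        parse_route_distinguisher(str(s.get("route_distinguisher", "")))
    except ValueError as exc:
        errors.append(f"route distinguisher: {exc}")
    if solution != "2-Box":                  # 1-Box: none of the 2-Box fields apply
        errors.extend(f"{key} is available only for the 2-Box solution"
                      for key in TWO_BOX_ONLY if key in s)
        return errors
    if not s.get("interface_towards_pe"):
        errors.append("interface towards provider edge is required")
    proto = s.get("routing_protocol")
    if proto not in ROUTING_PROTOCOLS:
        errors.append("routing protocol must be BGP, EIGRP, OSPF, RIPv2 or Static")
    if "as_number" in s and not _in_range(s["as_number"], 1, 65535):
        errors.append("AS number must be between 1 and 65535")
    for key, label, lo, hi in (("process_number", "process number", 1, 65535),
                               ("ospf_area_id", "OSPF area ID", 0, 4294967295)):
        if key in s and proto != "OSPF":
            errors.append(f"{label} is available only when the routing protocol is OSPF")
        elif key in s and not _in_range(s[key], lo, hi):
            errors.append(f"{label} must be between {lo} and {hi}")
    if "redistribute_static" in s and proto == "Static":
        errors.append("redistribute static route is not available for Static route")
    if "next_hop_ip" in s and proto != "Static":
        errors.append("next hop IP address is available only for Static route")
    elif "next_hop_ip" in s:
        try:
            ipaddress.ip_address(s["next_hop_ip"])
        except ValueError:
            errors.append("next hop IP address is not a valid IP address")
    return errors


# Constructed sample settings (not from the page).
SAMPLE_TWO_BOX_OSPF = {
    "solution": "2-Box", "vrf_name": "CustA", "route_distinguisher": "65000:100",
    "interface_towards_pe": "GigabitEthernet0/1", "routing_protocol": "OSPF",
    "process_number": 10, "ospf_area_id": 0, "redistribute_static": True,
}
SAMPLE_ONE_BOX_BAD = {   # X out of range, plus a 2-Box-only field
    "solution": "1-Box", "vrf_name": "CustB",
    "route_distinguisher": "10.0.0.1:1000000000", "routing_protocol": "BGP",
}

if __name__ == "__main__":
    for name, cfg in (("two-box", SAMPLE_TWO_BOX_OSPF), ("one-box", SAMPLE_ONE_BOX_BAD)):
        print(name, validate_vrf_settings(cfg) or "OK")
```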
User Group Policy Page
Use the User Group Policy page to specify user groups for your remote access IPSec VPN server. You can configure user groups on a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500/7600 device.
Navigation Path
• (Device view) Select Remote Access VPN > IPSec VPN > User Groups from the Policy selector.
• (Policy view) Select Remote Access VPN > IPSec VPN > User Groups (IOS/PIX 6.x) from the Policy Type selector and select an existing policy or create a new one.
Related Topics
• Remote Access VPN Configuration Wizard, page 27-1
• Understanding User Group Policies (IOS), page 26-42
• Configuring User Group Policies, page 26-43
Field Reference
Table 27-61
User Group Policy Page
Element
Description
Available User Groups
Lists the predefined user groups available for selection.
Select the required user groups and click >>.
In Security Manager, user groups are objects. If the required user group
is not in the list, click Create to open the User Groups Editor dialog
box, which enables you to create or edit a user group object. See Add
or Edit User Group Dialog Box, page 28-68.
Selected User Groups
Displays the selected user groups.
To remove a user group from this list, select it and click <<.
To modify the properties of a user group, select it and click Edit.
SSL VPN Access Policy Page
Use the SSL VPN Access Policy page to configure access parameters for your SSL VPN. For
information about configuring an Access policy, see Configuring an Access Policy, page 26-45.
Navigation Path
•
(Device View) Select Remote Access VPN > SSL VPN > Access from the Policy selector.
•
(Policy View) Select Remote Access VPN > SSL VPN > Access (ASA) from the Policy Type
selector. Select an existing policy or create a new one.
Related Topics
•
Access Interface Configuration Dialog Box, page 27-87
•
Understanding Interface Role Objects, page 6-55
Field Reference
Table 27-62
SSL VPN Access Policy Page
Element
Description
Access Interface Table
The Access Interface table displays the access settings for each interface.
•
To configure access on an interface, click the Add button (see Access
Interface Configuration Dialog Box, page 27-87).
•
To edit access settings for an interface, select the interface and click the
Edit button (see Access Interface Configuration Dialog Box,
page 27-87).
•
To delete access settings for an interface, select the interface and click
the Delete button.
Port Number
The TCP port on which the security appliance accepts SSL VPN sessions. The
default port is 443, the standard HTTPS port; the range is 1024 through 65535.
If you change the port number, all current SSL VPN connections terminate,
and current users must reconnect.
Note
If HTTP port redirection is enabled, the default HTTP port number
is 80.
Enter the name of a port list, or click Select to open the Port List Selector
from which you can make your selection, or create a port list object. A port
list object is a named definition of one or more port ranges that you use when
defining service objects.
DTLS Port Number
Specify a separate UDP port for DTLS connections. The default port is 443.
Enter the name of a port list, or click Select to open the Port List Selector
from which you can make your selection, or create a port list object. A port
list object is a named definition of one or more port ranges that you use when
defining service objects.
For details about DTLS, see Understanding SSL VPN Client Settings,
page 26-56.
Fallback Trustpoint
Enter or select a trustpoint to use for interfaces that do not have a
trustpoint assigned.
Default Idle Timeout
Amount of time, in seconds, that an SSL VPN session can be idle before the
security appliance terminates it.
This value applies only if the Idle Timeout value in the group policy for the
user is set to zero (0), which means there is no timeout value; otherwise the
group policy Idle Timeout value takes precedence over the timeout you
configure here. The minimum value you can enter is 60 seconds (1 minute).
The default is 30 minutes (1800 seconds). Maximum is 24 hours (86400
seconds).
We recommend that you set this attribute to a short time period. This is
because a browser set to disable cookies (or one that prompts for cookies and
then denies them) can result in a user not connecting but nevertheless
appearing in the sessions database. If the Simultaneous Logins attribute for
the group policy is set to one, the user cannot log back in because the
database indicates that the maximum number of connections already exists.
Setting a low idle timeout removes such phantom sessions quickly, and lets
a user log in again.
Max Session Limit
The maximum number of SSL VPN sessions allowed.
Be aware that the different ASA models support SSL VPN sessions as
follows: ASA 5510 supports a maximum of 150; ASA 5520 maximum is
750; ASA 5540 maximum is 2500.
Allow Users to Select
Connection Profile in
Portal Page
When selected, includes a list of configured Connection Profiles (tunnel
groups) on the SSL VPN end-user interface, from which users can select a
profile when they log in.
When deselected, the user cannot select a profile on login.
Enable AnyConnect
Access
When selected, allows SSL VPN client connections. For details about
AnyConnect SSL VPN clients, see Understanding SSL VPN Client Settings,
page 26-56.
Enable AnyConnect
Essentials
When selected, enables the AnyConnect Essentials feature. For details about
AnyConnect Essentials SSL VPN clients, see Understanding SSL VPN
Client Settings, page 26-56.
Access Interface Configuration Dialog Box
Use the Access Interface Configuration dialog box to create or edit SSL VPN access on a security
appliance interface.
Navigation Path
Open the SSL VPN Access Policy Page, page 27-85, then click Add Row below the table, or select a
row in the table and click Edit Row.
Related Topics
•
Configuring an Access Policy, page 26-45
•
Understanding Interface Role Objects, page 6-55
Field Reference
Table 27-63
SSL VPN Access Policy Page > Access Interface Configuration Dialog Box
Element
Description
Access Interface
Enter the interface on which you want to configure SSL VPN access.
You can click Select to open a dialog box from which you can select an
interface from a list of interface or interface role objects.
Trustpoint
Enter or Select the previously defined trustpoint to be assigned to
this interface.
Load Balancing Trustpoint
If load balancing is configured, you can enter or Select a secondary
trustpoint to be assigned to this interface.
Allow Access
Select this option to enable VPN access via this interface. If the option
is not selected, access is configured on the interface, but it is disabled.
Enable DTLS
When selected, enables Datagram Transport Layer Security (DTLS) on
the interface and allows an AnyConnect VPN Client to establish an SSL
VPN connection using two simultaneous tunnels—an SSL tunnel and a
DTLS tunnel.
Check Client Certificate
When selected, a valid digital certificate is required from the client
for connection.
SSL VPN Other Settings Page
Use the SSL VPN Other Settings page to define global settings for caching, content rewriting, character
encoding, proxy, and memory size definitions that apply to devices in your VPN topology.
For more information, see Configuring Other SSL VPN Settings, page 26-46.
These tabs are available on the SSL VPN Other Settings page.
•
Performance Tab, page 27-88
•
Content Rewrite Tab, page 27-90
•
Encoding Tab, page 27-91
•
Proxy Tab, page 27-94
•
Plug-in Tab, page 27-98
•
SSL VPN Client Settings Tab, page 27-99
•
Advanced Tab, page 27-102
Navigation Path
•
(Device View) Select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
•
(Policy View) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy
Type selector. Select an existing policy or create a new one.
Performance Tab
Use the Performance tab of the SSL VPN Other Settings page to specify caching properties that enhance
SSL VPN performance.
Navigation Path
The Performance tab appears when you open the SSL VPN Other Settings Page, page 27-88. You can
also open it by clicking the Performance tab from any other tab on the SSL VPN Other Settings page.
Related Topics
•
Defining Performance Settings, page 26-47
•
SSL VPN Other Settings Page, page 27-88
Field Reference
Table 27-64
SSL VPN Other Settings > Performance Tab
Element
Description
Enable
When selected, enables the use of cache settings for the security
appliance. This check box is selected by default.
When deselected, the cache settings configured on the security
appliance do not take effect and all the fields under the Performance tab
are grayed out.
Minimum Object Size
The minimum size (in kilobytes) of an HTTP object that can be stored
in the cache on the security appliance.
The range is 0 to 10,000 KB. The default is 0 KB.
Maximum Object Size
The maximum size (in kilobytes) of an HTTP object that can be stored
in the cache on the security appliance.
The range is 0 to 10,000 KB. The default is 1000 KB.
Last Modified Factor
An integer that sets the revalidation policy for cached objects that carry
only a Last-Modified timestamp and no server-set expiration value. The
range is 1-100. The default is 20.
An Expires response header from the origin web server also affects caching.
It indicates the time at which the response becomes stale and should not be
served to the client without an up-to-date check (a conditional GET to the
origin server).
For objects without such a header, the security appliance derives an
expiration time before the object is written to disk. Consistent with the
1-100 range, the factor is applied as a percentage of the object's age at the
time it was fetched:
Freshness lifetime = (Date fetched - Object's Last-Modified date) *
(Last Modified Factor / 100)
For example, with the default factor of 20, an object last modified 10 days
before it was fetched is served from the cache for 2 days before the
security appliance revalidates it.
After the freshness lifetime has passed, the object is considered stale and
the next request causes the security appliance to retrieve fresh content.
The lower the factor, the sooner revalidation occurs; a factor of 100
results in the longest allowable time until revalidation.
Expiration Time
The amount of time (in minutes) that the security appliance caches
objects without revalidating them. The range is 0-900 minutes. The
default is one minute.
Revalidation means re-requesting the object from the origin server
before serving the requested content to the client browser, once the age
of the cached object has exceeded its freshness lifetime. The age of a
cached object is the time that the object has been stored in the security
appliance's cache without the security appliance explicitly contacting
the origin server to check whether the object is still fresh.
Cache Compressed Content
When selected, enables compressed objects (zip, gz, and tar files) for
SSL VPN sessions to be cached on the security appliance.
When you deselect this check box, the security appliance stores objects
before it compresses them.
Cache Static Content
When selected, enables static content to be cached on the
security appliance.
Each web page comprises static and dynamic objects. The security
appliance caches individual static objects, such as image files (*.gif,
*.jpeg), JavaScript files (*.js), and cascading style sheets (*.css).
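The revalidation policy described in the Minimum/Maximum Object Size, Last Modified Factor and Expiration Time rows above, worked through in code. This is an added example written for this page, not code from Cisco Security Manager or the security appliance. It assumes the factor is a percentage of the object's age when fetched, treats an Expires header as taking precedence over the Last-Modified heuristic, and uses constructed header values and fetch times. How the appliance combines the heuristic with the Expiration Time setting is not stated on this page and is not modelled.

```python
"""Model of the SSL VPN cache revalidation policy described above.

Added example for this page; not Cisco code. Assumptions are marked below.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed fetch time: the moment the appliance stored the object.
FETCHED_AT = datetime(2024, 3, 11, 12, 0, tzinfo=timezone.utc)

# Constructed origin-server response headers (RFC 1123 dates, 10 days apart).
LM_ONLY = {"Last-Modified": "Fri, 01 Mar 2024 12:00:00 GMT"}
WITH_EXPIRES = {
    "Last-Modified": "Fri, 01 Mar 2024 12:00:00 GMT",
    "Expires": "Mon, 11 Mar 2024 12:30:00 GMT",
}


def object_cacheable(size_kb, min_kb=0, max_kb=1000):
    """Minimum/Maximum Object Size rows: only objects inside the window are cached."""
    if not (0 <= min_kb <= 10_000 and 0 <= max_kb <= 10_000):
        raise ValueError("object size limits are 0-10,000 KB")
    return min_kb <= size_kb <= max_kb


def heuristic_lifetime(last_modified, fetched_at, lm_factor=20):
    """Freshness lifetime for an object that has only a Last-Modified timestamp.

    Assumption: lm_factor is a percentage of the object's age when fetched, so
    the default of 20 makes an object last modified 10 days ago fresh for 2 days.
    Integer timedelta arithmetic keeps the result exact.
    """
    if not 1 <= lm_factor <= 100:
        raise ValueError("Last Modified Factor range is 1-100")
    return (fetched_at - last_modified) * lm_factor / 100


def freshness_lifetime(headers, fetched_at, lm_factor=20):
    """A server-set Expires header wins; otherwise the Last-Modified heuristic;
    otherwise the object is never fresh and every request revalidates."""
    if "Expires" in headers:
        return parsedate_to_datetime(headers["Expires"]) - fetched_at
    if "Last-Modified" in headers:
        last_modified = parsedate_to_datetime(headers["Last-Modified"])
        return heuristic_lifetime(last_modified, fetched_at, lm_factor)
    return timedelta(0)


def needs_revalidation(headers, fetched_at, now, lm_factor=20):
    """True when the object's age has reached its freshness lifetime (stale), so
    the appliance must send a conditional GET to the origin before serving it."""
    age = now - fetched_at
    return age >= freshness_lifetime(headers, fetched_at, lm_factor)


def revalidate_after_hours(headers, hours, lm_factor=20):
    """Is an object cached at the constructed FETCHED_AT stale `hours` later?"""
    now = FETCHED_AT + timedelta(hours=hours)
    return needs_revalidation(headers, FETCHED_AT, now, lm_factor)


if __name__ == "__main__":
    print("heuristic lifetime:", freshness_lifetime(LM_ONLY, FETCHED_AT))  # 2 days, 0:00:00
    print("stale after 1 day? ", revalidate_after_hours(LM_ONLY, 24))      # False
    print("stale after 3 days?", revalidate_after_hours(LM_ONLY, 72))      # True
    print("Expires wins, stale after 1 hour?", revalidate_after_hours(WITH_EXPIRES, 1))  # True
```

Raising the factor to 100 keeps the same object fresh for its full 10-day age; lowering it forces an earlier conditional GET. Objects outside the size window are never cached, regardless of their headers.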
Content Rewrite Tab
Use the Content Rewrite tab of the SSL VPN Other Settings page to enable the security appliance to
create rewrite rules that permit users to browse certain sites and applications without going through the
security appliance itself.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Content Rewrite tab.
Related Topics
•
Defining Content Rewrite Rules, page 26-48
•
SSL VPN Other Settings Page, page 27-88
Field Reference
Table 27-65
SSL VPN Other Settings > Content Rewrite Tab
Element
Description
Rule Number
An integer that indicates the position of the rule in the list.
The security appliance searches rewrite rules by order number, starting
with the lowest, and applies the first rule that matches.
Rule Name
The name of the application for which the rule applies.
Resource Mask
The application or resource for the rule.
Enable
Indicates whether the content rewrite rule is enabled or not on the
security appliance.
Create button
Opens a dialog box that lets you add a content rewrite rule to the list.
See Add/Edit Content Rewrite Dialog Box, page 27-91.
Edit button
Opens a dialog box that lets you edit a selected content rewrite rule in
the table. See Add/Edit Content Rewrite Dialog Box, page 27-91.
Delete button
Deletes one or more selected content rewrite rules from the table.
Add/Edit Content Rewrite Dialog Box
Use the Add/Edit Content Rewrite dialog box to configure the rewriting engine that includes advanced
elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic over a SSL
VPN connection.
Navigation Path
Open the Content Rewrite Tab, page 27-90, then click Create below the table, or select a row in the table
and click Edit.
Related Topics
•
Defining Content Rewrite Rules, page 26-48
•
SSL VPN Other Settings Page, page 27-88
•
Content Rewrite Tab, page 27-90
Field Reference
Table 27-66
SSL VPN Other Settings > Content Rewrite Tab >Add/Edit Content Rewrite Dialog
Box
Element
Description
Enable
When selected, enables content rewriting on the security appliance for the
rewrite rule.
Some applications do not require this processing, such as external
public websites. For these applications, you might choose to turn off
content rewriting.
Rule Number
Specifies a number for this rule. This number specifies the position of the
rule in the list. Rules without a number are at the end of the list. The range
is from 1 to 65534.
Rule Name
Specifies an alphanumeric string that describes the content rewrite rule. The
maximum is 128 bytes.
Resource Mask
Specifies the name of the application or resource to which the rule applies.
You can use the following wildcards:
•
*—Matches everything. You cannot use this wildcard by itself. It must
accompany an alphanumeric string.
•
?—Matches any single character.
•
[!seq]—Matches any character not in sequence.
•
[seq]—Matches any character in sequence.
The maximum is 300 bytes.
Encoding Tab
Use the Encoding tab of the SSL VPN Other Settings page to specify the character set to encode in SSL
VPN portal pages to be delivered to remote users. By default, the encoding type set on the remote
browser determines the character set for SSL VPN portal pages, so you need to set the character
encoding only if it is necessary to ensure proper encoding on the browser.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Encoding tab.
Related Topics
•
Defining Encoding Rules, page 26-50
•
SSL VPN Other Settings Page, page 27-88
Field Reference
Table 27-67
SSL VPN Other Settings > Encoding Tab
Element
Description
Global SSL VPN
Encoding Type
Select the attribute that determines the character encoding that all SSL
VPN portal pages inherit, except for those portal pages delivered from
the CIFS servers listed in the table.
By default, the security appliance applies the “Global SSL VPN
Encoding Type” to pages from Common Internet File System servers.
You can select one of the following values:
•
big5
•
gb2312
•
ibm-850
•
iso-8859-1
•
shift_jis
Note
If you are using Japanese Shift_jis Character encoding, click
Do not specify in the Font Family area of the associated Select
Page Font pane to remove the font family.
•
unicode
•
windows-1252
•
none
If you choose None or specify a value that the browser on the SSL VPN
client does not support, it uses its own default encoding.
You can enter a string of up to 40 characters, and equal to one of the
valid character sets identified in
http://www.iana.org/assignments/character-sets. You can use either the
name or the alias of a character set listed on that page. The string is
case-insensitive. The command interpreter converts upper-case to
lower-case when you save the security appliance configuration.
Common Internet File
System Server
The name or IP address of each CIFS server for which the encoding
requirement differs from the “Global SSL VPN Encoding Type”
attribute setting.
Encoding Type
The character encoding override for the associated CIFS server.
Create button
Opens a dialog box that lets you add a CIFS server for which the
encoding requirement differs from the “Global SSL VPN Encoding
Type” attribute setting. See Add/Edit File Encoding Dialog Box,
page 27-93.
Edit button
Opens a dialog box that lets you edit the settings of a selected CIFS
server in the table. See Add/Edit File Encoding Dialog Box,
page 27-93.
Delete button
Select the rows of one or more exceptions to the global encoding type
attribute setting, then click to remove from the list.
Add/Edit File Encoding Dialog Box
Use the Add/Edit File Encoding dialog box to configure CIFS servers and associated character encoding,
to override the value of the “Global SSL VPN Encoding Type” attribute.
Navigation Path
Open the Encoding Tab, page 27-91, then click Create below the table, or select a row in the table and
click Edit.
Related Topics
•
Defining Encoding Rules, page 26-50
Field Reference
Table 27-68
SSL VPN Other Settings > Encoding Tab >Add/Edit File Encoding Dialog Box
Element
Description
CIFS Server IP
When selected, indicates the IP address of a CIFS server for which the
encoding requirement differs from the “Global SSL VPN Encoding
Type” attribute setting.
CIFS servers are predefined objects. You can click Select to open the
Network/Hosts Selector dialog box that lists all available network
hosts, and in which you can create network host objects.
CIFS Server Host
When selected, indicates the host name of a CIFS server for which the
encoding requirement differs from the “Global SSL VPN Encoding
Type” attribute setting. The security appliance retains the case you
specify, although it ignores the case when matching the name to a server.
Encoding Type
Select the character encoding that the CIFS server should provide for
SSL VPN portal pages. This selection overrides the “Global SSL VPN
Encoding Type” attribute setting.
If you choose None or specify a value that the browser on the SSL VPN
client does not support, it uses its own default encoding.
Proxy Tab
Use the Proxy tab of the SSL VPN Other Settings page to configure the security appliance to terminate
HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. On this
tab, you can also configure the security appliance to perform minimal content rewriting, and to specify
the types of content to rewrite—external links or XML.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Proxy tab.
Related Topics
•
Defining Proxies and Proxy Bypass Rules, page 26-51
•
Understanding Network/Host Objects, page 6-62
Field Reference
Table 27-69
SSL VPN Other Settings > Proxy Tab
Element
Description
Proxy Type
Select the type of external proxy server to use for SSL VPN
connections as follows:
•
HTTP/HTTPS Proxy—Enables you to use an external proxy
server to handle HTTP or HTTPS requests and activates all the
fields beneath it that specify HTTP or HTTPS server properties.
•
Proxy using PAC—Enables you to specify a proxy
autoconfiguration (PAC) file to download from an HTTP proxy
server to a browser.
HTTP/HTTPS Proxy Servers
Enable HTTP Proxy Server
Select this check box to enable the HTTP proxy server.
HTTP Proxy Server
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
The IP address of the external HTTP proxy server to which the security
appliance forwards HTTP connections.
HTTP proxy servers are predefined network objects. You can click Select
to open the Networks/Hosts Selector dialog box from which you can
make your selections, and in which you can create network host objects.
HTTP Proxy Port
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
The port of the external HTTP proxy server to which the security
appliance forwards HTTP connections.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object. A port
list object is a named definition of one or more port ranges that you use
when defining service objects.
Exception Address List
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
A URL or a comma-delimited list of several URLs to exclude from those
that can be sent to the HTTP proxy server. The string does not have a
character limit, but the entire command cannot exceed 512 characters.
You can specify literal URLs or use the following wildcards:
•
* to match any string, including slashes (/) and periods (.). You
must accompany this wildcard with an alphanumeric string.
•
? to match any single character, including slashes and periods.
•
[x-y] to match any single character in the range of x and y, where
x represents one character and y represents another character in the
ANSI character set.
•
[!x-y] to match any single character that is not in the range.
Authentication User Name
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
The username sent with each HTTP proxy request to provide basic
proxy authentication. Basic authentication transmits these credentials
to the proxy encoded but not encrypted, so the path between the security
appliance and the proxy server should be a trusted network.
Authentication Password
The password to send to the proxy server with each HTTP request.
Confirm
Confirms the password entered in the Authentication Password field.
The values in the Authentication Password and Confirm fields must
match before you can save these settings.
Enable HTTPS Proxy Server
Select this check box to enable the HTTPS proxy server.
HTTPS Proxy Server
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
The IP address of the external HTTPS proxy server to which the
security appliance forwards HTTPS connections.
HTTPS proxy servers are predefined network objects. You can click
Select to open the Networks/Hosts Selector dialog box from which you
can make your selections, and in which you can create network host
objects.
HTTPS Proxy Port
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
The port of the external HTTPS proxy server to which the security
appliance forwards HTTPS connections.
You can click Select to open the Port List Selector dialog box from
which you can make your selection, or create a port list object.
Exception Address List
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
A URL or a comma-delimited list of several URLs to exclude from those
that can be sent to the HTTPS proxy server. The string does not have a
character limit, but the entire command cannot exceed 512 characters.
You can specify literal URLs or use the following wildcards:
•
* to match any string, including slashes (/) and periods (.). You
must accompany this wildcard with an alphanumeric string.
•
? to match any single character, including slashes and periods.
•
[x-y] to match any single character in the range of x and y, where
x represents one character and y represents another character in the
ANSI character set.
•
[!x-y] to match any single character that is not in the range.
Authentication User Name
Available only if you selected HTTP/HTTPS Proxy from the Proxy
Type list.
The username sent with each HTTPS proxy request to provide basic
proxy authentication.
Authentication Password
The password to send to the proxy server with each HTTPS request.
Confirm
Confirms the password entered in the Authentication Password field.
The values in the Authentication Password and Confirm fields must
match before you can save these settings.
Proxy using PAC
Available only if you selected Proxy using PAC from the Proxy Type list.
Specify Proxy Auto Config
file URL
When selected, enables you to specify a proxy autoconfiguration (PAC)
file to download to the browser. Once downloaded, the PAC file uses a
JavaScript function to identify a proxy for each URL. Enter http:// and
type the URL of the proxy autoconfiguration file into the adjacent field.
If you omit the http:// portion, the security appliance ignores it.
This option is an alternative to specifying the IP address of the HTTP
proxy server.
Proxy Bypass
Specifies the ASA interface, port, and target URL configured for
proxy bypass. Use the following buttons to create, edit, or delete proxy
bypass settings:
•
Create button—Opens a dialog box that lets you add a proxy
bypass rule to the table. See Add/Edit Proxy Bypass Dialog Box,
page 27-97.
•
Edit button—Opens a dialog box that lets you edit the settings of a
selected proxy bypass rule in the table. See Add/Edit Proxy Bypass
Dialog Box, page 27-97.
•
Delete button—Deletes one or more proxy bypass rules selected in
the table.
Add/Edit Proxy Bypass Dialog Box
Use the Add/Edit Proxy Bypass dialog box to set proxy bypass rules when the security appliance
performs little or no content rewriting.
Navigation Path
Open the Proxy Tab, page 27-94, then click Create below the table, or select a row in the table and
click Edit.
Related Topics
•
Defining Proxies and Proxy Bypass Rules, page 26-51
•
Understanding Interface Role Objects, page 6-55
Field Reference
Table 27-70
SSL VPN Other Settings > Proxy Tab >Add/Edit Proxy Bypass Dialog Box
Element
Description
Interface
The interface on the security appliance that is used for proxy bypass.
You can click Select to open a dialog box from which you can select an
interface from a list of interface or interface role objects.
Bypass On Port
When selected, enables you to specify a port number to be used for proxy
bypass. Valid port numbers are 20000-21000.
You can click Select to open the Port List Selector dialog box from which
you can make your selection, or create a port list object. A port list object is
a named definition of one or more port ranges that you use when defining
service objects.
Note
If you configure proxy bypass using ports rather than path masks,
depending on your network configuration, you might need to change
your firewall configuration to allow these ports access to the security
appliance. Use path masks to avoid this restriction.
Bypass Matching
Specify Pattern
When selected, enables you to specify a URL path to match for proxy bypass.
A path is the text in a URL that follows the domain name. For example, in
the URL www.mycompany.com/hrbenefits, hrbenefits is the path.
You can use the following wildcards:
•
*—Matches everything. You cannot use this wildcard by itself. It must
accompany an alphanumeric string.
•
?—Matches any single character.
•
[!seq]—Matches any character not in sequence.
•
[seq]—Matches any character in sequence.
The maximum is 128 bytes.
Note
Path masks can change, so you might need to use multiple path mask
statements to exhaust the possibilities.
URL
Select the http or https protocol, then enter a URL to which you want to
apply proxy bypass, in the field provided.
URLs used for proxy bypass allow a maximum of 128 bytes. The port for
HTTP is 80 and for HTTPS it is 443, unless you specify another port.
Rewrite XML
When selected, rewrites XML sites and applications to be bypassed by the
security appliance.
Rewrite Hostname
When selected, rewrites external links to be bypassed by the
security appliance.
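The wildcard mask syntax (*, ?, [seq], [!seq]) appears three times in this chapter: the Resource Mask in the Add/Edit Content Rewrite dialog box, the Exception Address Lists on the Proxy tab, and the Specify Pattern path mask in the Add/Edit Proxy Bypass dialog box. The following added example, written for this page and not code from Cisco Security Manager or the security appliance, models that syntax together with the first-match, lowest-number-first rule lookup described on the Content Rewrite tab. It assumes the documented wildcards behave like POSIX fnmatch patterns and that a resource matched by no rule is rewritten by default; both are modelling assumptions, not a description of the appliance's implementation. The rule table and URLs are constructed.

```python
"""Model of the wildcard mask syntax and first-match rule lookup used by the
Content Rewrite resource masks, the proxy Exception Address Lists, and the
proxy bypass path patterns described above.

Added example for this page; not Cisco code. Assumptions are marked below.
"""
import fnmatch
from dataclasses import dataclass
from typing import Optional

RESOURCE_MASK_MAX_BYTES = 300   # content rewrite Resource Mask limit
PATH_MASK_MAX_BYTES = 128       # proxy bypass path pattern / URL limit


def mask_is_valid(mask, max_bytes=RESOURCE_MASK_MAX_BYTES):
    """Limits are in bytes, and '*' may not stand alone: it must accompany an
    alphanumeric string."""
    if not mask or len(mask.encode("utf-8")) > max_bytes:
        return False
    return any(ch.isalnum() for ch in mask)


def mask_matches(mask, target):
    """Assumption: fnmatch semantics. fnmatchcase avoids OS-specific case
    folding and lets '*' span '/' and '.', as the Exception Address List rows state."""
    return fnmatch.fnmatchcase(target, mask)


@dataclass
class RewriteRule:
    number: Optional[int]   # None = unnumbered; such rules sort to the end of the list
    name: str
    mask: str
    enabled: bool = True    # the rule's own Enable flag: rewrite on/off for its matches


def first_matching_rule(rules, resource):
    """Rules are searched by order number, lowest first, unnumbered rules last;
    the first mask that matches wins."""
    ordered = sorted(rules, key=lambda r: (r.number is None, r.number or 0))
    for rule in ordered:
        if mask_matches(rule.mask, resource):
            return rule
    return None


def rewrite_enabled_for(rules, resource):
    """Assumption: when no rule matches, the rewriting engine's default applies,
    modelled here as 'rewrite'."""
    rule = first_matching_rule(rules, resource)
    return True if rule is None else rule.enabled


def proxy_exception_bypasses(exception_list, url):
    """Exception Address List: comma-delimited masks; any match means the URL is
    not sent to the HTTP/HTTPS proxy server."""
    return any(mask_matches(entry.strip(), url) for entry in exception_list.split(","))


# Constructed rule table: a public site that needs no rewriting, an intranet
# application that does, and an unnumbered catch-all. Deliberately out of order.
RULES = [
    RewriteRule(20, "intranet-hr", "intranet.example.net/*", enabled=True),
    RewriteRule(10, "public-site", "*.public.example/*", enabled=False),
    RewriteRule(None, "catch-all", "*.example.net*"),
]

if __name__ == "__main__":
    for res in ("www.public.example/index.html", "intranet.example.net/hr", "files.example.net/q"):
        rule = first_matching_rule(RULES, res)
        print(f"{res:32} -> {rule.name:12} rewrite={rewrite_enabled_for(RULES, res)}")
    print(proxy_exception_bypasses("*.public.example/*, intranet.example.net/*",
                                   "www.public.example/a"))   # True
```

Because the lookup stops at the first match, a broad low-numbered mask silently shadows more specific rules that follow it; when a resource is rewritten (or bypassed) unexpectedly, check which rule `first_matching_rule` returns before adding another.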
Plug-in Tab
Use the Plug-in tab of the SSL VPN Other Settings page to view the currently configured browser
plug-ins, and to create new plug-ins or edit existing ones. Clientless SSL VPN must be enabled on the
security appliance to provide remote access to the plug-ins.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Plug-in tab. You can also open it by
clicking the Plug-in tab from any other tab on the SSL VPN Other Settings page.
Related Topics
•
Understanding Plug-ins, page 26-53
•
Defining Browser Plug-ins, page 26-55
•
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-71
SSL VPN Other Settings > Plug-in Tab
Element
Description
Plug-in
The type of plug-in based on the protocol service that the plug-in provides
to the user. The plug-in is used in remote browsers in Clientless SSL
VPN sessions.
Plug-in File
The name of the File Object that identifies the plug-in file.
Create button
Opens a dialog box that lets you add a browser plug-in. See Add/Edit Plug-in
Entry Dialog Box, page 27-99.
Edit button
Opens a dialog box that lets you edit the settings of the selected plug-in. See
Add/Edit Plug-in Entry Dialog Box, page 27-99.
Delete button
Select the rows of one or more browser plug-ins, then click to remove from
the list.
Add/Edit Plug-in Entry Dialog Box
Use the Add/Edit Plug-in Entry dialog box to add or edit browser plug-ins to download to remote
browsers in clientless SSL VPN sessions.
Navigation Path
Open the Plug-in Tab, page 27-98, then click Create below the table, or select a row in the table and
click Edit.
Related Topics
•
Understanding Plug-ins, page 26-53
•
Defining Browser Plug-ins, page 26-55
•
Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-72
SSL VPN Other Settings > Plug-in Tab > Add/Edit Plug-in Entry Dialog Box
Element
Description
Plug-in
The type of plug-in file based on the protocol to be used for the imported
plug-in in URLs launched from the SSL VPN portal. Select one of the
following options from the list:
•
Remote Desktop (RDP)—Provides access to Remote Desktop Protocol
services using the rdp-plugin.jar plug-in file.
•
Secure Shell (SSH), Telnet—Provides access to Secure Shell and
Telnet services using the ssh-plugin.jar plug-in file.
•
VNC—Provides access to Virtual Network Computing services using
the vnc-plugin.jar plug-in file.
•
Citrix (ICA)—Provides access to Citrix MetaFrame services using the
ica-plugin.jar plug-in file.
Plug-in File
The File Object that identifies the plug-in file. Enter the name of the File
Object or click Select to select an object. You can also create the File Object
from the object selector. For more information on creating File Objects, see
Add and Edit File Object Dialog Boxes, page 28-24.
SSL VPN Client Settings Tab
Use the SSL VPN Client Settings tab to specify the path of the SSL VPN client image and profile files
to be downloaded to the remote PC and the size of the cache memory to be allocated for SSL VPN client
and Cisco Secure Desktop (CSD) images on the device.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Client Settings tab. You can also
open it by clicking the Client Settings tab from any other tab on the SSL VPN Other Settings page.
Related Topics
• Understanding SSL VPN Client Settings, page 26-56
• Configuring SSL VPN Client Settings, page 26-57
• Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-73
SSL VPN Other Settings > Client Settings Tab
Element
Description
AnyConnect Client Image
AnyConnect Client Image
Displays the name of the File Object that identifies the package file for
an AnyConnect client image. These are images that the security
appliance downloads to the remote PC.
Order
Indicates the order in the table. The security appliance downloads the
image at the top of the table first. Therefore, you should move the image
used by the most commonly-encountered operating system to the top.
Create button
Click to open the object selector so that you can select a package to add
to the list. You can select an existing File Object or create a new one.
Edit button
Select a row of an SSL VPN client image in the table, then click to
change the File Object selection or the order of the client image.
Delete button
Select the rows of one or more AnyConnect client images, then click to
remove them from the list.
AnyConnect Client Profile
Profile Name
Displays the name of the client profile to be downloaded to the
security appliance.
AnyConnect Client Profile
Displays the name of the File Object that identifies the client profile for
an AnyConnect client, which is downloaded to the security appliance.
The client profile is an XML file that the security appliance downloads
to the remote PC. These profiles display host information in the
AnyConnect VPN Client user interface.
Create button
Click to open the object selector so that you can select a profile to add
to the list. You can select an existing File Object or create a new one.
Edit button
Select a row of an SSL VPN client profile in the table, then click to
change the File Object selection or the name of the client profile.
Delete button
Select the rows of one or more AnyConnect client profiles, then click to
remove them from the list.
Cache File System (to hold CSD and SVC images)
Maximum Cache File System Object Size
The maximum size (in MB) of the cache on the security appliance to
store SSL VPN client and CSD images.
Note
The security appliance expands SSL VPN client and CSD
images in cache memory. If you receive the error message
“ERROR: Unable to load SVC image - increase disk space via
the ‘cache-fs’ command”, increase the size of cache memory.
Add/Edit AnyConnect Client Image Dialog Box
Use the Add/Edit AnyConnect Client Image dialog box to create or edit a package file as the client
image, and establish the order that the security appliance downloads the image to the remote PC.
Navigation Path
Open the SSL VPN Client Settings Tab, page 27-99, then click Create below the AnyConnect Client
Image table, or select a row in the table and click Edit.
Related Topics
• Understanding SSL VPN Client Settings, page 26-56
• Configuring SSL VPN Client Settings, page 26-57
• Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-74
SSL VPN Other Settings > Client Settings Tab > Add/Edit AnyConnect Client Image Dialog Box
Element
Description
AnyConnect Client Image
The name of the File Object that identifies the AnyConnect client. Click
Select to select an object.
You can also create the File Object from the object selector. For more
information, see Add and Edit File Object Dialog Boxes, page 28-24.
Image Order
The order in which the security appliance downloads the client images
to the remote PC. It downloads the image at the top of the table first.
Therefore, you should enter a lower value for the image used by the
most commonly-encountered operating system.
Regular Expression
Regular expression for the AnyConnect image. Enter a name of an
existing regular expression or click Select to select or create a new one.
Add/Edit AnyConnect Client Profile Dialog Box
Use the Add/Edit AnyConnect Client Profile dialog box to create a new profile or edit the path of an
existing one. These profiles display host information in the AnyConnect VPN Client user interface. After
creating a profile, it is loaded on the security appliance from Security Manager and you must configure
the security appliance to download it to remote client PCs.
Navigation Path
Open the SSL VPN Client Settings Tab, page 27-99, then click Create below the AnyConnect Client
Profile table, or select a row in the table and click Edit.
Related Topics
• Understanding SSL VPN Client Settings, page 26-56
• Configuring SSL VPN Client Settings, page 26-57
• Understanding and Managing SSL VPN Support Files, page 26-5
Field Reference
Table 27-75
SSL VPN Other Settings > Client Settings Tab > Add/Edit AnyConnect Client Profile Dialog Box
Element
Description
AnyConnect Profile Name
The name of the AnyConnect client profile to be downloaded to the
security appliance.
AnyConnect Client Profile
The name of the File Object that identifies the AnyConnect client
profile XML file. Click Select to select an object.
You can also create the File Object from the object selector. For more
information, see Add and Edit File Object Dialog Boxes, page 28-24.
Advanced Tab
The Advanced tab lets you configure the memory, on-screen keyboard, and internal password features
on ASA devices.
Navigation Path
Open the SSL VPN Other Settings Page, page 27-88, then click the Advanced tab.
Related Topics
• Defining Advanced Settings, page 26-58
Field Reference
Table 27-76
SSL VPN Other Settings > Advanced Tab
Element
Description
Memory Size
Specify the amount of memory you want to allocate to SSL VPN
sessions as follows:
• % of Total Physical Memory—As a percentage of total memory.
Default is 50%.
• Kilobytes—In kilobytes. 20 KB is the minimum setting allowed.
Cisco recommends that you do not specify memory in terms of KB
because different ASA models have different total amounts of
memory, for example:
– ASA 5510 has 256 MB
– ASA 5520 has 512 MB
– ASA 5540 has 1 GB
Note
When you change the memory size, the new setting takes effect
only after the system reboots.
Enable On-screen Keyboard
Select one of the following options:
• Disabled—The on-screen keyboard is not displayed. Users must
input their credentials using the standard keyboard.
• On All Pages—Allows a user to input credentials using an
on-screen keyboard, which is displayed whenever logon
credentials are required.
• On Logon Page Only—Allows a user to input credentials using an
on-screen keyboard, which is displayed on the logon page.
Allow Users to Enter Internal Password
Click the checkbox to enable the feature. When enabled, an additional
password is required when accessing internal sites. This feature is
useful if you require that the internal password be different from the
SSL VPN password. For example, you can use a one-time password for
authentication to ASA and another password for internal sites.
SSL VPN Shared License (ASA 8.2) Page
Use the SSL VPN Shared License page to configure your SSL VPN Shared License.
Navigation Path
• (Device View) Select an ASA device using version 8.2 or higher, and select Remote Access VPN >
SSL VPN > Shared License from the Policy selector.
• (Policy View) Select Remote Access VPN > SSL VPN > Shared License (ASA 8.2+) from the
Policy Type selector. Select an existing policy or create a new one.
Related Topics
• Understanding SSL VPN Shared Licenses (ASA), page 26-58
• Configuring an ASA Device as a Shared License Client, page 26-59
• Configuring an ASA Device as a Shared License Server, page 26-59
Field Reference
Table 27-77
SSL VPN Shared License Page
Element
Description
Select Role
Role you are configuring, either Shared License Client or Shared
License Server. Depending on your choice, different fields appear.
Shared License Client
Shared Secret
Case-sensitive string (4-128 characters) used for communicating with
the shared license server.
License Server
Hostname of the ASA device configured as the license server.
License Server Port
Number of the TCP port on which the license server communicates.
Select Backup Role of Client
Role of the client:
• Client Only—When selected, the client acts only as the client. In
this case, you must specify another device as a backup server.
• Backup Server—When selected, the client also acts as the backup
server. In this case, you must also specify the interfaces to be used
for this purpose.
Shared License Server
Shared Secret
Case-sensitive string (4-128 characters) used for communicating with
the shared license server.
License Server
Hostname of the ASA device configured as the license server.
License Server Port
Number of the TCP port on which the license server communicates.
Refresh Interval
Value between 10-300 seconds. Default is 30 seconds.
Interfaces
Interfaces used for communicating shared licenses to clients.
Configure Backup shared SSL VPN License Server
Click this check box to configure a backup server for the shared license
server, then configure the following:
• Backup License Server—Server to act as a backup license server if
the current one is unavailable.
• Backup Server Serial Number—Serial number of the backup
license server.
• HA Peer Serial Number—(Optional) Serial number of the backup
server of a failover pair.
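As an added illustration that is not taken from this guide, the ASA 8.2 CLI that the fields in this table correspond to, for one license server and one client that also acts as the backup server. The addresses, interface name, serial numbers and secret are constructed placeholders, and the exact command set Security Manager deploys for these fields is an assumption.

```text
! --- Select Role = Shared License Server ---
! Shared Secret: case-sensitive, 4-128 characters (constructed placeholder)
license-server secret sharedsecret01
! License Server Port: TCP port the server listens on (constructed example)
license-server port 50554
! Refresh Interval: 10-300 seconds, default 30
license-server refresh-interval 30
! Configure Backup shared SSL VPN License Server:
!   Backup License Server, Backup Server Serial Number, HA Peer Serial Number
license-server backup 192.0.2.2 backup-id <backup-serial> ha-backup-id <ha-peer-serial>
! Interfaces: where clients are allowed to reach the license server
license-server enable inside

! --- Select Role = Shared License Client (on the backup device 192.0.2.2) ---
! License Server, Shared Secret and License Server Port must match the server
license-server address 192.0.2.1 secret sharedsecret01 port 50554
! Select Backup Role of Client = Backup Server: interfaces used for that role
license-server backup enable inside
```

The shared secret travels only between these ASAs, so restrict the listed interfaces to the management path between them rather than an outside-facing interface.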
SSL VPN Policy Page (IOS)
Use this page to configure the SSL VPN connection policies for an IOS router. From this page, you can
create, edit, or delete SSL VPN policies.
The table lists all of the contexts that define the virtual configurations of the SSL VPN. Each context has
a gateway, domain or virtual hostname, and user group policies. The status of the context is also shown,
either In Service or Out of Service.
• To add a context, click the Add Row button to open the SSL VPN Context Editor Dialog Box (IOS),
page 27-105.
• To edit a context, select it and click the Edit Row button.
• To delete a context, select it and click the Delete Row button.
Navigation Path
• (Device View) Select an IOS device and select Remote Access VPN > SSL VPN from the
Policy selector.
• (Policy View) Select Remote Access VPN > SSL VPN > SSL VPN Policy (IOS) from the Policy
Type selector. Select an existing policy or create a new one.
Related Topics
• Configuring an SSL VPN Policy (IOS), page 26-60
• Filtering Tables, page 1-33
SSL VPN Context Editor Dialog Box (IOS)
Use this dialog box to create or modify a context that defines the virtual configuration of an SSL VPN.
For more information, see Configuring an SSL VPN Policy (IOS), page 26-60.
Navigation Path
Open the SSL VPN Policy Page (IOS), page 27-105, then click Create, or select a policy in the table and
click Edit.
Field Reference
Table 27-78
SSL VPN Context Editor Dialog Box
Element
Description
General tab
Defines the general settings required for an SSL VPN policy. General
settings include specifying the gateway, domain, AAA servers for
accounting and authentication, and user groups. For a description of the
fields on this tab, see General Tab, page 27-107.
Portal Page tab
Defines the design of the login page for the SSL VPN policy. The display
box at the bottom of the tab changes to show you how your selections will
look. You can configure:
• Title—The text displayed at the top of the page. Control the color using
the Primary settings in the Title Color and Text Color fields.
• Logo—The graphic displayed next to the title. Select None, Default, or
Custom. To configure a custom graphic, you must copy the desired
graphic to the Security Manager server, then click Browse to select the
file. Supported graphic types are GIF, JPG, and PNG, with a maximum
size of 100 KB.
• Login Message—The text displayed immediately above the login
prompt. Control the color using the Secondary settings in the Title Color
and Text Color fields.
Secure Desktop tab
Configures the Cisco Secure Desktop (CSD) software on the router. CSD
policies define entry requirements for client systems and provide a single,
secure location for session activity and removal on the client system,
ensuring that sensitive data is shared only for the duration of an SSL VPN
session.
Note
You must install and activate the Secure Desktop Client software on
a device for your configuration to work.
If you want to use CSD, select Enable Cisco Secure Desktop and click
Select to select a Secure Desktop Configuration policy object, which defines
the rules you want to use to control VPN access and host scanning. You can
create a new object from the selection list. For information about configuring
these objects, see Creating Cisco Secure Desktop Configuration Objects,
page 26-61.
Advanced tab
Configures these additional settings:
• Maximum Number of Users—The maximum number of SSL VPN user
sessions allowed at one time, from 1-1000.
• VRF Name—If Virtual Routing Forwarding (VRF) is configured on the
device, the name of the VRF instance that is associated with the SSL
VPN context. For information about VRF, see Understanding
VRF-Aware IPsec, page 21-13.
General Tab
Use the General tab of the SSL VPN Context Editor dialog box to define or edit the general settings
required for an SSL VPN policy. General settings include specifying the gateway, domain, AAA servers
for accounting and authentication, and user groups.
Navigation Path
Open the SSL VPN Context Editor Dialog Box (IOS), page 27-105, then click the General tab.
Related Topics
• Configuring an SSL VPN Policy (IOS), page 26-60
• Add or Edit SSL VPN Gateway Dialog Box, page 28-63
• Understanding AAA Server and Server Group Objects, page 6-20
Field Reference
Table 27-79
SSL VPN Context Editor General Tab (IOS)
Element
Description
Enable SSL VPN
Whether to activate the SSL VPN connection, putting it “In Service”.
Name
The name of the context that defines the virtual configuration of the
SSL VPN.
Note
To simplify the management of multiple context
configurations, make the context name the same as the domain
or virtual hostname.
Gateway
The name of the SSL VPN gateway policy object that defines the
characteristics of the gateway to which users connect when entering the
VPN. A gateway object provides the interface and port configuration
for an SSL VPN connection.
Enter the name of the object or click Select to select it from a list or to
create a new object.
Domain
The domain or virtual hostname of the SSL VPN connection.
Portal Page URL
The URL for the SSL VPN, which is filled in when you select a gateway
object. Users connect to this URL to enter the VPN.
Authentication Server Group
The authentication server groups. The list is in prioritized order.
Authentication is attempted using the first group and proceeds through
the list until the user is successfully authenticated or denied. Use the
LOCAL group if the users are defined on the gateway itself.
Enter the names of the AAA server groups; separate multiple entries
with commas. You can click Select to select the groups or to create
new ones.
Authentication Domain
A list or method for SSL VPN remote user authentication. If you do not
specify a list or method, the gateway uses global AAA parameters for
remote-user authentication.
Accounting Server Group
The accounting server group. Enter the name of the AAA server
group policy object, or click Select to select it from a list or to create
a new object.
User Groups
The user groups that will be used in your SSL VPN policy. User groups
define the resources available to users when connecting to an SSL VPN
gateway. The table shows whether full client, CIFS file access, and thin
client are enabled for the group.
• To add a user group, click Add Row to open a list of existing user
group policy objects from which you can select the group. If the
desired group does not already exist, click the Create button below
the available groups list and create it. For more information about
user group objects, see Add or Edit User Group Dialog Box,
page 28-68.
• To edit a user group, select it and click the Edit Row button.
• To delete a user group, select it and click the Delete Row button.
This deletes the group only from the policy; it does not delete the
user group policy object.
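The IOS `webvpn` configuration that the Context Editor tabs (Table 27-78) and General tab fields (Table 27-79) map to, as an added illustration that is not taken from this guide. The gateway, context, AAA list, group and VRF names, the address and the colors are constructed, and the exact command set Security Manager deploys for these fields is an assumption.

```text
! Gateway object (Gateway field): the interface address and port users connect to
webvpn gateway CORP-GW
 ip address 192.0.2.10 port 443
 http-redirect port 80
 inservice
!
! Context (Name field); the name matches the Domain, as the note in Table 27-79 recommends
webvpn context corp
 ! Gateway and Domain: the Portal Page URL becomes https://192.0.2.10/corp
 gateway CORP-GW domain corp
 ! Authentication Server Group (AAA method list) and Authentication Domain
 aaa authentication list SSLVPN-AUTH
 aaa authentication domain @corp.example
 ! Accounting Server Group
 aaa accounting list SSLVPN-ACCT
 ! Portal Page tab: Title and Login Message with their Primary / Secondary colors
 title "Corp Remote Access"
 title-color #003366
 text-color white
 login-message "Authorized users only"
 secondary-color #336699
 secondary-text-color white
 logo file flash:/corp-logo.gif
 ! Secure Desktop tab: Enable Cisco Secure Desktop (CSD package must be installed)
 csd enable
 ! Advanced tab: Maximum Number of Users (1-1000) and VRF Name
 max-users 250
 vrf-name CORP-VRF
 ! User Groups: one group policy with full client and CIFS file access enabled
 policy group EMPLOYEES
   functions svc-enabled
   functions file-access
 default-group-policy EMPLOYEES
 ! Enable SSL VPN: puts the context In Service
 inservice
```

Because the authentication list is consulted in order until a server group answers, keep LOCAL last in the list unless the gateway itself is meant to be the authority for those users.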