Index
A
AAA
addressing, configuring 5-5
Access Control Server 7-4, 7-13
access hours, username attribute 4-89
accessing the security appliance using SSL 15-21
accessing the security appliance using TLS1 15-21
access list filter, username attribute 4-90
access lists
exemptions from posture validation 7-11
group policy WebVPN filter 4-83
IPsec 1-29
Network Admission Control, default 7-10
username for Clientless SSL VPN 4-96
Active Directory, settings for password management 4-28
Active Directory procedures 13-2 to ??
Advanced Encryption Standard (AES) 1-10
application access
and e-mail proxy 18-7
and Web Access 18-7
configuring client applications 18-6
enabling cookies on browser 18-6
privileges 18-6
quitting properly 18-6
setting up on client 18-6
using e-mail 18-7
with IMAP client 18-7
Application Access Panel, WebVPN 19-2, 21-2
application access using Clientless SSL VPN
group policy attribute for Clientless SSL VPN 4-84
username attribute for Clientless SSL VPN 4-98
application access using WebVPN
and hosts file errors 22-1
quitting properly 22-2
Application Profile Customization Framework 16-8
ASA 5505
client
authentication 8-12
configuration restrictions, table 8-2
device pass-through 8-8
group policy attributes pushed to 8-10
mode 8-3
remote management 8-9
split tunneling 8-8
TCP 8-4
trustpoint 8-7
tunnel group 8-7
tunneling 8-5
Xauth 8-4
server (headend) 8-1
attributes
username 4-88
attribute-value pairs (AVP) 4-36
authentication
ASA 5505 as Easy VPN client 8-12
WebVPN users with digital certificates 19-21, 19-22
auto-signon
group policy attribute for Clientless SSL VPN 4-82
username attribute for Clientless SSL VPN 4-99
B
backup server attributes, group policy 4-67
banner message, group policy 4-41
before configuring KCD 16-4
Black Ice firewall 4-76
bypass authentication 8-8
C
cached Kerberos tickets
clearing 16-7
showing 16-7
caching 17-18
cascading access lists 1-23
certificate
authentication, e-mail proxy 16-14
group matching
configuring 1-16, 1-17
rule and policy, creating 1-17
Cisco Integrated Firewall 4-76
Cisco Security Agent 4-76
Cisco Trust Agent 7-13
clearing cached Kerberos tickets 16-7
client
VPN 3002 hardware, forcing client update 3-4
Windows, client update notification 3-4
client access rules, group policy 4-77
client firewall, group policy 4-71
clientless authentication 7-13
Clientless SSL VPN
client application requirements 18-2
client requirements 18-2
for file management 18-5
for network browsing 18-5
for web browsing 18-4
start-up 18-3
configuring for specific users 4-93
enable cookies for 18-6
printing and 18-3
remote requirements
for port forwarding 18-6
for using applications 18-6
remote system configuration and end-user requirements 18-3
security tips 18-2
supported applications 18-2
supported browsers 18-3
supported types of Internet connections 18-3
URL 18-3
username and password required 18-3
usernames and passwords 18-1
client mode 8-3
client update, performing 3-4
cluster
IP address, load balancing 3-7
load balancing configurations 3-10
mixed scenarios 3-11
virtual 3-7
connect time, maximum, username attribute 4-90
content transformation, WebVPN 17-15
CRACK protocol 1-39
crypto map
access lists 1-29
applying to interfaces 1-29, 10-11
clearing configurations 1-38
creating an entry to use the dynamic crypto map 6-13
definition 1-19
dynamic 1-35
dynamic, creating 6-12
entries 1-19
examples 1-30
policy 1-21
crypto show commands table 1-37
custom firewall 4-76
customization, Clientless SSL VPN
group policy attribute 4-80
login windows for users 4-27
username attribute 4-95
username attribute for Clientless SSL VPN 4-24
D
default
DefaultL2Lgroup 4-1
DefaultRAgroup 4-1
domain name, group policy 4-54
group policy 4-1, 4-8, 4-36
LAN-to-LAN tunnel group 4-17
remote access tunnel group, configuring 4-7
tunnel group 1-18, 4-2
deny in a crypto map 1-23
deny-message
group policy attribute for Clientless SSL VPN 4-81
username attribute for Clientless SSL VPN 4-96
DES, IKE policy keywords (table) 1-9, 1-10
device pass-through, ASA 5505 as Easy VPN client 8-8
DfltGrpPolicy 4-37
DHCP
addressing, configuring 5-6
DHCP Intercept, configuring 4-55
Diffie-Hellman
Group 5 1-9, 1-11
groups supported 1-9, 1-11
digital certificates
authenticating WebVPN users 19-21, 19-22
SSL 15-25
disabling content rewrite 17-16
DNS
server, configuring 4-50
domain attributes, group policy 4-54
dynamic crypto map 1-35
creating 6-12
See also crypto map
E
Easy VPN
client
authentication 8-12
configuration restrictions, table 8-2
enabling and disabling 8-1
group policy attributes pushed to 8-10
mode 8-3
remote management 8-9
trustpoint 8-7
tunnels 8-9
Xauth 8-4
server (headend) 8-1
Easy VPN client
ASA 5505
device pass-through 8-8
split tunneling 8-8
TCP 8-4
tunnel group 8-7
tunneling 8-5
egress VLAN for VPN sessions 4-44
e-mail
configuring for WebVPN 16-14
proxies, WebVPN 16-14
proxy, certificate authentication 16-14
WebVPN, configuring 16-14
e-mail proxy
and Clientless SSL VPN 18-7
end-user interface, WebVPN, defining 19-1, 21-1
external group policy, configuring 4-39
F
failover
Trusted Flow Acceleration 2-8
filter (access list)
group policy attribute for Clientless SSL VPN 4-83
username attribute for Clientless SSL VPN 4-96
firewall
Black Ice 4-76
Cisco Integrated 4-76
Cisco Security Agent 4-76
custom 4-76
Network Ice 4-76
none 4-76
Sygate personal 4-76
Zone Labs 4-76
firewall policy, group policy 4-71
fragmentation policy, IPsec 1-15
G
general attributes, tunnel group 4-3
general parameters, tunnel group 4-3
general tunnel-group connection parameters 4-3
global e-mail proxy attributes 16-14
global IPsec SA lifetimes, changing 1-31
group-lock, username attribute 4-92
group policy
address pools 4-41
backup server attributes 4-67
client access rules 4-77
configuring 4-39
default domain name for tunneled packets 4-54
definition 4-1, 4-36
domain attributes 4-54
Easy VPN client, attributes pushed to ASA 5505 8-10
external, configuring 4-39
firewall policy 4-71
hardware client user idle timeout 4-65
internal, configuring 4-40
IP phone bypass 4-66
IPSec over UDP attributes 4-63
LEAP Bypass 4-66
network extension mode 4-67
security attributes 4-61
split tunneling attributes 4-51
split-tunneling domains 4-55
user authentication 4-65
VPN hardware client attributes 4-64
webvpn attributes 4-79
WINS and DNS servers 4-50
group policy, default 4-36
group policy, secure unit authentication 4-64
group policy attributes for Clientless SSL VPN
application access 4-84
auto-signon 4-82
customization 4-80
deny-message 4-81
filter 4-83
home page 4-82
html-content filter 4-81
keep-alive-ignore 4-85
port forward 4-84
port-forward-name 4-85
sso-server 4-86
url-list 4-83
Group Policy window
add or edit, General tab 5-5
H
hairpinning 1-27
hardware client, group policy attributes 4-64
HMAC hashing method 1-2, 10-4
hold-period 7-17
homepage
group policy attribute for Clientless SSL VPN 4-82
username attribute for Clientless SSL VPN 4-95
hosts file
errors 22-1
reconfiguring 22-2
WebVPN 22-2
html-content-filter
group policy attribute for Clientless SSL VPN 4-81
username attribute for Clientless SSL VPN 4-94
HTTP compression, Clientless SSL VPN, enabling 4-86, 4-100
HTTP redirection for login, Easy VPN client on the ASA 5505 8-12
HTTPS for WebVPN sessions 15-22
hub-and-spoke VPN scenario 1-27
I
idle timeout
hardware client user, group policy 4-65
username attribute 4-90
ID method for ISAKMP peers, determining 1-13
IKE
benefits 1-2, 10-4
creating policies 1-11
keepalive setting, tunnel group 4-4
pre-shared key, Easy VPN client on the ASA 5505 8-7
See also ISAKMP
IKEv1 1-19
Individual user authentication 8-12
inheritance
tunnel group 4-1
username attribute 4-89
intercept DHCP, configuring 4-55
interfaces
configuring for remote access 6-7
internal group policy, configuring 4-40
Internet Security Association and Key Management Protocol
See ISAKMP
IP addresses
configuring an assignment method for remote access clients 5-1
configuring for VPNs 5-1
configuring local IP address pools 5-3
IP phone 8-8
IP phone bypass, group policy 4-66
IPSec
modes 2-2
over UDP, group policy, configuring attributes 4-63
remote-access tunnel group 4-8
setting maximum active VPN sessions 3-3
IPsec
access list 1-29
basic configuration with static crypto maps 1-32
Cisco VPN Client 1-2
configuring 1-1, 1-18
crypto map entries 1-19
fragmentation policy 1-15
over NAT-T, enabling 1-14
over TCP, enabling 1-15
SA lifetimes, changing 1-31
tunnel 1-19
view configuration commands table 1-37
IPSec parameters, tunnel group 4-4
ipsec-ra, creating an IPSec remote-access tunnel 4-8
ISAKMP
about 1-2
configuring 1-1
determining an ID method for peers 1-13
disabling in aggressive mode 1-13
enabling on the outside interface 6-8
keepalive setting, tunnel group 4-4
See also IKE
J
Java object signing 17-16
K
KCD 16-1, 16-2
before configuring 16-4
KCD status
showing 16-6
keep-alive-ignore
group policy attribute for Clientless SSL VPN 4-85
username attribute for Clientless SSL VPN 4-99
Kerberos tickets
clearing 16-7
showing 16-7
L
L2TP description 2-1
LAN-to-LAN tunnel group, configuring 4-17
Layer 2 Tunneling Protocol 2-1
LDAP
example configuration procedures 13-2 to ??
user authorization 13-13
LEAP Bypass, group policy 4-66
load balancing
cluster configurations 3-10
concepts 3-7
eligible clients 3-9
eligible platforms 3-9
implementing 3-8
mixed cluster scenarios 3-11
platforms 3-9
prerequisites 3-9
login
simultaneous, username attribute 4-89
windows, customizing for users of Clientless SSL VPN sessions 4-27
M
MAC addresses
ASA 5505 device pass-through 8-8
matching, certificate group 1-16, 1-17
maximum active IPSec VPN sessions, setting 3-3
maximum connect time, username attribute 4-90
maximum object size to ignore username attribute for Clientless SSL VPN 4-99
MD5, IKE policy keywords (table) 1-9, 1-10
Microsoft Active Directory, settings for password management 4-28
Microsoft Internet Explorer client parameters, configuring 4-57
Microsoft KCD 16-1, 16-2
mixed cluster scenarios, load balancing 3-11
MSIE client parameters, configuring 4-57
MTU size, Easy VPN client, ASA 5505 8-5
N
NAC
See Network Admission Control
NAT-T
enabling IPsec over NAT-T 1-14
using 1-15
Network Admission Control
ACL, default 7-10
clientless authentication 7-13
configuring 4-68
exemptions 7-11
revalidation timer 7-10
uses, requirements, and limitations 7-1
network extension mode 8-3
network extension mode, group policy 4-67
Network Ice firewall 4-76
Nokia VPN Client 1-39
O
operating systems, posture validation exemptions 7-11
Outlook Web Access (OWA) and Clientless SSL VPN 18-7
P
password
Clientless SSL VPN 18-1
password management, Active Directory settings 4-28
passwords
username, setting 4-88
WebVPN 19-22
password-storage, username attribute 4-93
PAT
Easy VPN client mode 8-3
peers
alerting before disconnecting 1-16
ISAKMP, determining ID method 1-13
performance, optimizing for WebVPN 17-18
permit in a crypto map 1-23
port-forward
group policy attribute for Clientless SSL VPN 4-84
username attribute for Clientless SSL VPN 4-98
Port Forwarding
configuring client applications 18-6
port-forward-name
group policy attribute for Clientless SSL VPN 4-85
username attribute for Clientless SSL VPN 4-98
posture validation
exemptions 7-11
revalidation timer 7-10
uses, requirements, and limitations 7-1
PPPoE, configuring 9-1 to 9-5
pre-shared key, Easy VPN client on the ASA 5505 8-7
printers 8-8
privilege level, username, setting 4-88
proxy
See e-mail proxy
proxy bypass 17-17
R
reboot, waiting until active sessions end 1-16
redundancy, in site-to-site VPNs, using crypto maps 1-37
remote access
IPSec tunnel group, configuring 4-8
restricting 4-92
tunnel group, configuring default 4-7
VPN, configuring 6-1, 6-15
remote management, ASA 5505 8-9
revalidation timer, Network Admission Control 7-10
rewrite, disabling 17-16
S
SAs, lifetimes 1-31
secure unit authentication 8-12
secure unit authentication, group policy 4-64
security, WebVPN 19-5
Security Agent, Cisco 4-76
security association
clearing 1-38
See also SAs
security attributes, group policy 4-61
SHA, IKE policy keywords (table) 1-9, 1-10
showing cached Kerberos tickets 16-7
showing KCD status 16-6
simultaneous logins, username attribute 4-89
single sign-on
See SSO
single-signon
group policy attribute for Clientless SSL VPN 4-86
username attribute for Clientless SSL VPN 4-100
site-to-site VPNs, redundancy 1-37
smart tunnels 17-4
split tunneling
ASA 5505 as Easy VPN client 8-8
group policy 4-51
group policy, domains 4-55
SSL
certificate 15-25
used to access the security appliance 15-21
SSL/TLS encryption protocols
configuring 15-25
SSL VPN Client
compression 11-18
DPD 11-16
enabling
permanent installation 11-8
installing
order 11-7
keepalive messages 11-17
viewing sessions 11-20
sso-server
group policy attribute for Clientless SSL VPN 4-86
username attribute for Clientless SSL VPN 4-100
SSO with WebVPN 19-5 to ??
configuring HTTP Basic and NTLM authentication 19-6
configuring HTTP form protocol 19-12
configuring SiteMinder 19-7, 19-10
Sun Microsystems Java™ Runtime Environment (JRE) and Clientless SSL VPN 18-6
Sun Microsystems Java™ Runtime Environment (JRE) and WebVPN 15-9
SVC
See SSL VPN Client
Sygate Personal Firewall 4-76
T
TCP
ASA 5505 as Easy VPN client 8-4
TLS1, used to access the security appliance 15-21
toolbar, floating, WebVPN 19-3, 21-3
transform set
creating 6-1, 6-10
definition 1-19
Trusted Flow Acceleration
failover 2-8
modes 2-8
trustpoint, ASA 5505 client 8-7
tunnel
ASA 5505 as Easy VPN client 8-5
IPsec 1-19
security appliance as a tunnel endpoint 1-2
tunnel group
ASA 5505 as Easy VPN client 8-7
configuring 4-6
creating 4-8
default 1-18, 4-1, 4-2
default, remote access, configuring 4-7
default LAN-to-LAN, configuring 4-17
definition 4-1, 4-2
general parameters 4-3
inheritance 4-1
IPSec parameters 4-4
LAN-to-LAN, configuring 4-17
name and type 4-8
remote access, configuring 6-11
remote-access, configuring 4-8
tunnel-group
general attributes 4-3
tunnel-group ISAKMP/IKE keepalive settings 4-4
tunneling, about 1-1
tunnel mode 2-2
U
url-list
group policy attribute for Clientless SSL VPN 4-83
username attribute for Clientless SSL VPN 4-97
user, VPN
definition 4-1
user access, restricting remote 4-92
user authentication, group policy 4-65
username
clientless authentication 7-14
Clientless SSL VPN 18-1
management tunnels 8-9
WebVPN 19-22
Xauth for Easy VPN client 8-4
username attributes
access hours 4-89
configuring 4-87, 4-88
group-lock 4-92
inheritance 4-89
password, setting 4-88
password-storage 4-93
privilege level, setting 4-88
simultaneous logins 4-89
vpn-filter 4-90
vpn-framed-ip-address 4-91
vpn-idle timeout 4-90
vpn-session-timeout 4-90
vpn-tunnel-protocol 4-92
username attributes for Clientless SSL VPN
auto-signon 4-99
customization 4-95
deny message 4-96
filter (access list) 4-96
homepage 4-95
html-content-filter 4-94
keep-alive ignore 4-99
port-forward 4-98
port-forward-name 4-98
sso-server 4-100
url-list 4-97
username configuration, viewing 4-87
username webvpn mode 4-93
U-turn 1-27
V
virtual cluster 3-7
IP address 3-7
master 3-7
VLAN mapping 4-44
VPN
address pool, configuring (group-policy) 4-41
parameters, general, setting 3-1
setting maximum number of IPSec sessions 3-3
VPN Client, IPsec attributes 1-2
vpn-filter username attribute 4-90
vpn-framed-ip-address username attribute 4-91
VPN hardware client, group policy attributes 4-64
vpn-idle-timeout username attribute 4-90
vpn load balancing
See load balancing 3-7
vpn-session-timeout username attribute 4-90
vpn-tunnel-protocol username attribute 4-92
W
web browsing with Clientless SSL VPN 18-4
web e-Mail (Outlook Web Access), Outlook Web Access 16-15
WebVPN
authenticating with digital certificates 19-21, 19-22
client application requirements 19-23
client requirements 19-23
configuring
e-mail 16-14
configuring WebVPN and ASDM on the same interface 15-22
defining the end-user interface 19-1, 21-1
definition 14-1
e-mail 16-14
e-mail proxies 16-14
end user set-up 21-1
floating toolbar 19-3, 21-3
group policy attributes, configuring 17-2
hosts file 22-2
hosts files, reconfiguring 22-2
Java object signing 17-16
security precautions 19-5
security tips 19-23
setting HTTP/HTTPS proxy 15-23
supported applications 19-23
troubleshooting 22-1
use of HTTPS 15-22
usernames and passwords 19-22
use suggestions 18-2, 19-23, 21-1
WebVPN, Application Access Panel 19-2, 21-2
webvpn attributes
group policy 4-79
welcome message, group policy 4-41
WINS server, configuring 4-50
X
Xauth, Easy VPN client 8-4
Z
Zone Labs firewalls 4-76
Zone Labs Integrity Server 4-73