The Remote Access VPN user interface pages are used to configure remote access VPNs on Cisco IOS security routers, PIX Firewalls, Catalyst 6500 /7600 devices, and Adaptive Security Appliance (ASA) devices.
This chapter contains the following topics:
•Remote Access VPN Configuration Wizard
•ASA Cluster Load Balance Page
•Connection Profiles Page (ASA)
•Public Key Infrastructure Page
•Certificate to Connection Profile Maps > Policies Page
•Certificate to Connection Profile Maps > Rules Page
•SSL VPN Shared License (ASA 8.2) Page
Use the Remote Access VPN Configuration wizard to configure your device with policies that enable it to act as a remote access SSL or IPSec VPN server.
Navigation Path
(Device view only) Select the desired device, and then select Remote Access VPN > Configuration Wizard from the Policy selector.
Note The Remote Access VPN Configuration wizard is available only from Device view.
Related Topics
•Using the Remote Access VPN Configuration Wizard, page 10-8
Field Reference
| Element | Description |
|---|---|
| Remote Access SSL VPN | Click this radio button to choose SSL as the type of remote access VPN to create. The wizard takes you through the appropriate steps for the type of device selected: •ASA device: a. Access Page (ASA), b. Connection Profile Page (ASA) •IOS device: a. Gateway and Context Page (IOS) |
| Remote Access IPSec VPN | Click this radio button to choose IPSec as the type of remote access VPN to create. The wizard takes you through the appropriate steps for the type of device selected: •ASA device: a. IPSec VPN Connection Profile Page (ASA) •IOS device |
| Remote Access Configuration Wizard button | Click this button to start the configuration wizard. |
Use the Access page of the SSL VPN Configuration Wizard to configure the security appliance interfaces for SSL VPN sessions, select a port for SSL VPN connection profiles, and specify the URLs that will be displayed on the Portal page to access the connection profiles.
Navigation Path
(Device view only) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an ASA device. The Access page is the first page that appears.
Related Topics
•Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 10-10
•Understanding Interface Role Objects, page 8-33
•Creating Port List Objects, page 8-72
Field Reference
| Element | Description |
|---|---|
| Interfaces to Enable SSL VPN Service | Interfaces on which you want to enable the SSL VPN connection profiles. Enter an interface or click Select to open an object selector (Object Selectors, page F-205). |
| Port Number | Port number to use for the SSL VPN sessions. Enter a port number or click Select to open an object selector (Object Selectors, page F-205). The default port is 443, for HTTPS traffic. The port number can be 443 or any value in the range 1024-65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect. Note If HTTP port redirection is enabled, the default HTTP port number is 80. |
| Portal Page URLs | URLs that will be displayed on the Portal page to access the SSL VPN connection profile. |
| Allow Users to Select Connection Profile in Portal Page | When selected, enables the user to select a tunnel group at login from a list of the tunnel group connection profiles configured on the device. This is the default setting. |
| Enable AnyConnect Access | When selected, enables AnyConnect functionality on the ASA device. Note To enable AnyConnect Essentials, go to Remote Access VPN > SSL VPN > Access. For details, see Configuring an Access Policy, page 10-44. |
Use the Connection Profile page in the SSL VPN Configuration wizard to configure the tunnel group policies on your security appliance. You can specify a name for the tunnel connection profile policy that you are adding, select the user group policy, specify address pools for this policy, and specify authentication server group settings.
Navigation Path
(Device view only) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an ASA device; then click Next until you reach this page.
Related Topics
•Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 10-10
•Creating ASA User Group Objects, page 8-28
•Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79
•Understanding Network/Host Objects, page 8-65
•Understanding AAA Server and Server Group Objects, page 8-15
Field Reference
| Element | Description |
|---|---|
| Connection Profile Name | Name of the tunnel group that contains the policies for this SSL VPN connection profile. Enter a descriptive name. |
| Group Policy | Default ASA user group associated with the device. Enter an ASA user group policy or click Select to open an object selector (Object Selectors, page F-205). |
| Full Tunnel | Read-only field that indicates whether full tunnel access mode is configured for the user group. |
| Group Policies | Names of the ASA user group policies that will be used in your SSL VPN connection profile, and whether Full Tunnel access mode is enabled or disabled for each. Click Edit to define the list using an object selector (Object Selectors, page F-205). Note All SSL VPN connection profiles on an ASA device share one group policy. Each time you create a connection profile using the wizard, the Group Policies list may be populated with data from the previous connection profile defined on the device. |
| Portal Page Customization | Customization profile that defines the appearance of portal pages and the resources available to remote access users on the SSL VPN network. Enter the name of a profile or click Select to open an object selector (Object Selectors, page F-205). Note You can set up different login windows for different groups by combining customization profiles and tunnel groups. For example, if you had created a customization profile called salesgui, you could create an SSL VPN tunnel group called sales that uses that customization profile. |
| Connection URL | URL of the connection profile. This URL gives users direct access to the customized portal page. Select a protocol (http or https) from the list and specify the URL, including the host name or IP address of the ASA device, the port number, and the alias used to identify the SSL VPN connection profile. Note If you do not specify a URL, users can reach the portal page by entering the portal page URL and then selecting the connection profile alias from the list of aliases configured on the device. See Access Page (ASA). |
| Global IP Address Pool | Address pools from which IP addresses will be assigned. Enter the name of an address pool or click Select to open an object selector (Object Selectors, page F-205). The server uses these pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools. |
| Authentication Server Group | Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter the name or click Select to open an object selector (Object Selectors, page F-205). |
| Use LOCAL if Server Group Fails | Note Available if you selected LOCAL for the authentication server group. When selected, enables fallback to the local database for authentication if the selected authentication server group fails. |
| Authorization Server Group | Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter the name or click Select to open an object selector (Object Selectors, page F-205). |
| Accounting Server Group | Name of the accounting server group. Enter the name or click Select to open an object selector (Object Selectors, page F-205). |
Use this page to select the user group(s) that will be used in your SSL VPN connection.
Navigation Path
Depends on the type of device selected:
•(IOS device) From the Gateway and Context Page (IOS), click Edit in the Group Policies field.
•(ASA device) From the Connection Profile Page (ASA), click Edit in the Group Policies field.
Related Topics
•Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 10-8
•Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 10-10
Field Reference
| Element | Description |
|---|---|
| Available User Groups | Lists the predefined user groups available for selection. Select the required user group(s) and click >>. If the required user group is not listed, click Create to create a user group; see Create User Group Wizard. To modify the properties of a user group, select it and click Edit. |
| Selected User Groups | Lists the selected user groups. To remove user group(s) from this list, select them and click <<. To modify the properties of a user group, select it and click Edit. Note To specify a user group as the default user group, select it and click Set As Default. This option is available only for IOS routers. |
| >> button | Click this button to move the selected user group(s) from the Available User Groups list to the Selected User Groups list. |
| << button | Click this button to move the selected user group(s) from the Selected User Groups list to the Available User Groups list. |
Use the Create User Group wizard to create a user group that will be configured on an IOS router or ASA device in your SSL VPN connection.
Navigation Path
From the User Groups Selector Page, click Create or select an item from one of the lists and click Edit.
This section contains the following topics:
•Clientless and Thin Client Access Modes Page
Use this step of the Create User Group wizard to define a name for your user group, and optionally, select the remote access method(s) that will be used to access the SSL-enabled gateway (IOS router) or ASA security appliance.
Navigation Path
In the User Groups Selector Page, click Create.
Related Topics
•SSL VPN Access Modes, page 10-4
•Clientless and Thin Client Access Modes Page
Field Reference
Note This dialog box is only available if you selected the Full Client option in the Name and Access Method Page of the Create User Group wizard.
In this dialog box, you can configure the mode used to access the corporate network.
Navigation Path
Open the Create User Group Wizard, select the Full Client access method option, and then click Next.
Related Topics
•SSL VPN Access Modes, page 10-4
Field Reference
| Element | Description |
|---|---|
| Use Other Access Modes if SSL VPN Client Download Fails | When selected, enables the remote client to fall back to the clientless or thin client access modes if the SSL VPN Client (SVC) download fails. |
| Full Tunnel | When selected, enables the Full Tunnel access mode to be configured. Note For the Full Tunnel access mode to work properly, the SSL VPN Client (SVC) software must be installed on the device. |
| Client IP Address Pools | Note Available only if the selected device is an IOS router. IP address pools from which clients draw an address when they log on. Enter the IP address pools or click Select to open an object selector (Object Selectors, page F-205). |
| Primary DNS Server | IP address of the primary DNS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to open an object selector (Object Selectors, page F-205). |
| Secondary DNS Server | IP address of a secondary DNS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to open an object selector (Object Selectors, page F-205). |
| Default DNS Domain | Domain name of the DNS server to be used for Full Client SSL VPN connections. |
| Primary WINS Server | IP address of the primary WINS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to open an object selector (Object Selectors, page F-205). |
| Secondary WINS Server | IP address of a secondary WINS server to be used for Full Client SSL VPN connections. Enter the IP address or click Select to open an object selector (Object Selectors, page F-205). |
| Split Tunnel Option | Specifies which traffic is transmitted secured or unsecured across the public network: •Disabled—Split tunneling is disabled and no traffic will be secured. •Exclude Specified Networks—Split tunneling is enabled, and traffic to or from the networks specified in the Networks field is transmitted unsecured. •Tunnel Specified Networks—Split tunneling is enabled, and traffic to or from the networks specified in the Networks field is transmitted secured. |
| Destinations | Available if the selected device is an IOS router and split tunneling is enabled. The networks to which traffic is transmitted secured or unencrypted, depending on the selected Split Tunnel Option. Separate multiple entries with commas. Accepted formats are: •a.b.c.d where a,b,c,d = 0-255 (host). •a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet). •a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range). •Freeform text that is the name of a network/host object. You can click Select to open the Networks/Hosts Selector and choose from the list of available network and host objects. |
| Networks | Note Available if the selected device is an ASA security appliance and split tunneling is enabled. Depending on the Split Tunnel Option you configured, the list of networks whose traffic is transmitted unsecured or secured (through a tunnel): •If you selected Exclude Specified Networks, enter the networks whose traffic is transmitted unsecured, or click Select to open an object selector (Object Selectors, page F-205). •If you selected Tunnel Specified Networks, enter the networks whose traffic is transmitted secured (through a tunnel), or click Select to open an object selector (Object Selectors, page F-205). |
| Exclude Local LANs | Note Available if the selected device is an IOS router and split tunneling is enabled. When selected, prevents a non-split-tunneling connection from accessing the local subnetwork at the same time as the client. |
| Split DNS Names | List of domain names that must be tunneled or resolved to the private network. All other names are resolved using the public DNS server. |
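The split-tunnel decision described by the Split Tunnel Option and Destinations/Networks fields above, as an added example that is not part of this documentation or of Security Manager: it parses the four entry formats the Destinations field accepts (host, subnet, range, object name) and reports, for each mode, whether a destination is sent through the tunnel or unsecured. It treats Disabled as the ASA tunnelall policy (all traffic through the tunnel), which is an assumption of this example, and the object names and addresses in it are constructed.

```python
"""Split-tunnel decision for the Split Tunnel Option modes and the entry
formats accepted by the Destinations/Networks fields.

Added example, not Security Manager or ASA code. Assumption: "Disabled" is
treated like the ASA tunnelall policy, so every destination is tunneled.
"""
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network

# Constructed sample of network/host objects that a freeform entry may name.
# A real deployment resolves these from the Security Manager object table.
SAMPLE_OBJECTS: Dict[str, str] = {
    "corp-lan": "10.10.0.0/16",
    "dmz-web": "192.0.2.10-192.0.2.20",
}

MODES = ("Disabled", "Exclude Specified Networks", "Tunnel Specified Networks")


def parse_entry(entry: str, objects: Optional[Dict[str, str]] = None) -> List[IPv4Net]:
    """Parse one entry into the IPv4 networks it covers.

    Accepted forms, as listed in the field reference:
      a.b.c.d          host
      a.b.c.d/e        subnet, e = 1-32
      a.b.c.d-e.f.g.h  address range (expanded to the covering prefixes)
      name             the name of a network/host object
    Entries beginning with a digit are parsed literally; anything else is
    looked up as an object name.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if entry[0].isdigit():
        if "-" in entry:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end precedes start: {entry}")
            return list(ipaddress.summarize_address_range(lo, hi))
        if "/" in entry:
            net = IPv4Net(entry, strict=False)
            if net.prefixlen < 1:
                raise ValueError(f"prefix length must be 1-32: {entry}")
            return [net]
        return [IPv4Net(f"{entry}/32")]
    if objects is None or entry not in objects:
        raise ValueError(f"unknown network/host object: {entry}")
    return parse_entry(objects[entry], objects)


def parse_destinations(field: str, objects: Optional[Dict[str, str]] = None) -> List[IPv4Net]:
    """Parse the comma-separated Destinations (IOS) or Networks (ASA) field."""
    nets: List[IPv4Net] = []
    for item in field.split(","):
        if item.strip():
            nets.extend(parse_entry(item, objects))
    return nets


def is_tunneled(mode: str, networks: List[IPv4Net], destination: str) -> bool:
    """Return True when traffic to `destination` is sent secured through the tunnel.

    Disabled: split tunneling is off; everything is tunneled (assumed tunnelall).
    Exclude Specified Networks: listed networks go out unsecured, all else tunnels.
    Tunnel Specified Networks: only the listed networks are tunneled.
    """
    if mode not in MODES:
        raise ValueError(f"unknown split tunnel option: {mode}")
    dst = ipaddress.IPv4Address(destination)
    listed = any(dst in net for net in networks)
    if mode == "Disabled":
        return True
    if mode == "Exclude Specified Networks":
        return not listed
    return listed


def classify(mode: str, field: str, destinations: List[str],
             objects: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map each destination address to 'tunnel' or 'clear' under the given mode."""
    nets = parse_destinations(field, objects)
    return {d: ("tunnel" if is_tunneled(mode, nets, d) else "clear") for d in destinations}


if __name__ == "__main__":
    # Constructed field value mixing an object name, a range and another object.
    field = "corp-lan, 172.16.5.0-172.16.5.255, dmz-web"
    probes = ["10.10.3.4", "172.16.5.9", "192.0.2.15", "8.8.8.8"]
    for mode in MODES:
        print(f"{mode}: {classify(mode, field, probes, SAMPLE_OBJECTS)}")
```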
In the Clientless and Thin Client page of the Create User Group wizard, you can configure the Clientless and/or Thin Client modes to be used for accessing the corporate network in your SSL VPN.
Note This page is only available if you selected the Clientless and/or Thin Client options in step 1 of the Create User Group wizard (Name and Access Method Page).
Navigation Path
Open the Create User Group Wizard, select the Clientless and/or Thin Client access method options, and then click Next.
Related Topics
•SSL VPN Access Modes, page 10-4
•Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 8-84
•Creating Port Forwarding List Objects, page 8-71
Field Reference
A gateway and context must be configured on a device before a remote user can access resources on a private network behind the SSL VPN. Use this step of the SSL VPN Configuration wizard to specify a gateway and context configuration, including information that will allow users to access a portal page.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an IOS device. The Gateway and Context page is the first page that appears.
Related Topics
•Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 10-8
•Creating SSL VPN Gateway Objects, page 8-90
•Creating Port List Objects, page 8-72
•Understanding AAA Server and Server Group Objects, page 8-15
Field Reference
| Element | Description |
|---|---|
| Gateway | Gateway to be used as a proxy for connections to the protected resources in your SSL VPN. Options are: •Use Existing Gateway—When selected, enables you to use an existing gateway for your SSL VPN. •Create Using IP Address—When selected, enables you to configure a new gateway using a reachable (public static) IP address on the router. •Create Using Interface—When selected, enables you to configure a new gateway using the public static IP address of the router interface. |
| Gateway Name | Name of the gateway. Enter a gateway name or click Select to open an object selector (Object Selectors, page F-205). Note After you select the gateway, the port number and digital certificate required to establish a secure connection are displayed in the relevant fields. |
| Port | Note Available only if you selected to create a gateway using the router's IP address or interface. Number of the port that will carry the HTTPS traffic (between 1024 and 65535). The default is 443, unless HTTP port redirection is enabled, in which case the default HTTP port number is 80. Specify the port number or click Select to open an object selector (Object Selectors, page F-205). |
| Trustpoint | Note Available only if you selected to create a new gateway using the router's IP address or interface. Digital certificate required to establish a secure connection. Select a trustpoint if you need to use a specific CA certificate. A self-signed certificate is generated when an SSL VPN gateway is activated, and all gateways on the router can use the same certificate. |
| Context Name | Name of the context that identifies the resources needed to support the SSL VPN tunnel between the remote clients and the corporate or private intranet. |
| Portal Page URL | URL that is displayed on the Portal page to access the SSL VPN gateway. |
| Group Policies | Names of the group policies used in your SSL VPN connection, and whether Full Tunnel access mode is enabled or disabled for each. Enter a group policy name or click Edit to open the User Groups Selector Page. |
| Authentication Server Group | Name of the authentication server group (LOCAL if the users are defined on the local device). Enter an authentication server group name or click Select to open an object selector (Object Selectors, page F-205). |
| Authentication Domain | Specifies a list or method for SSL VPN remote user authentication. Note If you do not specify a list or method, the SSL VPN gateway uses the global AAA parameters for remote-user authentication. |
| Accounting Server Group | Name of the accounting server group. Enter an accounting server group name or click Select to open an object selector (Object Selectors, page F-205). |
Use this step of the SSL VPN Configuration wizard to define the appearance of the portal page that remote users see when connecting to the SSL VPN. The portal page allows remote users access to all websites available on the SSL VPN networks.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access SSL VPN on an IOS device; then click Next until you reach this page.
Related Topics
•Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 10-8
Field Reference
Use the Connection Profile page to configure the connection profile policies on your security appliance. You can specify a name for the connection profile policy that you are adding, select the user group policy, specify address pools for this policy, and specify authentication, authorization, and accounting server group settings.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPsec VPN on an ASA device. The IPSec Connection Profile page is the first page that appears.
Related Topics
•Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 10-12
Field Reference
| Element | Description |
|---|---|
| Connection Profile Name | Name of the connection profile that contains the policies for this IPSec VPN connection profile. |
| Group Policy | Default group policy associated with the device. Enter a name or click Select to open an object selector (Object Selectors, page F-205). |
| Global IP Address Pool | Address pools from which IP addresses are assigned. The server uses these address pools in the order listed: if all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools. Enter the name of a Network object or click Select to open an object selector (Object Selectors, page F-205). |
| Authentication Server Group | Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter a name or click Select to open an object selector (Object Selectors, page F-205). |
| Use LOCAL if Server Group Fails | Available if you selected LOCAL for the authentication server group. When selected, enables fallback to the local database for authentication if the selected authentication server group fails. |
| Authorization Server Group | Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter a name or click Select to open an object selector (Object Selectors, page F-205). |
| Accounting Server Group | Name of the accounting server group. Enter a name or click Select to open an object selector (Object Selectors, page F-205). |
Use the IPSec Settings page of the IPSec VPN Configuration Wizard to configure IPSec settings on your security appliance.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPsec VPN on an ASA device; then click Next until you reach this page.
Related Topics
•Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 10-12
Field Reference
| Element | Description |
|---|---|
| Preshared Key | The value of the preshared key for the tunnel group. The maximum length of a preshared key is 127 characters. Note You must retype this value in the Confirm field. |
| Trustpoint Name | The trustpoint name, if any trustpoints are configured. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. |
| IKE Peer ID Validation | Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another. |
| Enable Sending Certificate Chain | When selected, enables sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair. |
| Enable Password Update with RADIUS Authentication | When selected, enables passwords to be updated with the RADIUS authentication protocol. For more information, see Supported AAA Server Types, page 8-16. |
| Monitor Keepalive | When selected, enables you to configure IKE keepalive as the default failover and routing mechanism. For more information, see Understanding ISAKMP/IPsec Settings, page 9-52. |
| Confidence Interval | The number of seconds that a device waits between sending IKE keepalive packets. |
| Retry Interval | The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds. |
| All Windows Platforms | When selected, enables you to configure the specific revision level and image URL of the VPN client on all Windows platforms. |
| Windows 95/98/ME | When selected, enables you to configure the specific revision level and image URL of the VPN client on Windows 95/98/ME platforms. |
| Windows NT4.0/2000/XP | When selected, enables you to configure the specific revision level and image URL of the VPN client on Windows NT4.0/2000/XP platforms. |
| VPN3002 Hardware Client | When selected, enables you to configure the specific revision level and image URL of the VPN3002 hardware client. |
The VPN Defaults page of the Remote Access IPSec Configuration Wizard displays all the available policy types that can be assigned to your device. For each policy type, you can assign either the factory default policy (a private policy), or a shared policy that you created using Security Manager. When you click Finish, the selected policies are assigned to your device.
To assign a policy that is not listed, you can change the policy defaults selection in the VPN Policy Defaults page (Tools > Security Manager Administration > VPN Policy Defaults). On this page, you can view the default policies available for assignment to remote access VPN devices. These include the factory defaults, in addition to any shared VPN policies that you created and submitted or approved (depending on the workflow mode), with Security Manager.
Note In Policy view, you can view all shared policies that were defined for each policy type in a remote access VPN, edit individual policies, and modify their device assignments. For more information, see Managing Shared Policies in Policy View, page 6-35.
Note Default policies are not available for user group and connection profile policies. You must define a user group policy (or connection profile policy for ASA devices and PIX Firewalls version 7.0) each time you configure your remote access VPN server.
If you try to select a default policy that is locked by another user, a warning is displayed. You can change the default in the VPN Defaults page of the wizard in order to bypass the lock, or you can just cancel the configuration of your device until the lock is approved. For more information, see Understanding Locking, page 6-7.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPSec VPN on an ASA device; then click Next until you reach this page.
Related Topics
•Creating IPSec VPNs Using the Remote Access VPN Configuration wizard (ASA Devices), page 10-12
Field Reference
Use the User Group Policy page to specify user groups for your remote access IPSec VPN server.
Note The User Group Policy page is available if the selected device is a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500 /7600 device.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPSec VPN on an IOS device; then click Next until you reach this page.
Related Topics
•Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 10-10
•Creating User Group Objects, page 8-94
Field Reference
| Element | Description |
|---|---|
| Available User Groups | Lists the predefined user groups available for selection. Select the required user groups and click >>. In Security Manager, user groups are objects. If the required user group is not in the list, click Create to open the User Groups Editor dialog box, which enables you to create or edit a user group object. See Add or Edit User Group Dialog Box, page F-187. |
| Selected User Groups | Displays the selected user groups. To remove a user group from this list, select it and click <<. To modify the properties of a user group, select it and click Edit. |
| >> button | Click to move a selected user group from the Available User Groups list to the Selected User Groups list. |
| << button | Click to move a selected user group from the Selected User Groups list back to the Available User Groups list. |
| Save button | Available only if you opened this page from the Remote Access VPN Policies folder and you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
The VPN Defaults page of the Remote Access IPSec Configuration Wizard displays all the available policy types that can be assigned to your device. For each policy type, you can assign either the factory default policy (a private policy), or a shared policy that you created using Security Manager.
To assign a policy that is not listed, you can change the policy defaults selection in the VPN Policy Defaults page (Tools > Security Manager Administration > VPN Policy Defaults). On this page, you can view the default policies available for assignment to remote access VPN devices. These include the factory defaults, in addition to any shared VPN policies that you created and submitted or approved (depending on the workflow mode), with Security Manager.
Note In Policy view, you can view all shared policies that were defined for each policy type in a remote access VPN, edit individual policies, and modify their device assignments. For more information, see Managing Shared Policies in Policy View, page 6-35.
Note Default policies are not available for user group and connection profile policies. You must define a user group policy (or connection profile policy for ASA devices and PIX Firewalls version 7.0) each time you configure your remote access VPN server.
If you try to select a default policy that is locked by another user, a warning is displayed. You can change the default in the VPN Defaults page of the wizard in order to bypass the lock, or you can just cancel the configuration of your device until the lock is approved. For more information, see Understanding Locking, page 6-7.
Navigation Path
(Device view) Open the Remote Access VPN Configuration Wizard for configuring a remote access IPSec VPN on an IOS device; then click Next until you reach this page.
Related Topics
•Creating IPSec VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 10-10
Field Reference
Use the ASA Cluster Load Balance page to enable load balancing for an ASA device in your remote access VPN.
Note Load balancing requires an active 3DES/AES license. The ASA device checks for the existence of this crypto license before enabling load balancing. If it does not detect an active 3DES or AES license, the device prevents load balancing, and also prevents internal configuration of 3DES by the load balancing system.
Navigation Path
•(Device View) Select an ASA device; then select Remote Access VPN > ASA Cluster Load Balance from the Policy selector.
•(Policy View) Select Remote Access VPN > ASA Cluster Load Balance and click the Create button. Enter a name for the policy and click OK.
Related Topics
•Understanding Cluster Load Balancing (ASA), page 10-14
•Configuring Cluster Load Balance Policies (ASA), page 10-15
•Creating Interface Role Objects, page 8-34
•Managing Shared Remote Access VPN Policies in Policy View, page 10-62
Field Reference
| Element | Description |
|---|---|
| VPN Load Balancing | |
| Participate in Load Balancing Cluster | Select to specify that the device belongs to the load-balancing cluster. |
| VPN Cluster Configuration | |
| Cluster IP Address | The single IP address that represents the entire virtual cluster. The IP address should be in the same subnet as the external interface. |
| UDP Port | The UDP port for the virtual cluster in which the device is participating. If another application is using this port, enter the UDP destination port number that you want to use for load balancing. The default is 9023. |
| Enable IPsec Encryption | Select this check box to ensure that all load-balancing information communicated between the devices is encrypted. When the check box is selected, you must also specify and verify a shared secret. The security appliances in the virtual cluster communicate via LAN-to-LAN tunnels using IPsec. |
| IPsec Shared Secret | The shared secret to be communicated between IPsec peers if you enabled IPsec encryption. This can be a case-sensitive value between 4 and 16 characters, without spaces. |
| Priority | |
| Accept default device value | When selected (the default), accepts the default priority value assigned to the device. |
| Configure same priority on all devices in the cluster | When selected, enables you to configure the same priority value on all the devices in the cluster. The priority indicates the likelihood of this device becoming the virtual cluster master, either at startup or when the existing master fails. Enter a value between 1 and 10. |
| VPN Server Configuration | |
| Public interfaces | The public interfaces to be used on the server. Interfaces are predefined objects. You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects. |
| Private Interfaces | The private interfaces to be used on the server. Interfaces are predefined objects. You can click Select to open a dialog box that lists all available interfaces, and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects. |
| Send FQDN to client instead of an IP address when redirecting | When selected, enables redirection using a FQDN on an ASA device configured with load balancing. For more information, see Understanding Cluster Load Balancing (ASA), page 10-14. This check box is available only for ASA devices running 8.0.2 or later. |
| Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
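The fields in the table above map one-to-one onto the ASA's vpn load-balancing configuration. The following is an added example of the CLI such a policy produces on an ASA, not a configuration taken from this guide; the cluster address, interface names and shared secret are constructed placeholders.

```cisco
! Added example (constructed values): ASA CLI equivalent of the Cluster Load Balance fields
vpn load-balancing
 ! Public interfaces / Private Interfaces: the interfaces the cluster uses
 interface lbpublic outside
 interface lbprivate inside
 ! Cluster IP Address: the virtual address, in the same subnet as the outside interface
 cluster ip address 203.0.113.10
 ! UDP Port: 9023 is the default; change only if another application uses it
 cluster port 9023
 ! IPsec Shared Secret (4-16 characters, no spaces) must be identical on every member;
 ! configure the key before enabling encryption
 cluster key ExampleKey1
 ! Enable IPsec Encryption: members exchange load-balancing data over IPsec LAN-to-LAN tunnels
 cluster encryption
 ! Priority 1-10: higher values are more likely to become the virtual cluster master
 priority 5
 ! Send FQDN to client instead of an IP address when redirecting (ASA 8.0.2 or later);
 ! each member's outside address must reverse-resolve in DNS for the redirect to work
 redirect-fqdn enable
 ! Participate in Load Balancing Cluster
 participate
```

Before submitting the policy, confirm that every member uses the same cluster IP address, UDP port and shared secret; a member with a different key cannot join the encrypted cluster.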
Use the Connection Profiles page to manage VPN connection profile policies on ASA security appliances. The columns in the table summarize the existing policies and are explained in General Tab (ASA).
To manage VPN connection profile policies:
•Click the Add button to add a policy to the table.
•Select an entry and click the Edit button to edit an existing entry.
•Select an entry and click the Delete button to delete it.
For more information about the tabs that appear when adding or editing a connection profile, see these topics:
Navigation Path
•(Device View) Select an ASA device; then select Remote Access VPN > Connection Profiles from the Policy selector.
•(Policy View) Select Remote Access VPN > Connection Profiles (ASA) and click the Create button. Enter a name for the policy and click OK.
This section contains the following topics:
Use the General tab of the Add/Edit Connection Profiles dialog box to configure the basic parameters for a VPN Connection Profile policy.
Navigation Path
From the Connection Profiles Page (ASA), click the Add button or select an entry and click the Edit button.
Related Topics
•Configuring Connection Profiles (ASA), page 10-16
•Connection Profiles Page (ASA)
•Creating ASA User Group Objects, page 8-28
•Understanding Network/Host Objects, page 8-65
Field Reference
| Element | Description |
|---|---|
| Connection Profile Name | The name of the tunnel group that contains the policies for this SSL VPN connection profile. |
| Group Policy | If required, the default user group associated with the device. You can click Select to open the ASA User Groups Selector, from which you can select a user group from a list of ASA user group objects. |
| DHCP Servers | The DHCP servers to be used for client address assignments. The server uses the DHCP servers in the order listed. DHCP servers are predefined network objects. If you want to use a different DHCP server, or select additional DHCP servers, click Select to open the Network/Hosts selector, which lists all available network hosts and in which you can create network host objects. |
| Global IP Address Pool | The address pools from which IP addresses will be assigned. The server uses these pools in the order listed. If all addresses in the first pool have been assigned, it uses the next pool, and so on. You can specify up to 6 pools. Address pools are predefined network objects. You can click Select to open the Network/Hosts selector, from which you can make your selection(s). |
| Interface-Specific Address Pools | Contains a list of interfaces with their corresponding address pool assignments. To define an additional interface address pool assignment, click Create. To edit an existing assignment, select it and click Edit. In either case the Add/Edit Interface Specific Client Address Pools dialog box appears; for descriptions of the elements in this dialog box, see Add/Edit Interface Specific Client Address Pools. To remove an assignment, select it and click Delete. |
Use the Add/Edit Interface Specific Client Address Pools dialog box to configure interface-specific client address pools for your SSL VPN connection profile policy.
Navigation Path
Open the General Tab (ASA), then click Create below the Client IP Address Pool table, or select a row in the table and click Edit.
Related Topics
•Connection Profiles Page (ASA)
•Creating Interface Role Objects, page 8-34
•Creating Network/Host Objects, page 8-66
Field Reference
Use the AAA tab of the Add/Edit Connection Profile dialog box to configure the AAA authentication parameters for an SSL VPN connection profile policy.
Navigation Path
From the Connection Profiles Page (ASA), click the Add button or select an entry and click the Edit button; then select the AAA tab.
Related Topics
•Configuring Connection Profiles (ASA), page 10-16
•Connection Profiles Page (ASA)
•Understanding AAA Server and Server Group Objects, page 8-15
Field Reference
| Element | Description |
|---|---|
| Authentication Server Group | Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Enter an authentication server group or click Select to display an object selector (see Object Selectors, page F-205). Note If you want to set the authentication server group per interface, see Add/Edit Interface Specific Authentication Server Groups. |
| Use LOCAL if Server Group Fails | Note Available if you selected LOCAL for the authentication server group. When selected, enables fallback to the local database for authentication if the selected authentication server group fails. |
| Authorization Server Group | Name of the authorization server group (LOCAL if the tunnel group is configured on the local device). Enter an authorization server group or click Select to display an object selector (see Object Selectors, page F-205). |
| Exist users check | When selected, defines that the username of the remote client must exist in the database before a successful connection can be established. If the username does not exist in the authorization database, the connection is denied. Select this check box if you want the security appliance to allow only users in the authorization database to connect. By default this feature is disabled. You must have a configured authorization server to use this feature. |
| Accounting Server Group | Name of the accounting server group. Enter a name or click Select to display an object selector (see Object Selectors, page F-205). |
| Override Account-Disabled Indication from AAA Server | When selected, enables you to override the "account-disabled" indicator from an AAA server. This configuration is valid for servers, such as RADIUS with NT, LDAP, and Kerberos, that return an "account-disabled" indication. Note If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory. |
| Enable Notification Upon Password Expiration to Allow User to Change Password | When selected, enables the security appliance to notify the remote user at login that the current password is about to expire or has expired, then offers the user the opportunity to change the password. Note If you do not also check the Enable Notification Prior to Expiration check box, the security appliance does not notify the user of the pending expiration, but the user can change the password after it expires. |
| Enable Notification Prior to Expiration | Note Available only if you selected the Enable Notification Upon Password Expiration to Allow User to Change Password check box. When selected, enables you to specify the number of days before expiration to warn the user about the pending expiration. If the current password has not yet expired, the user can still log in using that password. This parameter is valid for AAA servers that support such notification—RADIUS, RADIUS with an NT server, and LDAP servers. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured. Note The selection of this check box only enables the notification. You must specify the number of days for it to take effect. |
| Notify Prior to Expiration | Note Available only if you selected the Enable Notification Prior to Expiration check box. Specifies the number of days before the current password expires to notify the user of the pending expiration. The range is 1 through 180 days. |
| Use Entire DN as the Username | When selected, enables you to use the entire Distinguished Name (DN) as the identifier for the username. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication on ASA devices. |
| Specify Individual DN fields as the Username | When selected (the default), enables you to use individual DN fields as the username when matching users to the tunnel group. A DN certificate is made up of different field identifiers that can be used to match users to tunnel groups. |
| Primary DN Field | Note Available if you selected to use individual DN fields as the username. Select the primary DN field identifier to be used for identification from the list. The default is UID (User ID). |
| Secondary DN Field | Note Available if you selected to use individual DN fields as the username. Select the secondary DN field identifier to be used for identification. Select None if no secondary field identifier is required. |
| Interface-Specific Authentication Server Groups | Use this table to associate interfaces with authentication server groups and to enable or disable fallback to the LOCAL database. • To add an interface-specific authentication group to the list, click the Create button. See Add/Edit Interface Specific Authentication Server Groups. • To edit a selected interface-specific authentication group, click the Edit button. See Add/Edit Interface Specific Authentication Server Groups. • To delete the selected interface-specific authentication group, click the Delete button. |
Use the Add/Edit Interface Specific Authentication Server Groups dialog box to configure interface-specific authentication for your SSL VPN connection profile policy. This setting overrides the global authentication server group settings configured on the General Tab (ASA).
Navigation Path
Open the AAA Tab (ASA), then click Create below the Interface Specific Authentication Server Groups table, or select a row in the table and click Edit.
Related Topics
•Configuring Connection Profiles (ASA), page 10-16
•Understanding Interface Role Objects, page 8-33
•Understanding AAA Server and Server Group Objects, page 8-15
Field Reference
| Element | Description |
|---|---|
| Interface | Interface to be associated with the authentication server group. Enter an interface name or click Select to display an object selector (see Object Selectors, page F-205). |
| Server Group | Server group to be associated with the selected interface. Enter a server group name or click Select to display an object selector (see Object Selectors, page F-205). |
| Use LOCAL if server group fails | When selected, enables fallback to the LOCAL database if the selected server group fails. |
Use the Secondary AAA tab to configure the secondary AAA authentication parameters for an SSL VPN connection profile policy.
Navigation Path
From the Connection Profiles Page (ASA), click the Add button or select an entry and click the Edit button; then select the Secondary AAA tab.
Related Topics
•Configuring Connection Profiles (ASA), page 10-16
•Connection Profiles Page (ASA)
Field Reference
| Element | Description |
|---|---|
| Enable Double Authentication | Click this check box to enable the Double Authentication feature on the selected device. |
| Secondary Authentication Server Group | Name of the authentication server group (LOCAL if the tunnel group is configured on the local device). Click Select to open a dialog box that lists all available AAA server groups, and in which you can create AAA server group objects. Note If you want to set the authentication server group per interface, see Add/Edit Interface Specific Authentication Server Groups. |
| Use LOCAL if Server Group Fails | Available if you selected LOCAL for the authentication server group. When selected, enables fallback to the local database for authentication if the selected authentication server group fails. |
| Use Primary Username | When selected, users are prompted for a single login username and two passwords. When left unselected, users are prompted for both a primary and secondary login username and password. |
| Username for Session | Select the username for the session: • Primary—A single username is used for both authentication requests. • Secondary—A unique username is used for both authentication requests. Note By default, if there is more than one username, AnyConnect remembers both usernames between sessions. In addition, the head-end device might offer a feature to allow for admin control over whether the client remembers both or neither usernames. |
| Authorization Server | Select the server from which users are authenticated: • Primary—User is authenticated against credentials stored on the primary server. • Secondary—User is authenticated against credentials stored on the secondary server. |
| Distinguished Name (DN) Secondary Authorization Settings | Configure the settings as follows: • Use Entire DN as the Username for Secondary Authentication—When selected, enables you to use the entire Distinguished Name (DN) as the identifier for the username for secondary authentication. A distinguished name (DN) is a unique identification, made up of individual fields, that can be used as the identifier when matching users to a tunnel group. DN rules are used for enhanced certificate authentication on ASA devices. • Specify Individual DN fields as the Username for Secondary Authentication—When selected (the default), enables you to use individual DN fields as the username for secondary authentication when matching users to the tunnel group. A DN certificate is made up of different field identifiers that can be used to match users to tunnel groups. • Primary DN Field—Available if you selected to use individual DN fields as the username. Select the primary DN field identifier to be used for identification from the list. The default is UID (User ID). • Secondary DN Field—Available if you selected to use individual DN fields as the username. Select the secondary DN field identifier to be used for identification. Select None if no secondary field identifier is required. |
| Secondary Interface-Specific Authentication Server Groups | List of secondary interface-specific authentication server groups. For detailed information about the elements in this table, see Add/Edit Interface Specific Authentication Server Groups. To add a group to the list, click the Create button. To edit a selected group, click the Edit button. To delete the selected group, click the Delete button. |
Use the Add/Edit Secondary Interface Specific Authentication Server Groups dialog box to configure secondary interface-specific authentication for your SSL VPN connection profile policy.
Navigation Path
Open the Secondary AAA Tab (ASA), then click Create below the Interface Specific Authentication Server Groups table, or select a row in the table and click Edit.
Related Topics
•Connection Profiles Page (ASA)
•Configuring Connection Profiles (ASA), page 10-16
•Understanding Interface Role Objects, page 8-33
Field Reference
Use the IPsec tab of the Connection Profiles page to specify IPsec and IKE parameters for the connection policy.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > Connection Profiles from the Policy selector.
3. Select the IPSec tab.
Related Topics
•Connection Profiles Page (ASA)
•Configuring Connection Profiles (ASA), page 10-16
Field Reference
| Element | Description |
|---|---|
| Preshared Key | The value of the preshared key for the connection profile. The maximum length of a preshared key is 127 characters. |
| Trustpoint Name | The trustpoint name if any trustpoints are configured. A trustpoint represents a CA/identity pair and contains the identity of the CA, CA-specific configuration parameters, and an association with one enrolled identity certificate. |
| IKE Peer ID Validation | Select whether IKE peer ID validation is ignored, required, or checked only if supported by a certificate. During IKE negotiations, peers must identify themselves to one another. |
| Enable Sending Certificate Chain | When selected, enables the sending of the certificate chain for authorization. A certificate chain includes the root CA certificate, identity certificate, and key pair. |
| Enable Password Update with RADIUS Authentication | When selected, enables passwords to be updated with the RADIUS authentication protocol. For more information, see Supported AAA Server Types, page 8-16. |
| Monitor Keepalive | When selected, enables you to configure IKE keepalive as the default failover and routing mechanism. For more information, see Understanding ISAKMP/IPsec Settings, page 9-52. |
| Confidence Interval | The number of seconds that a device waits between sending IKE keepalive packets. |
| Retry Interval | The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds. |
| Client Software Update | |
| All Windows Platforms | When selected, enables you to configure the specific revision level and image URL of the VPN client on all Windows platforms. For more information, see IPSec Client Software Update Dialog Box. |
| Windows 95/98/ME | When selected, enables you to configure the specific revision level and image URL of the VPN client on Windows 95/98/ME platforms. For more information, see IPSec Client Software Update Dialog Box. |
| Windows NT4.0/2000/XP | When selected, enables you to configure the specific revision level and image URL of the VPN client on NT4.0/2000/XP platforms. For more information, see IPSec Client Software Update Dialog Box. |
| VPN3002 Hardware Client | When selected, enables you to configure the specific revision level and image URL of the VPN3002 hardware client. For more information, see IPSec Client Software Update Dialog Box. |
Use the IPsec Client Software Update dialog box to configure the specific revision level and image URL of a VPN client.
Navigation Path
From the IPSec Tab (ASA), select a client type in the Client Software Update table and click Edit.
Related Topics
•Connection Profiles Page (ASA)
•Configuring Connection Profiles (ASA), page 10-16
Field Reference
Use the SSL tab of the Add/Edit Connection Profile dialog box to configure the WINS servers for the connection profile policy, select a customized look and feel for the SSL VPN end-user logon web page, DHCP servers to be used for client address assignment, and establish an association between an interface and client IP address pools.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > Connection Profiles from the Policy selector.
3. Click Create or Edit.
4. Select the SSL tab.
Related Topics
•Connection Profiles Page (ASA)
•Configuring Connection Profiles (ASA), page 10-16
•Understanding Network/Host Objects, page 8-65
•Configuring ASA Portal Appearance Using SSL VPN Customization Objects, page 8-79
Field Reference
| Element | Description |
|---|---|
| CSD Alternate User Group | If required, an alternate user group to be applied to the tunnel group. You can click Select to open the ASA User Groups Selector, from which you can select a user group from a list of ASA user group objects. |
| WINS Servers List | The name of the WINS (Windows Internet Naming Server) servers list to use for CIFS name resolution. SSL VPN uses the CIFS protocol to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific WINS server name that identifies a resource on the network. A WINS servers list defines a list of WINS servers, which are used to translate Windows file server names to IP addresses. The security appliance queries the WINS servers to map WINS names to IP addresses. You must configure at least one, and up to three, WINS servers for redundancy. The security appliance uses the first server on the list for WINS/CIFS name resolution. If the query fails, it uses the next server. WINS server lists are predefined objects. If you want to use a different WINS servers list, click Select to open the WINS Server List Selector dialog box, which lists all available WINS Servers list objects and in which you can create WINS Servers list objects. |
| DNS Group | The DNS group to use for the SSL VPN tunnel group. The DNS group resolves the hostname to the appropriate DNS server for the tunnel group. |
| Portal Page Customization | Defines the appearance of the portal page that allows the remote user access to all resources available on the SSL VPN networks. Specify the SSL VPN customization profile in the field provided. Customization profiles are predefined objects. You can click Select to open the SSL VPN Customization Selector dialog box, from which you can make your selection or create customization objects. Note You can set up different login windows for different groups by using a combination of customization profiles and tunnel groups. For example, assuming that you had created a customization profile called salesgui, you can create an SSL VPN tunnel group called sales that uses that customization profile. |
| Override SVC Download | Click this check box if you want clientless users logging in under specific tunnel groups to not have to wait for the download prompt to expire before being presented with the clientless SSL VPN home page. Instead, these users are immediately presented with the clientless SSL VPN home page. |
| Reject Radius Message | Click this check box if you want to display to remote users a RADIUS message about their authentication failure. |
| Connection Aliases | |
| Alias | The alternate name by which the tunnel group is referred to. A group alias creates one or more alternate names by which a user can refer to a tunnel group. This feature is useful when the same group is known by several common names (such as "Devtest" and "QA"). If you want the actual name of the tunnel group to appear on this list, you must specify it as an alias. The group alias that you specify here appears on the login page. Each tunnel group can have multiple aliases or no alias. For more information, see Understanding Connection Profiles (ASA), page 10-16. |
| Status | Specifies whether a group alias is enabled or not. If enabled, the group alias appears in a list during login. |
| Create button | Opens the Add/Edit Connection Alias Dialog Box for creating a group alias. |
| Edit button | Opens the Add/Edit Connection Alias Dialog Box for editing the settings of a selected group alias in the table. |
| Delete button | Deletes one or more group aliases that are selected in the table. |
| Group URLs | |
| URL | The URL associated with the tunnel group connection profile. You can configure multiple URLs (or no URLs) for a tunnel group. Each URL can be enabled or disabled individually. You must use a separate specification for each URL, specifying the entire URL using either the HTTP or HTTPS protocol. For more information, see Understanding Connection Profiles (ASA), page 10-16. |
| Status | Specifies whether a group URL is enabled or not. If enabled, it eliminates the need to select a group during login. |
| Create button | Click to open the Add Group URL dialog box for creating a group URL. See Add/Edit Connection URL Dialog Box. |
| Edit button | Select a group URL in the table, then click to open the Edit Group URL dialog box to edit its settings. See Add/Edit Connection URL Dialog Box. |
| Delete button | Select the rows of one or more group URLs, then click to remove them from the list. |
Use the Add/Edit Connection Alias dialog box to create or edit a connection alias for an SSL VPN connection profile. Specifying the connection alias creates one or more alternate names by which the user can refer to a tunnel group.
Navigation Path
Open the SSL Tab (ASA), then click Create below the Connection Aliases table, or select a row in the table and click Edit.
Related Topics
•Connection Profiles Page (ASA)
•Configuring Connection Profiles (ASA), page 10-16
Field Reference
Use this dialog box to specify incoming URLs or IP addresses for the tunnel group. If a connection URL is enabled in a tunnel group, the security appliance selects the associated tunnel group and presents the user with only the username and password fields in the login window.
Note You can configure multiple URLs or addresses (or none) for a group. Each URL or address can be enabled or disabled individually.
You cannot associate the same URL or address with multiple groups. The security appliance verifies the uniqueness of the URL or address before accepting the URL or address for a tunnel group.
Navigation Path
Open the SSL Tab (ASA), then click Create below the Group URLs table, or select a row in the table and click Edit.
Related Topics
•Connection Profiles Page (ASA)
•Configuring Connection Profiles (ASA), page 10-16
Field Reference
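The General, AAA, Secondary AAA and SSL tabs, together with the alias and URL dialog boxes described above, all end up as one ASA tunnel-group. The following is an added example of the CLI that such a connection profile produces, not configuration from this guide; the profile name, server group names, addresses, URL and customization name are constructed placeholders.

```cisco
! Added example (constructed values): ASA CLI for a connection profile named "sales"
! General tab: address pool, DHCP server and default group policy
ip local pool SALES-POOL 10.20.30.1-10.20.30.254 mask 255.255.255.0
tunnel-group sales type remote-access
tunnel-group sales general-attributes
 default-group-policy SALES-GP
 address-pool SALES-POOL
 dhcp-server 10.0.0.5
 ! AAA tab: authentication server group with "Use LOCAL if Server Group Fails"
 authentication-server-group RADIUS-GRP LOCAL
 ! Interface-specific authentication server group for the outside interface
 authentication-server-group (outside) RADIUS-GRP LOCAL
 ! Authorization server group and "Exist users check" (users must exist in the database)
 authorization-server-group LDAP-GRP
 authorization-required
 accounting-server-group RADIUS-GRP
 ! Override Account-Disabled Indication from AAA Server
 override-account-disable
 ! Enable Notification Prior to Expiration, Notify Prior to Expiration = 14 days
 password-management password-expire-in-days 14
 ! Specify Individual DN fields as the Username: primary CN, secondary OU
 username-from-certificate CN OU
 ! Secondary AAA tab: double authentication with "Use Primary Username" selected
 secondary-authentication-server-group LDAP-GRP use-primary-username
tunnel-group sales webvpn-attributes
 ! SSL tab: portal page customization and Override SVC Download
 customization salesgui
 override-svc-download enable
 ! Connection Aliases: both names refer to the same tunnel group
 group-alias Devtest enable
 group-alias QA enable
 ! Group URL: must be unique across all tunnel groups on the appliance
 group-url https://vpn.example.com/sales enable
```

Aliases appear in the login-page group list only when the global webvpn configuration has tunnel-group-list enable set; a group URL, by contrast, selects the tunnel group without any list, which is why the appliance refuses a URL already bound to another group.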
Use the Dynamic Access page to view the dynamic access policies (DAP) defined on the security appliance. From this page, you can create, edit, or delete DAPs.
Use the Cisco Secure Desktop section to enable and download the Cisco Secure Desktop (CSD) software on the selected ASA device. Cisco Secure Desktop provides a single, secure location for session activity and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL VPN session.
Note The CSD client software must be installed and activated on a device in order for an SSL VPN policy to work properly.
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > Dynamic Access from the Policy selector.
Related Topics
•Understanding Dynamic Access Policies, page 10-17
•Configuring Dynamic Access Policies, page 10-18
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Cisco Secure Desktop Policies on ASA Devices, page 10-26
Field Reference
| Element | Description |
|---|---|
| Priority | Priority of the configured dynamic access policy record. |
| Name | Name of the configured dynamic access policy record. |
| Network ACL | Name of the firewall ACL that applies to the session. |
| WebType ACL | Name of the WebType VPN ACL that applies to the session. |
| Port Forwarding | Name of the port forwarding list that applies to the session. |
| Bookmark | Name of the SSL VPN Bookmark object that applies to the session. |
| Terminate | Indicates whether the session is terminated or not. |
| Description | Additional information about the configured dynamic access policy. |
| Create button | Click this button to create a dynamic access policy. See Add/Edit Dynamic Access Policy Dialog Box. |
| Edit button | Click this button to edit the selected dynamic access policy. See Add/Edit Dynamic Access Policy Dialog Box. |
| Delete button | Click this button to delete the selected dynamic access policies. |
| Cisco Secure Desktop | For the procedure to configure CSD on an ASA device, see Configuring Cisco Secure Desktop Policies on ASA Devices, page 10-26. |
| Enable | When selected, enables the CSD on the device. Enabling CSD loads the specified Cisco Secure Desktop package. If you transfer or replace the CSD package file, disable and then enable CSD to load the file. |
| Package Version | Specify the name of the File Object that identifies the Cisco Secure Desktop package you want to upload to the device. Click Select to select an existing File Object or to create a new one. For more information, see Creating File Objects, page 8-31. Note The package version must be compatible with the ASA operating system version. When you create a local policy in Device view, the Version field indicates the CSD package version you should select. (The version is included in the package file name. For example, securedesktop-asa_k9-3.3.0.118.pkg is CSD version 3.3.0.118.) When you create a shared policy in Policy view, the Version field indicates the version of the CSD file you selected. |
| Configure | Click Configure to open the Cisco Secure Desktop Manager (CSDM) Policy Editor that lets you configure CSD on the security appliance. For a description of the elements in this dialog box, see Cisco Secure Desktop Manager Policy Editor Dialog Box. |
Use the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access policies (DAP) on your security appliance. You can specify a name for the dynamic access policy that you are adding, select the priority, specify attributes in a LUA expression, and set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.
Note For detailed information about dynamic access policy attributes, see Understanding DAP Attributes, page 10-19.
These tabs are available in the Add/Edit Dynamic Access Policy dialog box:
Navigation Path
Open the Dynamic Access Page (ASA), then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit Dynamic Access Policy dialog box is displayed.
Related Topics
•Understanding Dynamic Access Policies, page 10-17
•Configuring Dynamic Access Policies, page 10-18
Field Reference
| Element | Description |
|---|---|
| Name | The name of the dynamic access policy record (up to 128 characters). |
| Priority | A priority for the dynamic access policy record. The security appliance applies access policies in the order you set here, the highest number having the highest priority. In the case of dynamic access policy records with the same priority setting and conflicting ACL rules, the most restrictive rule applies. |
| Description | Additional information about the dynamic access policy record (up to 1024 characters). |
| Main tab | Enables you to add a dynamic access policy entry and set attributes for the access policy depending on the type of remote access that you configure. For a description of the elements on this tab, see Main Tab. |
| Logical Operators tab | Enables you to create multiple instances of each type of endpoint attribute. For a description of the elements on this tab, see Logical Operators Tab. |
| Advanced Expressions tab | Enables you to configure one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas. For a description of the elements on this tab, see Advanced Expressions Tab. |
Use the Main tab of the Add/Edit Dynamic Access Policy dialog box to configure the dynamic access policy attributes and the type of remote access method supported by your security appliance. You can set attributes for network and webtype ACL filters, file access, HTTP proxy, URL entry and lists, port forwarding, and clientless SSL VPN access methods.
Navigation Path
The Main tab appears when you open the Add/Edit Dynamic Access Policy Dialog Box.
Related Topics
•Configuring Dynamic Access Policies, page 10-18
•Configuring DAP Attributes, page 10-23
Field Reference
|
|
---|---|
Criteria ID |
The AAA and endpoint selection attribute names that are available for dynamic access policy use. |
Content |
Values of the AAA and endpoint attributes criteria that the security appliance uses for selecting and applying a dynamic access policy record during session establishment. Attribute values that you configure here override authorization values in the AAA system, including those in existing group policy, tunnel group, and default group records. |
Create button |
Click this button to configure AAA and endpoint attributes as selection criteria for the DAP record. See Add/Edit DAP Entry Dialog Box. |
Edit button |
Click this button to edit the selected dynamic access policy. See Add/Edit DAP Entry Dialog Box. |
Delete button |
Click this button to delete the selected dynamic access policies. |
Access Method |
Specify the type of remote access permitted: •Unchanged—Continue with the current remote access method. •AnyConnect Client—Connect using the Cisco AnyConnect VPN Client. •Web Portal—Connect with clientless VPN. •Both default Web Portal—Connect via either clientless or the AnyConnect client, with a default of clientless. •Both default AnyConnect Client—Connect via either clientless or the AnyConnect client, with a default of AnyConnect. |
Network ACL tab—Lets you select and configure network ACLs to apply to this dynamic access policy. An ACL for a dynamic access policy can contain permit or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance rejects it. |
|
Network ACL |
Lists the Access Control Lists (ACLs) that will be used to restrict user access to the SSL VPN. Click the Select button to open the Access Control Lists Selector from which you can make your selection. The ACL contains conditions that describe a traffic stream of packets, and actions that describe what should occur based on those conditions. Only ACLs having all permit or all deny rules are eligible. |
WebType ACL Tab—Lets you select and configure web-type ACLs to apply to this dynamic access policy. An ACL for a dynamic access policy can contain permit rules or deny rules, but not both. If an ACL contains both permit and deny rules, the security appliance rejects it. |
|
Web Type ACL |
Specifies the WebType access control list that will be used to restrict user access to the SSL VPN. Click the Select button to open the Access Control Lists Selector from which you can make your selection. Only ACLs having all permit or all deny rules are eligible. |
Functions Tab—Lets you configure file server entry and browsing, HTTP proxy, and URL entry for the dynamic access policy. |
|
File Server Browser |
Specify the file server browsing setting to be configured on the portal page: •Unchanged—Uses values from the group policy that applies to this session. •Enable—Enables CIFS browsing for file servers or shares. •Disable—Disables CIFS browsing for file servers or shares. Note Browsing requires NBNS (Master Browser or WINS). If NBNS resolution fails or is not configured, the security appliance falls back to DNS. |
File Server Entry |
Specify the file server entry setting to be configured on the portal page: •Unchanged—Uses values from the group policy that applies to this session. •Enable—Allows a user to enter file server paths and names on the portal page. When enabled, places the file server entry drawer on the portal page. Users can enter pathnames to Windows files directly. They can download, edit, delete, rename, and move files. They can also add files and folders. Shares must also be configured for user access on the applicable Windows servers. Users might have to be authenticated before accessing files, depending on network requirements. •Disable—Prevents a user from entering file server paths and names on the portal page. |
HTTP Proxy |
Specify how you want the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers: •Unchanged—Uses values from the group policy that applies to this session. •Enable—Allows the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's existing proxy configuration and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client-side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer. •Disable—Disables the forwarding of an HTTP applet proxy to the client. •Auto-start—Enables the HTTP proxy and has the DAP record automatically start the applets associated with these features. |
URL Entry |
Using SSL VPN does not ensure that communication with every site is secure. SSL VPN secures only the data transmission between the remote user's PC or workstation and the security appliance on the corporate network. If a user then accesses a non-HTTPS web resource (located on the Internet or on the internal network), the communication from the corporate security appliance to the destination web server is not secured. In a clientless VPN connection, the security appliance acts as a proxy between the end user web browser and target web servers. When a user connects to an SSL-enabled web server, the security appliance establishes a secure connection and validates the server SSL certificate. The end user browser never receives the presented certificate and therefore cannot examine or validate it. The current implementation of SSL VPN does not permit communication with sites that present expired certificates, but the security appliance does not perform trusted CA certificate validation either. Therefore, users cannot analyze the certificate an SSL-enabled web server presents before communicating with it. Specify how the URL entry setting must be configured on the portal page: •Unchanged—Uses values from the group policy that applies to this session. •Enable—Allows a user to enter HTTP/HTTPS URLs on the portal page. If this feature is enabled, users can enter web addresses in the URL entry box, and use clientless SSL VPN to access those websites. •Disable—Prevents a user from entering HTTP/HTTPS URLs on the portal page. Note To limit Internet access for users, select Disable for the URL Entry field. This prevents SSL VPN users from surfing the Web during a clientless VPN connection. |
Port Forwarding Tab—Lets you select and configure port forwarding lists for user sessions. Note Port Forwarding does not work with some SSL/TLS versions. Caution Make sure Sun Microsystems Java Runtime Environment (JRE) 1.4+ is installed on the remote computers to support port forwarding (application access) and digital certificates. |
|
Port Forwarding |
Select an option for the port forwarding lists that apply to this DAP record: •Unchanged—Removes the attributes from the running configuration. •Enable—Enables port forwarding on the device. •Disable—Disables port forwarding on the device. •Auto-start—Enables port forwarding and has the DAP record automatically start the port forwarding applets associated with its port forwarding lists. |
Port Forwarding List |
The Port Forwarding List object that defines the mappings of port numbers on the remote client machine to the application's IP address and port behind the SSL VPN gateway. You can click Select to open the Port Forwarding List Selector from which you can select the required Port Forwarding List from a list of Port Forwarding List objects. |
URL List Tab—Lets you select and configure URL lists for user sessions. A URL List object defines the URLs that are displayed on the portal page after a successful login, to enable users to access the resources available on SSL VPN websites, in Clientless access mode. |
|
Enable URL Lists |
When selected, enables URL lists on the SSL VPN portal page. URL List objects are used in SSL VPNs. They define the URLs that are displayed on the portal page after a successful login, to enable users to access the resources available on SSL VPN websites, in Clientless access mode. |
URL List |
A list of websites that will be displayed on the portal page as a bookmark to enable users to access the resources available on the SSL VPN websites. You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects. |
Action Tab—Specifies special processing to apply to a specific connection or session. |
|
Terminate |
When selected, terminates the session. By default, the access policy attributes are applied to the session and the session continues. |
User Message |
Enter a text message to display on the portal page when this DAP record is selected. Maximum 128 characters. A user message displays as a yellow orb. When a user logs on it blinks three times to attract attention, and then it is still. If several DAP records are selected, and each of them has a user message, all user messages display. Note You can include in such messages URLs or other embedded text, which require that you use the correct HTML tags. |
Use the Add/Edit DAP Entry dialog box to specify the authorization attributes and endpoint attributes for a dynamic access policy. The security appliance selects the dynamic access policy based on the endpoint security information of the remote device and the AAA authorization information for the authenticated user. It then applies the dynamic access policy to the user tunnel or session.
Note For detailed information about dynamic access policy attributes, see Understanding DAP Attributes, page 10-19
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
|
|
---|---|
Criterion |
Select the authorization or endpoint attribute from the list. It serves as the criterion that the security appliance uses for selecting and applying dynamic access policies during session establishment. •AAA Attributes Cisco—Refers to user authorization attributes that are stored in the AAA hierarchical model. See Add/Edit DAP Entry Dialog Box > AAA Attributes Cisco •AAA Attributes LDAP—Refers to the native LDAP response attribute-value pairs that the LDAP client stores in a database associated with the AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA Attributes LDAP. •AAA Attributes RADIUS—Refers to the native RADIUS response attribute-value pairs that the RADIUS client stores in a database associated with the AAA session for the user. See Add/Edit DAP Entry Dialog Box > AAA Attributes RADIUS. •Anti-Spyware—Creates an endpoint attribute of type Anti-Spyware. You can use the Host Scan modules of Cisco Secure Desktop to scan for antispyware applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Anti-Spyware. •Anti-Virus—Creates an endpoint attribute of type Anti-Virus. You can use the Host Scan modules of Cisco Secure Desktop to scan for antivirus applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Anti-Virus. •Application—Indicates the type of remote access connection. See Add/Edit DAP Entry Dialog Box > Application. •File—Creates an endpoint attribute of type File. Filename checking to be performed by Basic Host Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > File. •NAC—Creates an endpoint attribute of type NAC. NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliance checks. We refer to these checks as posture validation. See Add/Edit DAP Entry Dialog Box > NAC. •Operating System—Creates an endpoint attribute of type Operating System. The prelogin assessment module of the CSD can check the remote device for the OS version, IP address, and Microsoft Windows registry keys. See Add/Edit DAP Entry Dialog Box > Operating System. •Personal Firewall—Creates an endpoint attribute of type Personal Firewall. You can use the Host Scan modules of Cisco Secure Desktop to scan for personal firewall applications and updates that are running on the remote computer. See Add/Edit DAP Entry Dialog Box > Personal Firewall. •Policy—Creates an endpoint attribute of type Policy. See Add/Edit DAP Entry Dialog Box > Policy. •Process—Creates an endpoint attribute of type Process. Process name checking to be performed by Basic Host Scan must be explicitly configured using Cisco Secure Desktop Manager. See Add/Edit DAP Entry Dialog Box > Process. •Registry—Creates an endpoint attribute of type Registry. Registry key scans apply only to computers running Microsoft Windows operating systems. See Add/Edit DAP Entry Dialog Box > Registry. |
Description |
Additional information about the dynamic access policy (up to 1024 characters). |
Main tab |
Enables you to add a dynamic access policy entry and set attributes for the access policy depending on the type of remote access that you configure. For a description of the elements on this tab, see Main Tab. |
Logical Operators tab |
Enables you to create multiple instances of each type of endpoint attribute. For a description of the elements on this tab, see Logical Operators Tab. |
Advanced Expressions tab |
Enables you to configure one or more logical expressions to set AAA or endpoint attributes other than what is possible in the AAA and Endpoint areas. For a description of the elements on this tab, see Advanced Expressions Tab. |
To configure AAA attributes as selection criteria for dynamic access policies, in the Add/Edit DAP Entry dialog box, set AAA Attributes Cisco as the selection criterion to be used to select and apply the dynamic access policies during session establishment. You can set these attributes either to match or not match the value you enter. There is no limit for the number of AAA attributes for each dynamic access policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes Cisco as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
|
|
---|---|
Criterion |
Shows AAA Attributes Cisco as the selection criterion. |
Class |
Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the name of the AAA server group associated with the user. The maximum length is 64 characters. AAA server groups represent collections of authentication servers focused on enforcing specific aspects of your overall network security policy. |
IP Address |
Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the assigned IP address. Addresses are predefined network objects. You can also click Select to open a dialog box that lists all available network hosts, and in which you can create or edit network host objects. |
Member-of |
Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter a comma-separated string of group policy names that apply to the user. This attribute lets you indicate multiple group membership. The maximum length is 128 characters. |
Username |
Select the check box, then select the matching criteria (for example, is) from the drop-down list, and enter the username of the authenticated user. A maximum of 64 characters is allowed. |
Connection Profiles |
Select the check box, then select the matching criteria (for example, is) from the drop-down list, and select the connection profile from a list of all the SSL VPN Connection Profile policies defined on the security appliance. An SSL VPN connection profile comprises a set of records that contain VPN tunnel connection profile policies, including the attributes that pertain to creating the tunnel itself. Note For a description of the procedure to configure an SSL VPN Connection Profiles policy, see Configuring Connection Profiles (ASA), page 10-16. |
The LDAP client stores all native LDAP response attribute-value pairs in a database associated with the AAA session for the user. The LDAP client writes the response attributes to the database in the order in which it receives them. Once an attribute with a given name has been stored, the client discards any subsequent attribute with that same name. This scenario might occur when a user record and a group record are both read from the LDAP server. The user record attributes are read first, and therefore always have priority over group record attributes.
To support Active Directory group membership, the AAA LDAP client provides special handling of the LDAP memberOf response attribute. The AD memberOf attribute specifies the DN string of a group record in AD. The name of the group is the first CN value in the DN string. The LDAP client extracts the group name from the DN string and stores it as the AAA memberOf attribute, and in the response attribute database as the LDAP memberOf attribute. If there are additional memberOf attributes in the LDAP response message, then the group name is extracted from those attributes and is combined with the earlier AAA memberOf attribute to form a comma separated string of group names, also updated in the response attribute database.
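The following is an added example, not code from Cisco Security Manager or the ASA, that models the two behaviors described above: first-wins handling of duplicate LDAP response attributes, and extraction of the first CN value from each memberOf DN into a comma-separated AAA memberOf string. The response attributes and DN values are constructed sample data, and the `is_member_of` helper shows why a DAP Member-of criterion has to be matched against the individual group names rather than the whole string.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample LDAP response: user record attributes arrive first,
# then a group record that repeats "department" with a different value.
SAMPLE_RESPONSE: List[Tuple[str, str]] = [
    ("sAMAccountName", "jdoe"),
    ("memberOf", "CN=VPN-Users,OU=Groups,DC=example,DC=com"),
    ("memberOf", "CN=Finance,OU=Groups,DC=example,DC=com"),
    ("department", "Finance"),   # from the user record: kept
    ("department", "Shared"),    # from the group record: discarded (first wins)
]


def first_cn(dn: str) -> str:
    """Return the value of the first CN RDN in an LDAP DN, or '' if there is none.
    Commas escaped as '\\,' inside a value (RFC 4514 style) do not split the RDN."""
    for rdn in re.split(r'(?<!\\),', dn):
        name, sep, value = rdn.strip().partition('=')
        if sep and name.strip().lower() == 'cn':
            return value.strip().replace('\\,', ',')
    return ''


def build_aaa_attributes(response: List[Tuple[str, str]]) -> Dict[str, str]:
    """Build the per-session attribute database from the response, in arrival order.
    memberOf values are reduced to their group names and joined with commas;
    every other attribute keeps only the first value received for its name."""
    db: Dict[str, str] = {}
    groups: List[str] = []
    for name, value in response:
        if name.lower() == 'memberof':
            group = first_cn(value)
            if group:
                groups.append(group)
            continue
        db.setdefault(name, value)          # later duplicates are discarded
    if groups:
        db['memberOf'] = ','.join(groups)   # the AAA memberOf attribute
    return db


def is_member_of(db: Dict[str, str], group: str) -> bool:
    """Exact match against one group name in the comma-separated memberOf string."""
    return group in db.get('memberOf', '').split(',')


if __name__ == "__main__":
    attrs = build_aaa_attributes(SAMPLE_RESPONSE)
    print(attrs)
    print("Finance member:", is_member_of(attrs, "Finance"))
```

Because the memberOf string is a comma-joined list, a substring test would let a group such as Fin match Finance; the helper splits on commas and compares whole names.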
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes LDAP as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
The RADIUS client stores all native RADIUS response attribute value pairs in a database associated with the AAA session for the user. The RADIUS client writes the response attributes to the database in the order in which it receives them. It discards all subsequent attributes with that name. This scenario might occur when a user record and a group record are both read from the RADIUS server. The user record attributes are read first, and always have priority over group record attributes.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select AAA Attributes RADIUS as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
You can use the Host Scan feature of Cisco Secure Desktop to enable Endpoint Assessment, a scan for antivirus, personal firewall, and antispyware applications and updates that are running on the remote computer. Following the configuration of the prelogin policies and host scan options, you can configure a match of any one or any combination of the Host Scan results to assign a dynamic access policy following the user login.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Anti-Spyware as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
You can configure a scan for antivirus applications and updates as a condition for the completion of a Cisco AnyConnect or clientless SSL VPN connection. Following the prelogin assessment, Cisco Secure Desktop loads Endpoint Assessment checks and reports the results back to the security appliance for use in assigning a dynamic access policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Anti-Virus as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Use this dialog box to indicate the type of remote access connection as the endpoint attribute for the dynamic access policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Application as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
The DAP Device Criterion lets you provide specific device information for use during the associated prelogin policy checking. You can provide one or more of the following attributes for a device—host name, MAC address, port number, Privacy Protection selection—and indicate whether each is or isn't to be matched.
Note that isn't is exclusionary. For example, if you specify the criterion Host Name isn't zulu_2, all devices not named zulu_2 will match.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Choose Device as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
The file criterion prelogin check lets you specify that a certain file must or must not exist to be eligible for the associated prelogin policy. For example, you might want to use a file prelogin check to ensure a corporate file is present or one or more peer-to-peer file-sharing programs containing malware are not present before assigning a prelogin policy.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select File as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
NAC protects the enterprise network from intrusion and infection from worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as a condition for production access to the network. We refer to these checks as posture validation. You can configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on a host with an AnyConnect or Clientless SSL VPN session are up-to-date before providing access to vulnerable hosts on the intranet. Posture validation can include the verification that the applications running on the remote hosts are updated with the latest patches. NAC occurs only after user authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement, such as home PCs. The security appliance uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate the posture of remote hosts.
The establishment of a tunnel between the endpoint and the security appliance triggers posture validation. You can configure the security appliance to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server, such as a Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it may challenge the host to determine whether its virus checking software is active and up-to-date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select NAC as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
The prelogin assessment includes a check for the OS attempting to establish a VPN connection. When the user attempts to connect, however, Cisco Secure Desktop checks for the OS, regardless of whether you insert an OS prelogin check.
If the prelogin policy assigned to the connection has Secure Desktop (Secure Session) enabled and if the remote PC is running Microsoft Windows XP or Windows 2000, it installs Secure Session, regardless of whether you insert an OS prelogin check. If the prelogin policy has Secure Desktop enabled and the operating system is Microsoft Windows Vista, Mac OS X 10.4, or Linux, Cache Cleaner runs instead. Therefore, you should make sure the Cache Cleaner settings are appropriate for a prelogin policy on which you have configured Secure Desktop or Cache Cleaner to install. Although Cisco Secure Desktop checks for the OS, you may want to insert an OS prelogin check as a condition for applying a prelogin policy to isolate subsequent checks for each OS.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Operating System as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
You can click Host Scan in the Cisco Secure Desktop interface to enable Endpoint Assessment, a scan for personal firewalls that are running on the remote computer. Most, but not all, personal firewall programs support active scan, which means that the programs are memory-resident, and therefore always running.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Personal Firewall as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Windows locations let you determine how clients connect to your virtual private network, and protect it accordingly. For example, clients connecting from within a workplace LAN on a 10.x.x.x network behind a NAT device are an unlikely risk for exposing confidential information. For these clients, you might set up a Cisco Secure Desktop Windows Location named Work that is specified by IP addresses on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop function for this location. Cisco Secure Desktop checks locations in the order listed on the Windows Location Settings window, and grants privileges to client PCs based on the first location definition they match.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Policy as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
You can specify a set of process names, which form a part of Basic Host Scan. The host scan, which includes Basic Host Scan and Endpoint Assessment, or Advanced Endpoint Assessment; occurs after the prelogin assessment but before the assignment of a dynamic access policy. Following the Basic Host Scan, the security appliance uses the login credentials, the host scan results, prelogin policy, and other criteria you configure to assign a DAP.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Process as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Registry key scans apply only to computers running Microsoft Windows operating systems. Basic Host Scan ignores registry key scans if the computer is running Mac OS or Linux.
Note Duplicate entries are not allowed. If you configure a dynamic access policy with no AAA or endpoint attributes, the security appliance always selects it since all selection criteria are satisfied.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box with the Main tab selected, then click Create, or select a dynamic access policy in the table and click Edit. The Add/Edit DAP Entry dialog box is displayed. Select Registry as the Criterion.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Use the Logical Operators tab of the Add/Edit Dynamic Access Policy dialog box to configure multiple instances of the AAA and each type of endpoint attribute that you defined in the DAP Entry dialog box. On this tab, set each type of endpoint or AAA attribute to require only one instance of a type (Match Any = OR) or to have all instances of a type (Match All = AND).
•If you configure only one instance of an endpoint category, you do not need to set a value.
•For some endpoint attributes, it is not useful to configure multiple instances. For example, no users have more than one running OS.
•You are configuring the Match Any/Match All operation within each endpoint type. The security appliance evaluates each type of endpoint attribute, and then performs a logical AND operation on all of the configured endpoints. That is, each user must satisfy the conditions of ALL of the endpoints you configure, as well as the AAA attributes.
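The following Python is an added example, not Cisco Security Manager or ASA code. It models the DAP selection described above and in the Process and Registry criteria sections: within each endpoint attribute type the instances are combined with Match Any (OR) or Match All (AND), the per-type results and the AAA attributes are then combined with a logical AND, and a DAP with no AAA or endpoint criteria is always selected. The attribute names, the host scan record format and all sample values are constructed for this example.

```python
"""Evaluate dynamic access policies (DAPs) against AAA and host scan data.

Added example (not Cisco Security Manager or ASA code). The attribute
names, the host scan record format and the sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EndpointCriterion:
    """One instance of an endpoint attribute (a Process or Registry check, for example)."""
    attr_type: str   # endpoint attribute type, e.g. "process", "registry", "os"
    name: str        # process name, registry key path, OS name, ...
    value: str = ""  # expected value; empty means presence alone satisfies the criterion


@dataclass
class DynamicAccessPolicy:
    name: str
    aaa_attrs: dict = field(default_factory=dict)   # AAA attribute -> required value
    endpoint: list = field(default_factory=list)    # list of EndpointCriterion
    # attr_type -> True for Match All (AND), False (or absent) for Match Any (OR)
    match_all: dict = field(default_factory=dict)


def criterion_satisfied(crit, host_scan):
    """host_scan maps attr_type -> {name: value} as reported by Basic Host Scan.

    A Mac OS or Linux host reports no "registry" entries, so a registry
    criterion can never be satisfied on such a host.
    """
    found = host_scan.get(crit.attr_type, {})
    if crit.name not in found:
        return False
    return crit.value == "" or found[crit.name] == crit.value


def dap_matches(dap, aaa_session, host_scan):
    """Return True when this DAP's selection criteria are all satisfied."""
    if not dap.aaa_attrs and not dap.endpoint:
        return True  # no selection criteria at all: always selected
    # Every configured AAA attribute must match the session.
    for attr, expected in dap.aaa_attrs.items():
        if aaa_session.get(attr) != expected:
            return False
    # Group endpoint criteria by type; apply Match Any / Match All within a type.
    by_type = {}
    for crit in dap.endpoint:
        by_type.setdefault(crit.attr_type, []).append(crit)
    for attr_type, crits in by_type.items():
        results = [criterion_satisfied(c, host_scan) for c in crits]
        type_ok = all(results) if dap.match_all.get(attr_type, False) else any(results)
        if not type_ok:
            return False  # the types themselves are combined with AND
    return True


def select_daps(daps, aaa_session, host_scan):
    """Names of all DAPs whose criteria the session and host scan satisfy."""
    return [d.name for d in daps if dap_matches(d, aaa_session, host_scan)]


# Constructed sample data (not captured from a real device).
SAMPLE_HOST_SCAN = {
    "os": {"Windows": ""},
    "process": {"antivirus.exe": "", "firewall.exe": ""},
    "registry": {r"HKLM\SOFTWARE\Example\Compliance\Enabled": "1"},
}
SAMPLE_AAA = {"ldap.memberOf": "VPN-Users"}

SAMPLE_DAPS = [
    DynamicAccessPolicy(name="NoCriteria"),  # always selected
    DynamicAccessPolicy(
        name="Compliant-Windows",
        aaa_attrs={"ldap.memberOf": "VPN-Users"},
        endpoint=[
            EndpointCriterion("process", "antivirus.exe"),
            EndpointCriterion("process", "firewall.exe"),
            EndpointCriterion("registry", r"HKLM\SOFTWARE\Example\Compliance\Enabled", "1"),
        ],
        match_all={"process": True},  # both processes must be running (Match All)
    ),
    DynamicAccessPolicy(
        name="Any-Security-Agent",
        endpoint=[
            EndpointCriterion("process", "antivirus.exe"),
            EndpointCriterion("process", "edr_agent.exe"),
        ],
        match_all={"process": False},  # either process is enough (Match Any)
    ),
    DynamicAccessPolicy(name="Admins-Only", aaa_attrs={"ldap.memberOf": "VPN-Admins"}),
]

if __name__ == "__main__":
    print(select_daps(SAMPLE_DAPS, SAMPLE_AAA, SAMPLE_HOST_SCAN))
```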
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, then click the Logical Operators tab.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Use the Advanced Expressions tab of the Add/Edit Dynamic Access Policy dialog box to set additional attributes for the dynamic access policy. You can configure multiple instances of each type of endpoint attribute. Be aware that this is an advanced feature that requires knowledge of Lua (www.lua.org).
Note For detailed information about advanced expressions, see "About Advanced Expressions for AAA or Endpoint attributes" in Understanding DAP Attributes, page 10-19 and "Examples of DAP Logical Expressions" in Understanding DAP Attributes, page 10-19.
Navigation Path
Open the Add/Edit Dynamic Access Policy Dialog Box, then click the Advanced Expressions tab.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Using the Cisco Secure Desktop Manager (CSDM) Policy Editor dialog box, you can configure prelogin policies, specify the checks to be performed between the time the user establishes a connection with the security appliance and the time the user enters the login credentials, and configure host scans.
Note For more information about configuring CSD, see the materials available online at http://www.cisco.com/en/US/products/ps6742/tsd_products_support_configure.html.
Navigation Path
Open the Dynamic Access Page (ASA), then click Configure from the Cisco Secure Desktop section. The CSDM Policy Editor dialog box is displayed.
Related Topics
•Understanding DAP Attributes, page 10-19
•Configuring DAP Attributes, page 10-23
•Configuring Dynamic Access Policies, page 10-18
Field Reference
Use the Global Settings page to define global settings for IKE, IPsec, NAT, and fragmentation that apply to devices in your remote access VPN.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > Global Settings from the Policy selector.
Note You can also open the VPN Global Settings page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Element | Description |
---|---|
ISAKMP/IPsec Settings tab | Enables you to specify global settings for IKE and IPsec. For a description of the elements on this tab, see ISAKMP/IPsec Settings Tab. |
NAT Settings tab | Enables you to specify global Network Address Translation (NAT) settings to enable devices that use internal IP addresses to send and receive data through the Internet. For a description of the elements on this tab, see NAT Settings Tab. |
General Settings tab | Enables you to define fragmentation settings and other global settings on devices in your remote access VPN. For a description of the elements on this tab, see General Settings Tab. |
Use the ISAKMP/IPsec Settings tab of the VPN Global Settings page to specify global settings for IKE and IPsec.
Navigation Path
Open the Global Settings Page, or click the ISAKMP/IPsec Settings tab from any other tab in the VPN Global Settings page.
Related Topics
•Understanding Remote Access VPN Global Settings, page 10-27
•Configuring Remote Access VPN Global Settings, page 10-27
•Understanding IPsec Tunnel Policies, page 9-48
•Understanding ISAKMP/IPsec Settings, page 9-52
Field Reference
Element | Description |
---|---|
ISAKMP Settings | |
Enable Keepalive | When selected, enables you to configure IKE keepalive as the default failover and routing mechanism for your devices. |
Interval (seconds) | The number of seconds that a device waits between sending IKE keepalive packets. The default is 10 seconds. |
Retry (seconds) | The number of seconds a device waits between attempts to establish an IKE connection with the remote peer. The default is 2 seconds. |
Periodic | Available only if Enable Keepalive is selected and supported on routers running IOS version 12.3(7)T and later, except 7600 devices. When selected, enables you to send dead-peer detection (DPD) keepalive messages even if there is no outbound traffic to be sent. Usually, DPD keepalive messages are sent between peer devices only when no incoming traffic is received but outbound traffic needs to be sent. For more information, see Understanding ISAKMP/IPsec Settings, page 9-52. |
Identity | During Phase I IKE negotiations, peers must identify themselves to each other. Select to use the IP address or the host name that the device will use to identify itself in IKE negotiations. You can also select a distinguished name (DN) to identify a user group name. |
SA Requests System Limit | Supported on routers running Cisco IOS Release 12.3(8)T and later, except 7600 routers. The maximum number of SA requests allowed before IKE starts rejecting them. You can enter a value in the range of 0-99999. Note Make sure the value you enter equals or exceeds the number of peers connected to the device. |
SA Requests System Threshold | Supported on Cisco IOS routers and Catalyst 6500 /7600 devices. The percentage of system resources that can be used before IKE starts rejecting new SA requests. |
IPsec Settings | |
Enable Lifetime | Select to enable you to configure the global lifetime settings for the crypto IPsec SAs on the devices in your remote access VPN. |
Lifetime (secs) | The number of seconds a security association will exist before expiring. The default is 3,600 seconds (1 hour). |
Lifetime (kbytes) | The volume of traffic (in kilobytes) that can pass between IPsec peers using a given security association before it expires. The default is 4,608,000 kilobytes. |
Xauth Timeout (seconds) | Supported on Cisco IOS routers and Catalyst 6500 /7600 devices. The number of seconds the device will wait for a system response to the Xauth challenge. When negotiating tunnel parameters for establishing IPsec tunnels in a remote access configuration, Xauth adds another level of authentication that identifies the user who requests the IPsec connection. Using the Xauth feature, the client waits for a "username/password" challenge after the IKE SA was established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication. |
Max Sessions | Supported on PIX 7.0 and ASA devices. The maximum number of SAs that can be enabled simultaneously on the device. |
Enable IPsec via Sysopt (PIX and ASA only) | Supported on ASA devices, and PIX Firewalls versions 6.3 or 7.0. When selected (the default), specifies that any packet that comes from an IPsec tunnel is implicitly trusted (permitted). |
Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
Use the NAT Settings tab of the Global Settings page to define global Network Address Translation (NAT) settings that enable devices that use internal IP addresses to send and receive data through the Internet.
Navigation Path
Open the Global Settings Page, then click the NAT Settings tab.
Related Topics
•Understanding Remote Access VPN Global Settings, page 10-27
•Configuring Remote Access VPN Global Settings, page 10-27
Field Reference
Element | Description |
---|---|
Enable Traversal Keepalive | When selected, enables you to configure NAT traversal keepalive on a device. NAT traversal keepalive is used for the transmission of keepalive messages when there is a device (middle device) located between a VPN-connected hub and spoke, and that device performs NAT on the IPsec flow. Note On Cisco IOS routers, NAT traversal is enabled by default. If you want to disable the NAT traversal feature, you must do this manually on the device or using a FlexConfig (see Chapter 18, "Managing FlexConfigs"). For more information, see Understanding NAT, page 9-53. |
Interval | Available when NAT Traversal Keepalive is enabled. The interval, in seconds, between the keepalive signals sent between the spoke and the middle device to indicate that the session is active. The NAT keepalive value can be from 5 to 3600 seconds. The default is 10 seconds. |
Enable Traversal over TCP | Supported on PIX 7.0 and ASA devices. When selected, encapsulates both the IKE and IPsec protocols within a TCP packet and enables secure tunneling through both NAT and PAT devices and firewalls. |
TCP Ports | Available only when Enable Traversal over TCP is selected. The TCP ports for which you want to enable NAT traversal. You must configure TCP ports on the remote clients and on the VPN device. The client configuration must include at least one of the ports you set for the security appliance. You can enter up to 10 ports. |
Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
Use the General Settings tab of the Global Settings page to define fragmentation settings and other global settings on devices in your remote access VPN.
Navigation Path
Open the Global Settings Page, then click the General Settings tab.
Related Topics
•Understanding Fragmentation, page 9-54
•Understanding Remote Access VPN Global Settings, page 10-27
•Configuring Remote Access VPN Global Settings, page 10-27
Field Reference
On the Group Policies page, you can view the user group policies defined for your ASA SSL VPN connection profile. From this page, you can specify new ASA user groups and edit existing ones.
Tip Dynamic Access policies take precedence over Group policies. If a setting is not specified in a Dynamic Access policy, an ASA device checks for Group policies that specify the setting.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > Group Policies from the Policy selector.
Related Topics
•Creating ASA User Group Objects, page 8-28
Field Reference
Element | Description |
---|---|
Group Policy | The name of the ASA user group assigned to the SSL VPN connection profile. |
Type | Indicates whether the user groups are assigned to your remote access VPN server, SSL VPN connection profile, or both. |
Protocol | Indicates the protocol type for the group: IPsec, SSL, or both. |
Create button | ASA user groups are predefined objects. Click to open a dialog box from which you can select a user group from a list of predefined ASA user group objects, or create new ones. See Create/Edit Group Policies Dialog Box. |
Edit button | Select the row of an ASA user group policy in the table, then click to edit its properties. See Create/Edit Group Policies Dialog Box. |
Delete button | Select the rows of one or more ASA user groups, then click to remove them from the list. |
Use the Create/Edit Group Policies dialog box to specify the user groups you want to use for your remote access IPSec VPN server.
Navigation Path
Open the Group Policies Page, then click Create, or select a group policy in the table and click Edit. The Create/Edit Group Policies dialog box is displayed.
Related Topics
•Understanding Group Policies (ASA), page 10-29
•Creating Group Policies (ASA), page 10-30
•Creating User Group Objects, page 8-94
Field Reference
Element | Description |
---|---|
Available ASA User Groups | Lists the predefined ASA user groups available for selection. Select the required ASA user group in the list. The selected user group is displayed in the Selected field. ASA user groups are predefined objects. If the required user group is not included in the list, click Create to open the Add ASA User Group dialog box that enables you to create or edit an ASA user group object. |
Filter | Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 2-16. |
Selected | The selected ASA user group. |
Create button | Opens the Add ASA User Group dialog box for creating an ASA user group object. See ASA Group Policies Dialog Box, page F-25. |
Edit button | Opens the Edit ASA User Group dialog box for modifying an ASA user group object. See ASA Group Policies Dialog Box, page F-25. |
Use the Public Key Infrastructure page to select the CA servers to use for creating a Public Key Infrastructure (PKI) policy for generating enrollment requests for CA certificates.
Note To save the RSA key pairs and the CA certificates permanently to flash memory on a PIX Firewall version 6.3 between reloads, you must configure the ca save all command. You can do this manually on the device or using a FlexConfig (see Chapter 18, "Managing FlexConfigs").
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > Public Key Infrastructure from the Policy selector.
Note You can also open the Public Key Infrastructure page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Understanding Public Key Infrastructure Policies, page 9-57
•Configuring Public Key Infrastructure Policies, page 10-32
•Configuring Public Key Infrastructure Policies, page 9-61
•Creating PKI Enrollment Objects, page 8-69
Field Reference
Element | Description |
---|---|
Available CA Servers | Lists the CA servers available for selection. Select the required CA servers and click >>. CA servers are defined as PKI enrollment objects that contain server information and enrollment parameters required for creating enrollment requests for CA certificates. If the required CA server is not included in the list, click Create to open the PKI Enrollment Dialog Box, page F-142 that enables you to create a PKI enrollment object. You can also edit the properties of a CA server by selecting it and clicking Edit. Note When creating or editing a PKI enrollment object, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment Editor dialog box. In addition, the certificate issued to the client should have OU as the name of the user group. For more information, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page F-150. |
Selected CA Servers | The selected CA servers. To remove a CA server from this list, select it and click <<. You can select more than one CA server at a time. |
>> button | Click to move one or more selected CA servers from the Available CA Servers list to the Selected CA Servers list. |
<< button | Click to move one or more selected CA servers from the Selected CA Servers list to the Available CA Servers list. |
Use the Policies page to configure the matching policies for any remote client connecting to the device.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Policies from the Policy selector.
Note You can also open the Certificate to Connection Profile Maps > Policies page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Understanding Certificate to Connection Profile Map Policies (ASA), page 10-33
•Configuring Certificate to Connection Profile Map Policies (ASA), page 10-34
Field Reference
Use the Rules page to configure the matching rules and parameters for any remote client connecting to the device.
Note A connection profile must exist in the configuration before you can create and map a matching rule to it. If you unassign a connection profile after creating a matching rule, the rules that are mapped to the connection profile are unassigned. See Configuring Connection Profiles (ASA), page 10-16.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > IPSec VPN > Certificate to Connection Profile Maps > Rules from the Policy selector.
Note You can also open the Rules page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Understanding Certificate to Connection Profile Map Rules (ASA), page 10-35
•Configuring Certificate to Connection Profile Map Rules (ASA), page 10-35
Field Reference
Element | Description |
---|---|
Mapped to Connection Profile | The connection profile to which the matching rule is mapped. |
Priority | The priority number of the matching rule. A lower number has higher priority. |
Create button | Click to open the dialog box for creating a matching rule. The Map Rule dialog box appears. See Map Rule Dialog Box (Upper Pane). |
Edit button | Select the row of a DN matching rule from the upper pane, then click to open the dialog box for editing the selected DN matching rule. See Map Rule Dialog Box (Upper Pane). |
Delete button | Select the rows of one or more rules, then click to delete. |
Field | The specified field of the matching rule. The certificate field can be either Subject or Issuer. |
Component | The matching component of the certificate for the matching rule. |
Operator | The operator of the matching rule. |
Value | The value of the matching rule. The displayed value must match the value in the client certificate. |
Create button | Click to open the Map Rule dialog box for creating a matching rule. See Map Rule Dialog Box (Lower Pane). |
Edit button | Select the row of a DN matching rule from the lower pane, then click to open the dialog box for editing the selected DN matching rule. See Map Rule Dialog Box (Lower Pane). |
Delete button | Select the rows of one or more rules, then click to delete. |
Default Connection Profile | Select the default connection profile to be used if no matching rules are found. |
Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
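The following Python is an added example, not Cisco Security Manager or ASA code. It models how the rules described on this page select a connection profile for a client certificate: rules are tried in priority order (lower number first), each rule holds one or more Field/Component/Operator/Value criteria that must all match, the first matching rule's connection profile is used, and the default connection profile applies when no rule matches. The operator set (eq, ne, co, nc), the AND combination of a rule's criteria, case-insensitive comparison, the DN string format and all sample values are assumptions for this example.

```python
"""Select a connection profile from certificate-to-connection-profile map rules.

Added example (not Cisco Security Manager or ASA code). The operator set,
the DN string format and the sample certificates and rules are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    """One lower-pane entry of a matching rule."""
    field: str      # "Subject" or "Issuer"
    component: str  # DN component, e.g. "CN", "OU", "O"
    operator: str   # assumed set: "eq" equals, "ne" not equal, "co" contains, "nc" does not contain
    value: str      # value the client certificate component is compared with


@dataclass
class MapRule:
    """One upper-pane matching rule: priority, mapped profile, and its criteria."""
    priority: int
    profile: str
    criteria: list  # list of Criterion; all must match (assumption)


def parse_dn(dn):
    """Parse 'CN=alice,OU=Eng,O=Example' into {'CN': 'alice', 'OU': 'Eng', 'O': 'Example'}.

    Component names are upper-cased. A component that appears more than once
    keeps its first value. Escaped commas are not handled (the constructed
    sample DNs contain none).
    """
    out = {}
    for part in dn.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        out.setdefault(key.strip().upper(), value.strip())
    return out


def criterion_matches(crit, cert):
    """cert is a dict with 'subject' and 'issuer' DN strings."""
    dn = parse_dn(cert[crit.field.lower()])
    actual = dn.get(crit.component.upper(), "").lower()  # absent component compares as ""
    expected = crit.value.lower()
    if crit.operator == "eq":
        return actual == expected
    if crit.operator == "ne":
        return actual != expected
    if crit.operator == "co":
        return expected in actual
    if crit.operator == "nc":
        return expected not in actual
    raise ValueError(f"unknown operator {crit.operator!r}")


def rule_matches(rule, cert):
    return all(criterion_matches(c, cert) for c in rule.criteria)


def select_profile(rules, cert, default_profile):
    """Return (profile, matched_rule); matched_rule is None when the default applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, cert):
            return rule.profile, rule
    return default_profile, None


# Constructed sample data (not from a real device or CA).
SAMPLE_CERT = {
    "subject": "CN=alice,OU=Engineering,O=Example Corp",
    "issuer": "CN=Example Issuing CA,O=Example Corp",
}
SAMPLE_RULES = [
    MapRule(priority=20, profile="Engineering-Profile", criteria=[
        Criterion("Subject", "OU", "eq", "Engineering"),
        Criterion("Issuer", "CN", "co", "Example Issuing CA"),
    ]),
    MapRule(priority=10, profile="Contractor-Profile", criteria=[
        Criterion("Subject", "OU", "eq", "Contractors"),
    ]),
    MapRule(priority=30, profile="Corp-Profile", criteria=[
        Criterion("Issuer", "O", "eq", "Example Corp"),
    ]),
]
DEFAULT_PROFILE = "Default-Profile"

if __name__ == "__main__":
    profile, rule = select_profile(SAMPLE_RULES, SAMPLE_CERT, DEFAULT_PROFILE)
    print(profile, rule.priority if rule else None)
```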
You can create a map rule or edit an existing one in the Map Rule dialog box.
Navigation Path
On the Certificate to Connection Profile Maps > Rules Page, click Create in the upper pane or select a row in the upper table and click Edit.
Related Topics
•Certificate to Connection Profile Maps > Rules Page
•Map Rule Dialog Box (Lower Pane)
Field Reference
You can create a map rule or edit an existing one in the Map Rule dialog box (lower pane).
Navigation Path
On the Certificate to Connection Profile Maps > Rules Page, click Create in the lower pane or select a row in the lower table and click Edit.
Related Topics
•Certificate to Connection Profile Maps > Rules Page
•Map Rule Dialog Box (Upper Pane)
Field Reference
Use the High Availability page to configure a High Availability (HA) policy on a Cisco IOS router or Cisco Catalyst switch in a remote access VPN.
Navigation Path
1. In Device View, select an IOS or Catalyst device.
2. Select Remote Access VPN > IPSec VPN > High Availability from the Policy selector.
Note You can also open the High Availability page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Understanding High Availability in Remote Access VPNs (IOS), page 10-40
•Configuring a High Availability Policy, page 10-41
Field Reference
Element | Description |
---|---|
Inside Virtual IP | The IP address that will be shared by the hubs in the HA group and will represent the inside interface of the HA group. The virtual IP address must be on the same subnet as the inside interfaces of the hubs in the HA group. Note You must provide an inside virtual IP that matches the subnet of one of the interfaces on the device, in addition to a VPN virtual IP that matches the subnet of one of the device's interfaces and is configured with an IPsec proposal; otherwise an error is displayed. Note If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device. You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated. |
Inside Mask | The subnet mask for the inside virtual IP address. |
VPN Virtual IP | The IP address that will be shared by the hubs in the HA group and will represent the VPN interface of the HA group. This IP address will serve as the hub endpoint of the VPN tunnel. You can choose the required IP address by clicking Select. The Network/Hosts selector opens, in which you can select a network from which the IP address will be allocated. Note If there is an existing standby group on the device, make sure that the IP address you provide is different from the virtual IP address already configured on the device. |
VPN Mask | The subnet mask for the VPN virtual IP address. |
Hello Interval | The duration in seconds (within the range of 1-254) between each hello message sent by a hub to the other hubs in the group to indicate status and priority. The default is 5 seconds. |
Hold Time | The duration in seconds (within the range of 2-255) that a standby hub will wait to receive a hello message from the active hub before concluding that the hub is down. The default is 15 seconds. |
Standby Group Number (Inside) | The standby number of the inside hub interface that matches the internal virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 1. |
Standby Group Number (Outside) | The standby number of the outside hub interface that matches the external virtual IP subnet for the hubs in the HA group. The number must be within the range of 0-255. The default is 2. Note The outside standby group number must be different from the inside standby group number. |
Failover Server | The IP address of the inside interface of the remote peer device. You can click Select to open the Network/Hosts Selector, from which you can select a host from which the IP address of the remote peer will be allocated. |
Enable Stateful Failover | When selected, enables SSO for stateful failover. Note In an Easy VPN topology, this check box appears selected and disabled, as stateful failover must always be configured. You can only configure stateful failover on an HA group that contains two hubs that are Cisco IOS routers. This check box is disabled if the HA group contains more than two hubs. Note When deselected in a Regular IPsec topology, stateless failover is configured on the HA group. Stateless failover will also be configured if the HA group contains more than two hubs. Stateless failover can be configured on Cisco IOS routers or Catalyst 6500/7600 devices. For more information, see Understanding High Availability, page 9-39. |
Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
Use the IKE Proposal page to select the IKE proposals to use for your remote access VPN server.
Navigation Path
1. In Device View, select a device.
2. Select Remote Access VPN > IKE Proposal from the Policy selector.
Note You can also open the IKE Proposal page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Remote Access VPN Configuration Wizard
•Understanding IKE Proposals in Remote Access VPNs, page 10-36
•Configuring IKE Proposals on a Remote Access VPN Server, page 10-36
•Creating IKE Proposal Objects, page 8-32
Field Reference
Element | Description |
---|---|
Available IKE Proposals | Lists the predefined IKE proposals available for selection. Select the required IKE proposals and click >>. IKE proposals are predefined objects. If the required IKE proposal is not included in the list, click Create to open the Add or Edit IKE Proposal Dialog Box, page F-53 that enables you to create or edit an IKE proposal object. |
Selected IKE Proposals | Lists the selected IKE proposals. To remove an IKE proposal from this list, select it and click <<. To modify the properties of an IKE proposal, select it and click Edit. |
>> button | Click to move a selected IKE proposal from the Available IKE Proposals list to the Selected IKE Proposals list. |
<< button | Click to move a selected IKE proposal from the Selected IKE Proposals list back to the Available IKE Proposals list. |
Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
An IPsec proposal defines the external interface through which remote access clients connect to the server, and the encryption and authentication algorithms used to protect the data in the VPN tunnel.
Use the IPsec Proposal page to create or edit IPsec policy definitions for your remote access VPN. For more information on IPsec proposals, see Understanding IPsec Tunnel Policies, page 9-48 and About Crypto Maps, page 9-49.
Navigation Path
1. In Device View, select a device.
2. Select Remote Access VPN > IPsec Proposal from the Policy selector.
Note You can also open the IPsec Proposal page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Understanding IPsec Proposals in Remote Access VPNs, page 10-37
•Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-38
•Defining Accounts and Credential Policies, page 13-48
•Remote Access VPN Configuration Wizard
•IPsec Proposal Editor Dialog Box (for PIX and ASA Devices)
•IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)
Field Reference
Element | Description |
---|---|
Endpoint | The external interface (or inside VLAN for a Catalyst 6500/7600 device) through which remote access clients will connect to the server. |
Transform Sets | The transform set(s) selected for the policy (the default is tunnel_3des_sha). Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. |
RRI | Shows whether Reverse Route Injection (RRI) is enabled or disabled on the crypto map for the support of VPN clients. For more information, see About Reverse Route Injection, page 9-50. |
AAA Authorization | If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the name of the server groups selected to perform AAA authorization. |
AAA Authentication | If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows the name of the server groups selected to perform AAA authentication. |
VRF | If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows whether VRF is enabled or disabled. |
DVTI | If a Cisco IOS router or Catalyst 6500/7600 device is selected, shows whether DVTI is enabled or disabled. |
Create button | Click to open the IPsec Proposal Editor dialog box to create an IPsec proposal. If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices). If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices). |
Edit button | Select the row of a proposal from the table, then click to open the IPsec Proposal Editor dialog box to edit the selected proposal. If the device is a PIX Firewall or ASA device, see IPsec Proposal Editor Dialog Box (for PIX and ASA Devices). If the device is a Cisco IOS router or Catalyst 6500/7600, see IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices). |
Delete button | Select the rows of one or more proposals, then click to delete. |
Save button | Available only if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
The elements in this dialog box differ according to the selected device. Table H-62 describes the elements in the IPsec Proposal Editor dialog box when a PIX 7.0 or ASA device is selected.
Note For a description of the elements in the dialog box when a Cisco IOS router or Catalyst 6500/7600 is selected, see Table H-63.
Navigation Path
Open the IPsec Proposal Page, then click Create, or select a proposal from the list and click Edit.
Related Topics
•Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-38
•Understanding IPsec Tunnel Policies, page 9-48
•Creating Interface Role Objects, page 8-34
•Creating AAA Server Group Objects, page 8-22
Field Reference
Element | Description |
---|---|
External Interface | The external interface (endpoint) through which remote access clients connect to the server. An endpoint can be an interface or a set of interfaces that are defined by a particular interface role. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects. |
Transform Sets | The transform set or sets to use for your tunnel policy (the default is tunnel_3des_sha). Transform sets specify which authentication and encryption algorithms will be used to secure the traffic in the tunnel. A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see Creating IPSec Transform Set Objects, page 8-36. If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security will be used. Note You can select up to six transform sets. For more information, see About Transform Sets, page 9-49. |
Reverse Route Injection | Note Available only for ASA devices. Select the required option to configure Reverse Route Injection (RRI) on the crypto map in your tunnel policy: •None—To disable the RRI configuration on the crypto map. •Standard—This is the default. It creates routes based on the destination information defined in the crypto map access control list (ACL). For more information, see About Reverse Route Injection, page 9-50. |
Enable Network Address Translation Traversal | Note Available only for ASA devices. When selected (the default), enables you to configure NAT traversal on the device. You use NAT traversal when a device (referred to as the middle device) is located between a VPN-connected hub and spoke, that performs NAT on the IPsec flow. For more information, see Understanding NAT, page 9-53. |
Use the IPsec Proposal Editor to create or edit an IPsec proposal for a device in your remote access VPN.
If you select an IOS router, the IPsec Proposal Editor dialog box displays two tabs—General and Dynamic VTI/VRF Aware IPsec. If you select a Catalyst 6500/7600, the FWSM Settings tab is also displayed.
Click the appropriate tab to specify general IPsec settings, configure Dynamic VTI or VRF Aware IPsec, or both, on the selected device, or configure FWSM on a Catalyst 6500/7600 device.
Navigation Path
Open the IPsec Proposal Page, then click Create, or select a proposal from the list and click Edit. The IPsec Proposal Editor dialog box opens, displaying the General tab.
Related Topics
•VPNSM/VPN SPA Settings Dialog Box
•Dynamic VTI/VRF Aware IPsec Tab (IPsec Proposal Editor)
•Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-38
•Creating Interface Role Objects, page 8-34
•Creating AAA Server Group Objects, page 8-22
Field Reference
Table H-63 describes the elements in the General tab of the IPsec Proposal Editor dialog box, if you selected an IOS router or Catalyst 6500/7600.
Note For a description of the elements in the dialog box if you selected a PIX Firewall or ASA device, see Table H-62.
| Element | Description |
|---|---|
| External Interface | Note Available only if the selected device is an IOS router. The external interface through which remote access clients will connect to the server. An external interface can be defined by a specific interface role. Interface roles are predefined objects. Click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, and enables you to create interface role objects. |
| Inside VLAN | Note Available only if the selected device is a Catalyst 6500/7600. The inside VLAN that serves as the inside interface to the VPN Services Module (VPNSM) or VPN SPA. Click Select to open a dialog box in which you define the settings that enable you to configure a VPN Services Module (VPNSM) external interface or a VPN SPA blade on the Catalyst 6500/7600 device. See VPNSM/VPN SPA Settings Dialog Box. For information about configuring a VPNSM or a VPN SPA, see Procedure for Configuring a VPNSM or VPN SPA/VSPA, page 9-31. |
| Transform Sets | The transform set or sets to use for your tunnel policy. Transform sets specify which authentication and encryption algorithms are used to secure the traffic in the tunnel. A default transform set is displayed. If you want to use a different transform set or select additional transform sets, click Select to open a dialog box that lists all available transform sets and enables you to create transform set objects. For more information, see Creating IPSec Transform Set Objects, page 8-36. If more than one of your selected transform sets is supported by both peers, the transform set that provides the highest security is used. Note You can select up to six transform sets. For more information, see About Transform Sets, page 9-49. |
| Reverse Route Injection | Select one of the following options to configure Reverse Route Injection (RRI) on the crypto map: •None—To disable the configuration of RRI on the crypto map. •Standard—The default. It creates routes according to the destination information defined in the crypto map access control list (ACL). •Remote Peer—To create two routes, one for the remote endpoint and one for route recursion to the remote endpoint through the interface to which the crypto map is applied. •Remote Peer IP—To specify an interface or address as the explicit next hop to the remote VPN device. Then click Select to open the Network/Hosts Selector, from which you can select the IP address of the remote peer to use as the next hop. Note You can select the Allow Value Override per Device check box to override the default route, if required. For more information, see About Reverse Route Injection, page 9-50. |
| Group Policy Lookup/AAA Authorization Method | The AAA authorization method list that defines the order in which the group policies are searched. Group policies can be configured on the local server or on an external AAA server. Note The default is LOCAL. Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects. |
| User Authentication (Xauth)/AAA Authentication Method | The AAA or Xauth user authentication method that defines the order in which user accounts are searched. Note The default authentication method is LOCAL. Xauth allows all Cisco IOS software AAA authentication methods to perform user authentication in a separate phase after the IKE authentication phase 1 exchange. For more information about defining user accounts, see Defining Accounts and Credential Policies, page 13-48. Click Select to open a dialog box that lists all available AAA server groups and enables you to create AAA server group objects. |
Note This dialog box is available only if the selected device is a Catalyst 6500/7600.
Use the VPNSM/VPN SPA Settings dialog box to specify the settings for configuring a VPN Services Module (VPNSM) or a VPN Shared Port Adapter (VPN SPA) on a Catalyst 6500/7600 device.
Note Before you define the VPNSM or VPN SPA settings, you must import your Catalyst 6500/7600 device to the Security Manager inventory and discover its interfaces. For more information, see Procedure for Configuring a VPNSM or VPN SPA/VSPA, page 9-31.
Before you configure VPNSM or VPN SPA with VRF-Aware IPsec on a device, verify that the device is not already configured with both an IPsec proposal that uses VRF-Aware IPsec and an IPsec proposal that does not.
For more information about VPNSM or VPNSPA/VSPA, see Procedure for Configuring a VPNSM or VPN SPA/VSPA, page 9-31.
Navigation Path
1. Open the IPsec Proposal Page, then click Create, or select a proposal from the list and click Edit. The IPsec Proposal Editor dialog box opens.
2. In the General tab of the IPsec Proposal Editor dialog box, click Select next to the Inside VLAN field.
Related Topics
•IPsec Proposal Editor Dialog Box (for IOS Routers and Catalyst 6500/7600 Devices)
•Creating Interface Role Objects, page 8-34
Field Reference
Note The Dynamic VTI/VRF Aware IPsec tab is available only when the selected device is a Cisco IOS router or Catalyst 6500/7600.
Use the Dynamic VTI/VRF Aware IPsec tab of the IPsec Proposal Editor to configure VRF Aware IPsec settings (on a Cisco IOS router or Catalyst 6500/7600 device), configure a dynamic virtual interface on a Cisco IOS router, or do both, in your remote access VPN.
For more information, see:
•Understanding VRF-Aware IPsec, page 9-34
•Understanding IPsec Proposals in Remote Access VPNs, page 10-37
Navigation Path
1. Open the IPsec Proposal Page, then click Create, or select a proposal from the list and click Edit.
2. In the IPsec Proposal Editor dialog box, click the Dynamic VTI/VRF Aware IPsec tab.
Related Topics
•Configuring an IPsec Proposal on a Remote Access VPN Server, page 10-38
•Understanding IPsec Tunnel Policies, page 9-48
•Creating User Group Objects, page 8-94
•Creating Interface Role Objects, page 8-34
Field Reference
| Element | Description |
|---|---|
| Enable Dynamic VTI | When selected, enables Security Manager to implicitly create a dynamic virtual template interface on an IOS router. Note Dynamic VTI can be configured only on IOS routers running Cisco IOS Release 12.4(2)T and later, except 7600 devices. If the device does not support Dynamic VTI, an error message is displayed. For more information, see PVC Dialog Box—QoS Tab, page J-46. |
| Enable VRF Settings | When selected, enables you to configure VRF settings on the device for the selected hub-and-spoke topology. Note To remove VRF settings that were defined for the VPN topology, deselect this check box. |
| User Group | When you configure a remote access VPN server, remote clients must have the same group name as the user group object configured on the VPN server so that they can connect to the device. Select the name of the user group associated with the device. If the user group is not included in the list, click Select to open a dialog box that lists all available user groups and enables you to create a user group object. |
| CA Server | Select the Certification Authority (CA) server to use for managing certificate requests for the device. If the required CA server is not included in the list, click Select to open a dialog box that lists all available CA servers and enables you to create a PKI enrollment object. For more information, see PKI Enrollment Dialog Box, page F-142. For more information about IPsec configuration with CA servers, see Understanding Public Key Infrastructure Policies, page 9-57. |
| Virtual Template IP Type | Available if you selected the Enable Dynamic VTI check box. Specify the virtual template interface to use by clicking one of the following radio buttons: •IP—To use an IP address as the virtual template interface. Then specify the private IP address in the IP field. If required, click Select to open the Network/Hosts selector in which you can select a host to be used as the IP address. •Use Loopback Interface—To use the IP address taken from an existing loopback interface as the virtual template interface. Then, in the Role field, enter the interface or click Select to select it from the list of interface roles. Note A virtual template IP address is configured only on a server in a remote access VPN. |
| VRF Solution | Available if you selected the Enable VRF Settings check box. Click one of the following radio buttons to configure the required VRF solution: •1-Box (IPsec Aggregator + MPLS PE)—One device serves as the Provider Edge (PE) router that does the MPLS tagging of the packets in addition to IPsec encryption and decryption from the Customer Edge (CE) devices. For more information, see VRF-Aware IPsec One-Box Solution, page 9-35. •2-Box (IPsec Aggregator Only)—The PE device does only the MPLS tagging, while the IPsec Aggregator device does the IPsec encryption and decryption from the CEs. For more information, see VRF-Aware IPsec Two-Box Solution, page 9-36. |
| VRF Name | The name of the VRF routing table on the IPsec Aggregator. The VRF name is case-sensitive. |
| Route Distinguisher | The unique identifier of the VRF routing table on the IPsec Aggregator. This unique route distinguisher maintains routing separation for each VPN across the MPLS core to the other PE routers. The identifier can be in either of the following formats: •IP address:X (where X is in the range of 0-999999999). •N:X (where N is in the range of 0-65535, and X is in the range of 0-999999999). Note You cannot override the RD identifier after deploying the VRF configuration to your device. To modify the RD identifier after deployment, you must manually remove it through the device CLI and then deploy again. |
| Interface Towards Provider Edge | Available only if the 2-Box radio button is selected. The VRF forwarding interface on the IPsec Aggregator towards the PE device. Note If the IPsec Aggregator (hub) is a Catalyst VPN service module, you must specify a VLAN. Interfaces and VLANs are predefined interface role objects. If required, click Select to open a dialog box that lists all available interfaces and sets of interfaces defined by interface roles, in which you can make your selection or create interface role objects. |
| Routing Protocol | Available only if the 2-Box radio button is selected. Select the routing protocol to use between the IPsec Aggregator and the PE. If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, select the routing protocol for redistributing the routing to the secured IGP. The options are BGP, EIGRP, OSPF, RIPv2, or Static route. For information about these protocols, see Chapter 12, "Managing IPS Services". |
| AS Number | Available only if the 2-Box radio button is selected. The number to use to identify the autonomous system (AS) area between the IPsec Aggregator and the PE. If the routing protocol for the secured IGP differs from the routing protocol between the IPsec Aggregator and the PE, enter an AS number that identifies the secured IGP into which the routing will be redistributed from the IPsec Aggregator and the PE. This is relevant only if GRE or DMVPN is applied. The AS number must be between 1 and 65535. |
| Process Number | Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF. The routing process ID number to use to configure the routing between the IPsec Aggregator and the PE. The process number must be between 1 and 65535. |
| OSPF Area ID | Available only if the 2-Box radio button is selected, and if the selected routing protocol is OSPF. The ID number of the area in which the packet belongs. You can enter any number from 0 to 4294967295. Note All OSPF packets are associated with a single area, so all devices must have the same area ID number. |
| Redistribute Static Route | Available only if the 2-Box radio button is selected, and for any selected routing protocol other than Static route. When selected, enables static routes to be advertised in the routing protocol configured on the IPsec Aggregator towards the PE device. Note If this check box is deselected and Enable Reverse Route Injection is enabled (default) for the IPsec proposal, static routes are still advertised in the routing protocol on the IPsec Aggregator. |
| Next Hop IP Address | Available only if the 2-Box radio button is selected and if the selected routing protocol is Static. The IP address of the provider edge device (or the interface that is connected to the IPSec aggregator). |
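Because the Route Distinguisher cannot be overridden once the VRF configuration has been deployed (it has to be removed through the device CLI and deployed again), it pays to check the RD format and the 2-Box field dependencies before deployment. The following Python is an added example written for this page, not Security Manager or Cisco IOS code. The dict keys are an assumption of the example, as is its treatment of Process Number and OSPF Area ID as required whenever the routing protocol is OSPF; the numeric ranges and the "available only if" dependencies follow the field descriptions above.

```python
"""Pre-deployment checks for the VRF-Aware IPsec fields (added example)."""
import ipaddress

RD_ASSIGNED_MAX = 999999999  # X in "IP address:X" and "N:X"
RD_ADMIN_MAX = 65535         # N in "N:X"
ROUTING_PROTOCOLS = {"BGP", "EIGRP", "OSPF", "RIPv2", "Static"}


def _uint(text):
    """Return int(text) for an ASCII decimal string, else None."""
    return int(text) if text.isascii() and text.isdigit() else None


def parse_route_distinguisher(rd):
    """Split a route distinguisher into (kind, administrator, assigned).

    kind is "ip" for the IP-address:X form and "as" for the N:X form.
    Raises ValueError when the text matches neither form or a number is
    outside the ranges given on the page.
    """
    admin, sep, assigned = rd.rpartition(":")
    x = _uint(assigned) if sep else None
    if x is None:
        raise ValueError(f"malformed route distinguisher {rd!r}")
    if x > RD_ASSIGNED_MAX:
        raise ValueError(f"assigned number {x} exceeds {RD_ASSIGNED_MAX}")
    n = _uint(admin)
    if n is not None:
        if n > RD_ADMIN_MAX:
            raise ValueError(f"administrator {n} exceeds {RD_ADMIN_MAX}")
        return ("as", n, x)
    try:
        ipaddress.IPv4Address(admin)
    except ValueError:
        raise ValueError(f"administrator {admin!r} is neither an IPv4 "
                         f"address nor a number 0-{RD_ADMIN_MAX}") from None
    return ("ip", admin, x)


def validate_vrf_settings(s):
    """Return a list of problems with the VRF form values in dict s.

    An empty list means the values are consistent. The 2-Box-only fields,
    the OSPF-only fields and the Static-only field are checked exactly
    where the page says they are available (keys are this example's).
    """
    errors = []
    if not s.get("vrf_name"):  # case-sensitive on the device; kept verbatim
        errors.append("VRF Name is required")
    try:
        parse_route_distinguisher(s.get("route_distinguisher", ""))
    except ValueError as exc:
        errors.append(f"Route Distinguisher: {exc}")

    solution = s.get("vrf_solution")
    if solution not in ("1-Box", "2-Box"):
        errors.append("VRF Solution must be 1-Box or 2-Box")
        return errors
    if solution == "1-Box":
        return errors  # the remaining fields exist only for 2-Box

    if not s.get("interface_towards_pe"):
        errors.append("Interface Towards Provider Edge is required for 2-Box")
    proto = s.get("routing_protocol")
    if proto not in ROUTING_PROTOCOLS:
        errors.append(f"Routing Protocol must be one of {sorted(ROUTING_PROTOCOLS)}")
        return errors

    def check_range(key, label, lo, hi, required):
        value = s.get(key)
        if value is None:
            if required:
                errors.append(f"{label} is required for {proto}")
        elif not (isinstance(value, int) and lo <= value <= hi):
            errors.append(f"{label} must be between {lo} and {hi}")

    check_range("as_number", "AS Number", 1, 65535, required=False)
    # Assumption of this example: an OSPF process needs both values.
    check_range("process_number", "Process Number", 1, 65535,
                required=proto == "OSPF")
    check_range("ospf_area_id", "OSPF Area ID", 0, 4294967295,
                required=proto == "OSPF")

    if proto == "Static":
        if s.get("redistribute_static"):
            errors.append("Redistribute Static Route does not apply to Static route")
        try:
            ipaddress.ip_address(s.get("next_hop", ""))
        except ValueError:
            errors.append("Next Hop IP Address must be a valid IP address for Static route")
    return errors
```

Run the checks against the form values before clicking Save; the RD check in particular catches an out-of-range assigned number (above 999999999) or a non-numeric administrator that is not an IPv4 address, both of which would otherwise be caught only at deployment.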
Use the User Group Policy page to specify user groups for your remote access IPSec VPN server.
Note The User Group Policy page is available if the selected device is a Cisco IOS router, PIX 6.3 Firewall, or Catalyst 6500 /7600 device.
Navigation Path
1. In Device View, select the desired device.
2. Select Remote Access VPN > IPSec VPN > User Groups from the Policy selector.
Note You can also open the User Group Policy page from Policy view. For more information, see Managing Shared Remote Access VPN Policies in Policy View, page 10-62.
Related Topics
•Remote Access VPN Configuration Wizard
•Understanding User Group Policies (IOS), page 10-41
•Configuring User Group Policies, page 10-42
•Creating User Group Objects, page 8-94
Field Reference
| Element | Description |
|---|---|
| Available User Groups | Lists the predefined user groups available for selection. Select the required user groups and click >>. In Security Manager, user groups are objects. If the required user group is not in the list, click Create to open the User Groups Editor dialog box, which enables you to create or edit a user group object. See Add or Edit User Group Dialog Box, page F-187. |
| Selected User Groups | Displays the selected user groups. To remove a user group from this list, select it and click <<. To modify the properties of a user group, select it and click Edit. |
| >> button | Click to move a selected user group from the Available User Groups list to the Selected User Groups list. |
| << button | Click to move a selected user group from the Selected User Groups list back to the Available User Groups list. |
| Save button | Available only if you opened this page from the Remote Access VPN Policies folder, and if you are authorized to modify this policy. Saves your changes to the server but keeps them private. Note To publish your changes, click the Submit button on the toolbar. |
Use the SSL VPN Access Policy page to configure access parameters for your SSL VPN. For information about configuring an Access policy, see Configuring an Access Policy, page 10-44.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > SSL VPN > Access from the Policy selector.
Related Topics
•Policy View—Assignments Tab, page D-17
•Access Interface Configuration Dialog Box
•Understanding Interface Role Objects, page 8-33
•Creating Port List Objects, page 8-72
Field Reference
| Element | Description |
|---|---|
| Access Interface Table | The Access Interface table displays the access settings for each interface. •To configure access on an interface, click the Add button (see Access Interface Configuration Dialog Box). •To edit access settings for an interface, select the interface and click the Edit button (see Access Interface Configuration Dialog Box). •To delete access settings for an interface, select the interface and click the Delete button. |
| Port Number | The port to use for SSL VPN sessions. The default port is 443, for HTTPS traffic; the range is 1024 through 65535. If you change the port number, all current SSL VPN connections terminate, and current users must reconnect. Note If HTTP port redirection is enabled, the default HTTP port number is 80. Enter the name of a port list, or click Select to open the Port List Selector from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects. |
| DTLS Port Number | Specify a separate UDP port for DTLS connections. The default port is 443. Enter the name of a port list, or click Select to open the Port List Selector from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects. For details about DTLS, see Understanding SSL VPN Client Settings, page 10-54. |
| Fallback Trustpoint | Enter or select a trustpoint to use for interfaces that do not have a trustpoint assigned. |
| Default Idle Timeout | Amount of time, in seconds, that an SSL VPN session can be idle before the security appliance terminates it. This value applies only if the Idle Timeout value in the group policy for the user is set to zero (0), which means there is no timeout value; otherwise the group policy Idle Timeout value takes precedence over the timeout you configure here. The minimum value you can enter is 60 seconds (1 minute). The default is 30 minutes (1800 seconds). Maximum is 24 hours (86400 seconds). We recommend that you set this attribute to a short time period. This is because a browser set to disable cookies (or one that prompts for cookies and then denies them) can result in a user not connecting but nevertheless appearing in the sessions database. If the Simultaneous Logins attribute for the group policy is set to one, the user cannot log back in because the database indicates that the maximum number of connections already exists. Setting a low idle timeout removes such phantom sessions quickly, and lets a user log in again. |
| Max Session Limit | The maximum number of SSL VPN sessions allowed. Be aware that the different ASA models support SSL VPN sessions as follows: ASA 5510 supports a maximum of 150; ASA 5520 maximum is 750; ASA 5540 maximum is 2500. |
| Allow Users to Select Connection Profile in Portal Page | When selected, includes a list of configured Connection Profiles (tunnel groups) on the SSL VPN end-user interface, from which users can select a profile when they log in. When deselected, the user cannot select a profile on login. |
| Enable AnyConnect Access | When selected, allows SSL VPN client connections. For details about AnyConnect SSL VPN clients, see Understanding SSL VPN Client Settings, page 10-54. |
| Enable AnyConnect Essentials | When selected, enables the AnyConnect Essentials feature. For details about AnyConnect Essentials SSL VPN clients, see Understanding SSL VPN Client Settings, page 10-54. |
Use the Access Interface Configuration dialog box to create or edit SSL VPN access on a security appliance interface.
Navigation Path
Open the SSL VPN Access Policy Page, then click Add Row below the table, or select a row in the table and click Edit Row.
Related Topics
•Configuring an Access Policy, page 10-44
•Understanding Interface Role Objects, page 8-33
Field Reference
Use the SSL VPN Other Settings page to define global settings for caching, content rewriting, character encoding, proxy, and memory size definitions that apply to devices in your VPN topology.
For more information, see Configuring Other SSL VPN Settings, page 10-45.
These tabs are available on the SSL VPN Other Settings page.
Navigation Path
1. In Device View, select an ASA device.
2. Select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.
Related Topics
•Policy View—Assignments Tab, page D-17
Use the Performance tab of the SSL VPN Other Settings page to specify caching properties that enhance SSL VPN performance.
Navigation Path
The Performance tab appears when you open the SSL VPN Other Settings Page. You can also open it by clicking the Performance tab from any other tab on the SSL VPN Global Settings page.
Related Topics
•Defining Performance Settings, page 10-46
Field Reference
Use the Content Rewrite tab of the SSL VPN Other Settings page to enable the security appliance to create rewrite rules that permit users to browse certain sites and applications without going through the security appliance itself.
Navigation Path
Open the SSL VPN Other Settings Page, then click the Content Rewrite tab.
Related Topics
•Defining Content Rewrite Rules, page 10-47
Field Reference
| Element | Description |
|---|---|
| Rule Number | An integer that indicates the position of the rule in the list. The security appliance searches rewrite rules by order number, starting with the lowest, and applies the first rule that matches. |
| Rule Name | The name of the application for which the rule applies. |
| Resource Mask | The application or resource for the rule. |
| Enable | Indicates whether the content rewrite rule is enabled or not on the security appliance. |
| Create button | Opens a dialog box that lets you add a content rewrite rule to the list. See Add/Edit Content Rewrite Dialog Box. |
| Edit button | Opens a dialog box that lets you edit a selected content rewrite rule in the table. See Add/Edit Content Rewrite Dialog Box. |
| Delete button | Deletes one or more selected content rewrite rules from the table. |
Use the Add/Edit Content Rewrite dialog box to configure the rewriting engine that includes advanced elements such as JavaScript, VBScript, Java, and multi-byte characters to proxy HTTP traffic over a SSL VPN connection.
Navigation Path
Open the Content Rewrite Tab, then click Create below the table, or select a row in the table and click Edit.
Related Topics
•Defining Content Rewrite Rules, page 10-47
Field Reference
Use the Encoding tab of the SSL VPN Other Settings page to specify the character set to encode in SSL VPN portal pages to be delivered to remote users. By default, the encoding type set on the remote browser determines the character set for SSL VPN portal pages, so you need to set the character encoding only if it is necessary to ensure proper encoding on the browser.
Navigation Path
Open the SSL VPN Other Settings Page, then click the Encoding tab.
Related Topics
•Defining Encoding Rules, page 10-49
Field Reference
| Element | Description |
|---|---|
| Global SSL VPN Encoding Type | Select the attribute that determines the character encoding that all SSL VPN portal pages inherit, except for those portal pages delivered from the CIFS servers listed in the table. By default, the security appliance applies the "Global SSL VPN Encoding Type" to pages from Common Internet File System servers. You can select one of the following values: •big5 •gb2312 •ibm-850 •iso-8859-1 •shift_jis Note If you are using Japanese Shift_jis Character encoding, click Do not specify in the Font Family area of the associated Select Page Font pane to remove the font family. •unicode •windows-1252 •none If you choose None or specify a value that the browser on the SSL VPN client does not support, it uses its own default encoding. You can enter a string of up to 40 characters, and equal to one of the valid character sets identified in http://www.iana.org/assignments/character-sets. You can use either the name or the alias of a character set listed on that page. The string is case-insensitive. The command interpreter converts upper-case to lower-case when you save the security appliance configuration. |
| Common Internet File System Server | The name or IP address of each CIFS server for which the encoding requirement differs from the "Global SSL VPN Encoding Type" attribute setting. |
| Encoding Type | The character encoding override for the associated CIFS server. |
| Create button | Opens a dialog box that lets you add a CIFS server for which the encoding requirement differs from the "Global SSL VPN Encoding Type" attribute setting. See Add/Edit File Encoding Dialog Box. |
| Edit button | Opens a dialog box that lets you edit the settings of a selected CIFS server in the table. See Add/Edit File Encoding Dialog Box. |
| Delete button | Select the rows of one or more exceptions to the global encoding type attribute setting, then click to remove from the list. |
Use the Add/Edit File Encoding dialog box to configure CIFS servers and associated character encoding, to override the value of the "Global SSL VPN Encoding Type" attribute.
Navigation Path
Open the Encoding Tab, then click Create below the table, or select a row in the table and click Edit.
Related Topics
•Defining Encoding Rules, page 10-49
Field Reference
Use the Proxy tab of the SSL VPN Other Settings page to configure the security appliance to terminate HTTPS connections and forward HTTP/HTTPS requests to HTTP and HTTPS proxy servers. On this tab, you can also configure the security appliance to perform minimal content rewriting, and to specify the types of content to rewrite—external links and/or XML.
Navigation Path
Open the SSL VPN Other Settings Page, then click the Proxy tab.
Related Topics
•Defining Proxies and Proxy Bypass Rules, page 10-50
•Understanding Network/Host Objects, page 8-65
•Creating Port List Objects, page 8-72
Field Reference
| Element | Description |
|---|---|
| Proxy Type | Select the type of external proxy server to use for SSL VPN connections as follows: •HTTP/HTTPS Proxy—Enables you to use an external proxy server to handle HTTP or HTTPS requests and activates all the fields beneath it that specify HTTP or HTTPS server properties. •Proxy using PAC—Enables you to specify a proxy autoconfiguration (PAC) file to download from an HTTP proxy server to a browser. |
| HTTP/HTTPS Proxy Servers | |
| Enable HTTP Proxy Server | Click this check box to enable the HTTP proxy server. |
| HTTP Proxy Server | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. The IP address of the external HTTP proxy server to which the security appliance forwards HTTP connections. HTTP proxy servers are predefined network objects. You can click Select to open the Networks/Hosts Selector dialog box from which you can make your selection(s), and in which you can create network host objects. |
| HTTP Proxy Port | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. The port of the external HTTP proxy server to which the security appliance forwards HTTP connections. You can click Select to open the Port List Selector dialog box from which you can make your selection, or create a port list object. A port list object is a named definition of one or more port ranges that you use when defining service objects. |
| Exception Address List | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. A URL or a comma-delimited list of several URLs to exclude from those that can be sent to the HTTP proxy server. The string does not have a character limit, but the entire command cannot exceed 512 characters. You can specify literal URLs or use the following wildcards: •* to match any string, including slashes (/) and periods (.). You must accompany this wildcard with an alphanumeric string. •? to match any single character, including slashes and periods. •[x-y] to match any single character in the range of x and y, where x represents one character and y represents another character in the ANSI character set. •[!x-y] to match any single character that is not in the range. You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects. See Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 8-84. |
| Authentication User Name | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. The username that is used as the keyword to accompany each HTTP proxy request to provide basic, proxy authentication. |
| Authentication Password | The password to send to the proxy server with each HTTP request. |
| Confirm | Confirms the password entered in the Authentication Password field. The values in the Authentication Password and Confirm fields must match before you can save these settings. |
| Enable HTTPS Proxy Server | Click this check box to enable the HTTPS proxy server. |
| HTTPS Proxy Server | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. The IP address of the external HTTPS proxy server to which the security appliance forwards HTTP connections. HTTPS proxy servers are predefined network objects. You can click Select to open the Networks/Hosts Selector dialog box from which you can make your selection(s), and in which you can create network host objects. |
| HTTPS Proxy Port | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. The port of the external HTTPS proxy server to which the security appliance forwards HTTPS connections. You can click Select to open the Port List Selector dialog box from which you can make your selection, or create a port list object. |
| Exception Address List | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. A URL or a comma-delimited list of several URLs to exclude from those that can be sent to the HTTPS proxy server. The string does not have a character limit, but the entire command cannot exceed 512 characters. You can specify literal URLs or use the following wildcards: •* to match any string, including slashes (/) and periods (.). You must accompany this wildcard with an alphanumeric string. •? to match any single character, including slashes and periods. •[x-y] to match any single character in the range of x and y, where x represents one character and y represents another character in the ANSI character set. •[!x-y] to match any single character that is not in the range. You can click Select to open the URL List Selector from which you can select the required URL List from a list of URL List objects. See Configuring SSL VPN Bookmark Lists for ASA and IOS Devices, page 8-84. |
| Authentication User Name | Available only if you selected HTTP/HTTPS Proxy from the Proxy Server list. The username that is used as the keyword to accompany each HTTPS proxy request to provide basic, proxy authentication. |
| Authentication Password | The password to send to the proxy server with each HTTPS request. |
| Confirm | Confirms the password entered in the Authentication Password field. The values in the Authentication Password and Confirm fields must match before you can save these settings. |
| Proxy using PAC | |
| Specify Proxy Auto Config file URL | Available only if you selected Proxy using PAC from the Proxy Server list. When selected, enables you to specify a proxy autoconfiguration (PAC) file to download to the browser. Once downloaded, the PAC file uses a JavaScript function to identify a proxy for each URL. Enter http:// and type the URL of the proxy autoconfiguration file into the adjacent field. If you omit the http:// portion, the security appliance ignores it. This option is an alternative to specifying the IP address of the HTTP proxy server. |
| Interface | The ASA interface configured for proxy bypass. |
| Port | The port configured for proxy bypass. |
| Path Mask | The URL path to match for proxy bypass. A path is the text in a URL that follows the domain name. For example, in the URL www.mycompany.com/hrbenefits, hrbenefits is the path. Similarly, for the URL www.mycompany.com/hrinsurance, hrinsurance is the path. If you want to use proxy bypass for all hr sites, you can avoid using the command multiple times by using the * wildcard as follows: /hr*. |
| URL | The target URL for proxy bypass. |
| Create button | Opens a dialog box that lets you add a proxy bypass rule to the table. See Add/Edit Proxy Bypass Dialog Box. |
| Edit button | Opens a dialog box that lets you edit the settings of a selected proxy bypass rule in the table. See Add/Edit Proxy Bypass Dialog Box. |
| Delete button | Deletes one or more proxy bypass rules selected in the table. |
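The Exception Address List fields for the HTTP and HTTPS proxy servers use the same four wildcards, and an over-broad entry silently sends requests around the proxy, so it helps to be able to test which URLs a given list excludes before committing it. The following Python is an added example written for this page, not ASA or Security Manager code. It translates each entry into a regular expression according to the wildcard descriptions above and enforces the rule that `*` must be accompanied by alphanumeric text; it assumes that an entry is matched against the whole URL string, case-sensitively, and that entries are separated by commas with surrounding spaces ignored.

```python
"""Matcher for proxy Exception Address List entries (added example)."""
import re

# The page's limit applies to the entire command, so checking the field
# alone is a conservative approximation (assumption of this example).
MAX_COMMAND_LENGTH = 512


def wildcard_to_regex(pattern):
    """Compile one exception-list entry into an anchored regex.

    *      any string, including / and .
    ?      any single character, including / and .
    [x-y]  one character in the range x..y
    [!x-y] one character outside the range
    Everything else is literal, so URL characters such as . are escaped.
    """
    if not any(ch.isalnum() for ch in pattern):
        # A bare wildcard would exclude every URL from the proxy.
        raise ValueError(f"pattern {pattern!r} has no alphanumeric text")
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            close = pattern.find("]", i + 1)
            if close == -1:
                raise ValueError(f"unterminated [ in {pattern!r}")
            body = pattern[i + 1:close]
            negate = body.startswith("!")
            if negate:
                body = body[1:]
            if not re.fullmatch(r".-.", body) or body[0] > body[2]:
                raise ValueError(f"expected [x-y] or [!x-y] in {pattern!r}")
            out.append(("[^" if negate else "[")
                       + re.escape(body[0]) + "-" + re.escape(body[2]) + "]")
            i = close
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out))


def parse_exception_list(text):
    """Split the comma-delimited field into (entry, compiled regex) pairs."""
    if len(text) > MAX_COMMAND_LENGTH:
        raise ValueError(f"exception list exceeds {MAX_COMMAND_LENGTH} characters")
    entries = [e.strip() for e in text.split(",") if e.strip()]
    return [(e, wildcard_to_regex(e)) for e in entries]


def bypasses_proxy(url, exception_list):
    """Return the first entry that excludes url from the proxy, or None."""
    for entry, rx in parse_exception_list(exception_list):
        if rx.fullmatch(url):
            return entry
    return None


if __name__ == "__main__":
    # Constructed sample list and URLs, not taken from any real device.
    sample = "*.example.com/*, 10.0.?.1, host[!a-c].example.net"
    for url in ("intranet.example.com/hr/benefits", "10.0.33.1", "hostd.example.net"):
        print(f"{url:36} -> {bypasses_proxy(url, sample)}")
```

Reviewing a list this way shows the reach of each wildcard: `*` spans slashes, so `*.example.com/*` excludes every path under every subdomain, while `?` in `10.0.?.1` covers only single-digit third octets.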
Use the Add/Edit Proxy Bypass dialog box to set proxy bypass rules when the security appliance performs little or no content rewriting.
Navigation Path
Open the Proxy Tab, then click Create below the table, or select a row in the table and click Edit.
Related Topics
•Defining Proxies and Proxy Bypass Rules, page 10-50
•Understanding Interface Role Objects, page 8-33
•Creating Port List Objects, page 8-72
Field Reference
Clientless SSL VPN must be enabled on the security appliance to provide remote access to the plug-ins. Use the Plug-in tab of the SSL VPN Other Settings page to view the currently configured browser plug-ins, create new plug-ins, or edit the existing ones.
Navigation Path
Open the SSL VPN Other Settings Page, then click the Plug-in tab. You can also open it by clicking the Plug-in tab from any other tab on the SSL VPN Other Settings page.
Related Topics
•Understanding Plug-ins, page 10-52
•Defining Browser Plug-ins, page 10-53
•Understanding and Managing SSL VPN Support Files, page 10-5
Field Reference
Element | Description |
---|---|
Plug-in | The type of plug-in based on the protocol service that the plug-in provides to the user. The plug-in is used in remote browsers in Clientless SSL VPN sessions. |
Plug-in File | The name of the File Object that identifies the plug-in file. |
Create button | Opens a dialog box that lets you add a browser plug-in. See Add/Edit Plug-in Entry Dialog Box. |
Edit button | Opens a dialog box that lets you edit the settings of the selected plug-in. See Add/Edit Plug-in Entry Dialog Box. |
Delete button | Select the rows of one or more browser plug-ins, then click to remove them from the list. |
Use the Add/Edit Plug-in Entry dialog box to add or edit browser plug-ins to download to remote browsers in clientless SSL VPN sessions.
Navigation Path
Open the Plug-in Tab, then click Create below the table, or select a row in the table and click Edit.
Related Topics
•Understanding Plug-ins, page 10-52
•Defining Browser Plug-ins, page 10-53
•Understanding and Managing SSL VPN Support Files, page 10-5
Field Reference
Element | Description |
---|---|
Plug-in | The type of plug-in file based on the protocol to be used for the imported plug-in in URLs launched from the SSL VPN portal. Select one of the following options from the list: •Remote Desktop (RDP)—Provides access to Remote Desktop Protocol services using the rdp-plugin.jar plug-in file. •Secure Shell (SSH), Telnet—Provides access to Secure Shell and Telnet services using the ssh-plugin.jar plug-in file. •VNC—Provides access to Virtual Network Computing services using the vnc-plugin.jar plug-in file. •Citrix (ICA)—Provides access to Citrix MetaFrame services using the ica-plugin.jar plug-in file. |
Plug-in File | The File Object that identifies the plug-in file. Enter the name of the File Object or click Select to select an object. You can also create the File Object from the object selector. For more information on creating File Objects, see Creating File Objects, page 8-31. |
Use the SSL VPN Client Settings tab to specify the path of the SSL VPN client image and profile files to be downloaded to the remote PC and the size of the cache memory to be allocated for SSL VPN client and Cisco Secure Desktop (CSD) images on the device.
Navigation Path
Open the SSL VPN Other Settings Page, then click the Client Settings tab. You can also open it by clicking the Client Settings tab from any other tab on the SSL VPN Other Settings page.
Related Topics
•Understanding SSL VPN Client Settings, page 10-54
•Configuring SSL VPN Client Settings, page 10-55
•Understanding and Managing SSL VPN Support Files, page 10-5
Field Reference
Use the Add/Edit AnyConnect Client Image dialog box to create or edit a package file as the client image, and establish the order that the security appliance downloads the image to the remote PC.
Navigation Path
Open the SSL VPN Client Settings Tab, then click Create below the AnyConnect Client Image table, or select a row in the table and click Edit.
Related Topics
•Understanding SSL VPN Client Settings, page 10-54
•Configuring SSL VPN Client Settings, page 10-55
•Understanding and Managing SSL VPN Support Files, page 10-5
Field Reference
Element | Description |
---|---|
AnyConnect Client Image | The name of the File Object that identifies the AnyConnect client image. Click Select to select an object. You can also create the File Object from the object selector. For more information, see Creating File Objects, page 8-31. |
Image Order | The order in which the security appliance downloads the client images to the remote PC. It downloads the image at the top of the table first. Therefore, you should enter a lower value for the image used by the most commonly encountered operating system. |
Regular Expression | Regular expression for the AnyConnect image. Enter the name of an existing regular expression or click Select to select one or create a new one. |
Use the Add/Edit AnyConnect Client Profile dialog box to create a new profile or edit the path of an existing one. These profiles display host information in the AnyConnect VPN Client user interface. After creating a profile, it is loaded on the security appliance from Security Manager and you must configure the security appliance to download it to remote client PCs.
Navigation Path
Open the SSL VPN Client Settings Tab, then click Create below the AnyConnect Client Profile table, or select a row in the table and click Edit.
Related Topics
•Understanding SSL VPN Client Settings, page 10-54
•Configuring SSL VPN Client Settings, page 10-55
•Understanding and Managing SSL VPN Support Files, page 10-5
Field Reference
Element | Description |
---|---|
AnyConnect Profile Name | The name of the AnyConnect client profile to be downloaded to the security appliance. |
AnyConnect Client Profile | The name of the File Object that identifies the AnyConnect client profile XML file. Click Select to select an object. You can also create the File Object from the object selector. For more information, see Creating File Objects, page 8-31. |
The Advanced tab lets you configure the memory, on-screen keyboard, and internal password features on ASA devices.
Navigation Path
Open the SSL VPN Other Settings Page, then click the Advanced tab.
Related Topics
•Defining Advanced Settings, page 10-56
Field Reference
Use the SSL VPN Shared License page to configure your SSL VPN Shared License.
Navigation Path
1. In Device View, select an ASA device with version 8.2 software or higher.
2. Select Remote Access VPN > SSL VPN > Shared License (8.2) from the Policy selector.
Related Topics
•Understanding SSL VPN Shared Licenses (ASA), page 10-57
•Configuring an ASA Device as a Shared License Client, page 10-57
•Configuring an ASA Device as a Shared License Server, page 10-58
Field Reference
Use this page to view the SSL VPN connection policies defined on your IOS router. From this page, you can create, edit, or delete SSL VPN policies.
Navigation Path
1. In Device View, select an IOS device.
2. Select Remote Access VPN > SSL VPN from the Policy selector.
Related Topics
•Configuring an SSL VPN Policy (IOS), page 10-58
•SSL VPN Context Editor Dialog Box (IOS)
Field Reference
Element | Description |
---|---|
Filter | Click the arrow to display the filtering bar, which enables you to filter the information displayed in the table. See Filtering Tables, page 2-16. |
Name | The name of the context that defines the virtual configuration of the SSL VPN. Note To simplify the management of multiple context configurations, the context name should be the same as the domain or virtual hostname. |
Gateway | The gateway defined for the SSL VPN connection. |
Domain | The domain or virtual hostname of the SSL VPN connection. |
Status | The current status of the SSL VPN connection—In Service or Out of Service. |
Policies | The user groups associated with the SSL VPN connection. |
Create button | Click to open the SSL VPN Context Editor to create an SSL VPN policy. See SSL VPN Context Editor Dialog Box (IOS). |
Edit button | Select a row of an SSL VPN policy in the table, then click to open the SSL VPN Context Editor to edit its properties. See SSL VPN Context Editor Dialog Box (IOS). |
Delete button | Select the rows of one or more SSL VPN policies, then click to remove them from the list. |
Use this dialog box to create or modify an SSL VPN policy (context). For more information, see Configuring an SSL VPN Policy (IOS), page 10-58.
These tabs are available on the SSL VPN Context Editor dialog box:
•General tab
•Portal Page tab
•Secure Desktop tab
•Advanced tab
Navigation Path
Open the SSL VPN Policy Page (IOS), then click Create, or select a policy in the table and click Edit. For more information, see Table H-83. The SSL VPN Context Editor opens with the General tab displayed.
Use the General tab of the SSL VPN Context Editor dialog box to define or edit the general settings required for an SSL VPN policy. General settings include specifying the gateway, domain, AAA servers for accounting and authentication, and user groups.
Navigation Path
The General tab appears when you open the SSL VPN Context Editor Dialog Box (IOS). You can also open it by clicking the General tab from any other tab in the SSL VPN Context Editor dialog box.
Related Topics
•SSL VPN Context Editor Dialog Box (IOS)
•Creating SSL VPN Gateway Objects, page 8-90
•Understanding AAA Server and Server Group Objects, page 8-15
•Creating User Group Objects, page 8-94
Field Reference
Element | Description |
---|---|
Enable SSL VPN | When selected, activates the SSL VPN connection, putting it "In Service". When deselected, puts the SSL VPN connection "Out of Service". |
Name | The name of the context that defines the virtual configuration of the SSL VPN. Note To simplify the management of multiple context configurations, the context name is the same as the domain or virtual hostname. |
Gateway | The gateway to be used in the SSL VPN policy. You can click Select to open a dialog box from which you can select the gateway from a list of SSL VPN gateway objects. A gateway object provides the interface and port configuration for an SSL VPN connection. |
Domain | The domain or virtual hostname of the SSL VPN connection. |
Portal Page URL | The URL that will appear on the Portal page enabling a user to access the SSL VPN gateway. |
Authentication Server Group | The authentication server group (LOCAL if the users are defined on the local device). You can click Select to open a dialog box from which you can select an AAA server group from a list of AAA server group objects. |
Authentication Domain | A list or method for SSL VPN remote user authentication. Note If a list or method is not specified, the SSL VPN gateway uses global AAA parameters for remote-user authentication. |
Accounting Server Group | The accounting server group. You can click Select to open a dialog box from which you can select an AAA server group from a list of AAA server group objects. |
User Groups | A table listing the user group(s) that will be used in your SSL VPN policy. User groups define the resources available to users when connecting to an SSL VPN gateway. Using the buttons below the table, you can add user groups, edit their properties, and delete them from the table. |
Create button | Click to add user group(s) to the User Groups table. The User Groups Selector Page opens, from which you can select the required user group(s). If the required user group is not included in the Selector, click Create to open the Add User Group dialog box in which you can create a new user group object. |
Edit button | Select a user group in the User Groups table, then click Edit to modify its properties. The Edit User Group dialog box opens, enabling you to edit the user group object. |
Delete button | Select the rows of one or more user groups, then click to remove them from the table. |
Use the Portal Page tab of the SSL VPN Context Editor dialog box to define or edit the customization of the login page and portal page for the SSL VPN policy.
Navigation Path
Open the SSL VPN Context Editor Dialog Box (IOS), then click the Portal Page tab.
Related Topics
•Configuring the Portal Page for an IOS SSL VPN Policy, page 10-60
Field Reference
Use the Secure Desktop tab to configure the Cisco Secure Desktop (CSD) software on your selected IOS router.
Cisco Secure Desktop (CSD) provides a single, secure location for session activity and removal on the client system, ensuring that sensitive data is shared only for the duration of an SSL VPN session. For more information, see Configuring the Secure Desktop Software for an IOS SSL VPN Policy, page 10-61.
Note The Secure Desktop Client software must be installed and activated on a device in order for an SSL VPN policy to work properly.
Navigation Path
Open the SSL VPN Context Editor Dialog Box (IOS), then click the Secure Desktop tab.
Related Topics
•Configuring Cisco Secure Desktop Policies on ASA Devices, page 10-26
•SSL VPN Context Editor Dialog Box (IOS)
•Creating Cisco Secure Desktop Configuration Objects, page 8-73
Field Reference
Element | Description |
---|---|
Enable Cisco Secure Desktop | When selected, enables CSD on the device. |
Cisco Secure Desktop Configuration | Specify the name of the Cisco Secure Desktop policy object that contains the configuration you want to deploy. Click Select to select an existing object, or to create a new one. For more information, see Creating Cisco Secure Desktop Configuration Objects, page 8-73. |
Use the Advanced tab of the SSL VPN Context Editor dialog box to define or edit the maximum number of SSL VPN users, and other advanced settings required for an SSL VPN policy.
Navigation Path
Open the SSL VPN Context Editor Dialog Box (IOS), then click the Advanced tab.
Related Topics
•Configuring Advanced Settings for an IOS SSL VPN Policy, page 10-61
•SSL VPN Context Editor Dialog Box (IOS)
Field Reference
Element | Description |
---|---|
Maximum Number of Users | The maximum number of SSL VPN user sessions that can be configured. You can specify a value in the range 1-1000. |
VRF Name | If Virtual Routing Forwarding (VRF) is configured on the device, the name of the VRF instance that is associated with the SSL VPN context. Note Only one VRF instance can be associated with each SSL VPN context. For information about VRF, see Understanding VRF-Aware IPsec, page 9-34. |