69-30
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
ACL Manager
• Add ACE—Displays the Add Web Type ACE dialog box, in which you specify parameters for the
named ACL. This button is active only if there are one or more entries in the Web Type ACL table.
• Edit ACE/Delete—Click to edit or delete the highlighted ACL or ACE. When you delete an ACL,
you also delete all of its ACEs. No warning or undelete.
• Move Up/Move Down—Highlight an ACL or ACE and click these buttons to change the order of
ACLs and ACEs. The ASA checks ACLs and their ACEs in priority order according to their position
in the ACLs list box until it finds a match.
Modes
The following table shows the modes in which this feature is available:
Add/Edit Internal Group Policy > IPsec Client
The Add or Edit Group Policy > IPsec dialog box lets you specify tunneling protocols, filters, connection
settings, and servers for the group policy being added or modified.
Fields
• Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs,
unless the Inherit check box is checked. The user has 30 seconds to enter credentials, and up to three
attempts before the SA expires at approximately two minutes and the tunnel terminates.
• Allow entry of authentication credentials until SA expires—Allow users the time to reenter
authentication credentials until the maximum lifetime of the configured SA.
• IP Compression—Enables or disables IP Compression, unless the Inherit check box is checked.
• Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit
check box is selected. PFS ensures that the key for a given IPsec SA was not derived from any other
secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the
attacker would not be able to derive any other key. If PFS were not enabled, someone could
hypothetically break the IKE SA secret key, copy all the IPsec protected data, and then use
knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS,
breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to
break each IPsec SA individually.
• Store Password on Client System—Enables or disables storing the password on the client system.
Note Storing the password on a client system can constitute a potential security risk.
• IPsec over UDP—Enables or disables using IPsec over UDP.
• IPsec over UDP Port—Specifies the UDP port to use for IPsec over UDP.
• Tunnel Group Lock—Enables locking the tunnel group you select from the list, unless the Inherit
check box or the value None is selected.
Firewall Mode Security Context
Routed Transparent Single
Multiple
Context System
• — • ——