Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
69-115
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Easy VPN Remote
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN
Client private network from those on the enterprise network. The Easy VPN Client performs Port
Address Translation (PAT) for all VPN traffic for its inside hosts. IP address management is neither
required for the Easy VPN Client inside interface or the inside hosts.
NEM makes the inside interface and all inside hosts routable across the enterprise network over the
tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet (statically or via
DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode
does not require a VPN configuration for each client. The Cisco ASA 5505 configured for NEM mode
supports automatic tunnel initiation. The configuration must store the group name, user name, and
password. Automatic tunnel initiation is disabled if secure unit authentication is enabled.
The network and addresses on the private side of the Easy VPN Client are hidden, and cannot be accessed
directly.
Fields
Enable Easy VPN Remote—Enables the Easy VPN Remote feature and makes available the rest of
the fields on this dialog box for configuration.
Mode—Selects either Client mode or Network extension mode.
Client mode—Uses Port Address Translation (PAT) mode to isolate the addresses of the inside
hosts, relative to the client, from the enterprise network.
Network extension mode—Makes those addresses accessible from the enterprise network.
Note If the Easy VPN Remote is using NEM and has connections to secondary servers,
establish an ASDM connection to each headend and check Enable Reverse Route
Injection on the Configuration > VPN > IPsec > IPsec Rules > Tunnel Policy (Crypto
Map) - Advanced dialog box to configure dynamic announcements of the remote
network using RRI.
Auto connect—The Easy VPN Remote establishes automatic IPsec data tunnels unless both of
the following are true: Network extension mode is configured locally, and split-tunneling is
configured on the group policy pushed to the Easy VPN Remote. If both are true, checking this
attribute automates the establishment of IPsec data tunnels. Otherwise, this attribute has no
effect.
Group Settings—Specifies whether to use a pre-shared key or an X.509 certificate for user
authentication.
Pre-shared key—Enables the use of a pre-shared key for authentication and makes available the
subsequent Group Name, Group Password, and Confirm Password fields for specifying the
group policy name and password containing that key.
Group Name—Specifies the name of the group policy to use for authentication.
Group Password—Specifies the password to use with the specified group policy.
Confirm Password—Requires you to confirm the group password just entered.
X.509 Certificate—Specifies the use of an X.509 digital certificate, supplied by a Certificate
Authority, for authentication.
Select Trustpoint—Lets you select a trustpoint, which can be an IP address or a hostname, from
the drop-down list. To define a trustpoint, click the link to Trustpoint(s) configuration at the
bottom of this area.