Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
6-6
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 6 VPN Wizards
IPsec IKEv1 Remote Access Wizard
The default, 3DES, is more secure than DES but requires more processing for encryption and
decryption. Similarly, the AES options provide increased security but also require increased
processing.
Authentication—Choose the hash algorithm used for authentication and ensuring data integrity. The
default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There
has been a demonstrated successful (but extremely difficult) attack against MD5. However, the
Keyed-Hash Message Authentication Code (HMAC) version used by the ASA prevents this attack.
Diffie-Hellman Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use
to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit
Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Note The default value for the VPN 3000 Series Concentrator is MD5. A connection between the ASA and
the VPN Concentrator requires that the authentication method for Phase I and II IKE negotiations be the
same on both sides of the connection.
IPsec Settings (Optional)
Use the IPsec Settings (Optional) pane to identify local hosts/networks which do not require address
translation. By default, the ASA hides the real IP addresses of internal hosts and networks from outside
hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by
untrusted outside hosts but may be improper for those who have been authenticated and protected by
VPN.
For example, an inside host using dynamic NAT has its IP address translated by matching it to a
randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN
clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these
hosts, unless you configure a NAT exemption rule.
Note If you want all hosts and networks to be exempt from NAT, configure nothing on this pane. If you have
even one entry, all other hosts and networks are subject to NAT.
Fields
Interface—Choose the name of the interface that connects to the hosts or networks you have
selected.
Exempt Networks—Select the IP address of the host or network that you want to exempt from the
chosen interface network.
Enable split tunneling—Select to have traffic from remote access clients destined for the public
Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted,
while traffic to unprotected networks is unencrypted. When you enable split tunneling, the ASA
pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client
encrypts traffic to the IP addresses that are behind the ASA. All other traffic travels unencrypted
directly to the Internet without involving the ASA.
Enable Perfect Forwarding Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the
size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each
new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys
unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.