Cisco Systems ASA 5510 Network Router User Manual

6-9
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 6 VPN Wizards
AnyConnect VPN Wizard
Fields
IKE version 1
IKE Policy—Specify IKEv1 authentication methods.
IPsec Proposal—Specify IPsec encryption algorithms.
IKE version 2
IKE Policy—Specify IKEv2 authentication methods.
IPsec Proposal—Specify IPsec encryption algorithms.
Miscellaneous
You can enable or disable Perfect Forward Secrecy (PFS). PFS ensures that the key for a given IPsec SA
was not derived from any other secret, so a key cannot be recovered by deriving it from other keys.
Fields
Enable inbound IPsec sessions to bypass interface access lists—Enable IPsec authenticated inbound
sessions to always be permitted through the security appliance (that is, without a check of the
interface access-list statements). Be aware that the inbound sessions bypass only the interface ACLs.
Configured group-policy, user, and downloaded ACLs still apply.
Enable Perfect Forward Secrecy (PFS)—Ensures the key for a given IPsec SA was not derived from
any other secret.
Diffie-Hellman Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use
to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit
Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
Exempt ASA side host/network from address translation—Use the drop-down to choose a host or
network to be excluded from address translation.
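The Miscellaneous fields above correspond to ASA CLI commands in the running configuration. The following is an added example, not text from the Cisco guide; the interface, object, proposal and crypto map names and the algorithm choices are assumed, and the identity-NAT statement is one way to express the address-translation exemption.

```cisco
! Added example (not from the Cisco guide). Names and algorithm values are assumed.
!
! "Enable inbound IPsec sessions to bypass interface access lists":
! IPsec-authenticated inbound traffic skips the interface ACL only;
! group-policy, user and downloaded (vpn-filter) ACLs are still enforced.
sysopt connection permit-vpn
!
! IKE Policy page (IKEv2) and IPsec Proposal page, assumed values
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! "Enable Perfect Forward Secrecy (PFS)" plus "Diffie-Hellman Group":
! the wizard default is group2 (1024-bit); the guide names group5 (1536-bit)
! as the stronger choice. Dynamic map name is assumed.
crypto dynamic-map RA_DYN_MAP 65535 set pfs group5
crypto dynamic-map RA_DYN_MAP 65535 set ikev2 ipsec-proposal AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic RA_DYN_MAP
crypto map outside_map interface outside
!
! "Exempt ASA side host/network from address translation" (assumed names
! and addresses): identity NAT between the inside network and the VPN pool.
object network inside-net
 subnet 192.168.10.0 255.255.255.0
object network vpn-pool
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static vpn-pool vpn-pool no-proxy-arp route-lookup
!
! Verification after running the wizard
show running-config sysopt
show running-config crypto dynamic-map | include pfs
show running-config nat
```

Check the verification output for `sysopt connection permit-vpn` and `set pfs group5`; if the PFS line is absent or shows `group2`, the wizard left the weaker default in place.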
Summary
Provides a summary of your selections from the previous wizard windows. The supported VPN protocols
are included in the summary as well as the IKE version chosen on the VPN Connection Type window.
AnyConnect VPN Wizard
Use this wizard to configure ASA to accept VPN connections from the AnyConnect VPN client. This
wizard configures either IPsec (IKEv2) or SSL VPN protocols for full network access. The ASA
automatically uploads the AnyConnect VPN client to the end user’s device when a VPN connection is
established.
Warn the user that running the wizard does not mean the IKEv2 profile automatically applies in
predeployment scenarios. Either provide a pointer or the steps necessary to successfully predeploy
IKEv2.