Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
69-14
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Add AAA Server Group
Name—Specifies the name of this group policy. For the Edit function, this field is read-only.
Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only
the selected protocols. The choices are as follows:
Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to
establish a secure remote-access tunnel to a ASA; requires neither a software nor hardware
client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources,
including corporate websites, web-enabled applications, NT/AD file share (web-enabled),
e-mail, and other TCP-based applications from almost any computer that can reach HTTPS
Internet sites.
SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL
VPN client.
IPsec—IP Security Protocol. Regarded as the most secure protocol, IPsec provides the most
complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and
client-to-LAN connections can use IPsec.
L2TP/IPsec—Allows remote users with VPN clients provided with several common PC
and mobile PC operating systems to establish secure connections over the public IP network
to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701)
to tunnel the data. The security appliance must be configured for IPsec transport mode.
Note If you do not select a protocol, an error message appears.
Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to
inherit the value from the group policy. Filters consist of rules that determine whether to allow or
reject tunneled data packets coming through the ASA, based on criteria such as source address,
destination address, and protocol. To configure filters and rules, see the Group Policy dialog box.
Manage—Displays the ACL Manager dialog box, with which you can add, edit, and delete Access
Control Lists (ACLs) and Extended Access Control Lists (ACEs). For more information about the
ACL Manager, see the online Help for that dialog box.
Add AAA Server Group
The Add AAA Server Groups dialog box lets you configure a new AAA server group. It is accessed
fromAAA/Local Users > AAA Server Groups on the Remote Access VPN tab. The Accounting Mode
attribute applies only to RADIUS and TACACS+ protocols.
Fields
Server Group—Specifies the name of the server group.
Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.
Accounting Mode—Indicates whether to use simultaneous or single accounting mode. In single
mode, the ASA sends accounting data to only one server. In simultaneous mode, the ASA sends
accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS
and TACACS+ protocols.
Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or
Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the
servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds
of down time.