Cisco Systems ASA 5580 Network Router User Manual
Cisco ASA 5500 Series Configuration Guide using ASDM

CHAPTER 68
Configuring IKE, Load Balancing, and NAC
IKE, which ASA commands and ASDM panes also refer to as ISAKMP (the framework protocol IKE is built on), is the negotiation protocol that lets two IPsec peers agree on how to build an IPsec security association. To configure the ASA for virtual private networks, you set global IKE parameters that apply system-wide, and you also create IKE policies that the peers negotiate to establish a VPN connection.
Load balancing distributes VPN traffic among two or more ASAs in a VPN cluster.
Network Access Control (NAC) protects the enterprise network from intrusion and infection from
worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as
a condition for production access to the network. We refer to these checks as posture validation.
This chapter describes how to configure IKE, load balancing, and NAC. It includes the following
sections:
Setting IKE Parameters, page 68-1
Creating IKE Policies, page 68-5
Configuring IPsec, page 68-11
Configuring Load Balancing, page 68-23
Setting Global NAC Parameters, page 68-29
Configuring Network Admission Control Policies, page 68-30
Setting IKE Parameters
This pane lets you set system-wide values for VPN connections. The following sections describe each of the options.
Enabling IKE on Interfaces
You must enable IKE for each interface that you want to use for VPN connections.
Enabling IPsec over NAT-T
NAT-T lets IPsec peers establish both remote access and LAN-to-LAN connections through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams on port 4500, which gives NAT devices the transport-layer port information they need; ESP by itself carries no ports, so a port-translating NAT cannot otherwise track it. The peers detect a NAT between them during IKE negotiation and encapsulate IPsec traffic only when one is present. Any firewall in the path must therefore allow UDP 4500 in addition to UDP 500 and ESP. This feature is disabled by default.
The ASA can simultaneously support standard IPsec, IPsec over TCP, NAT-T, and IPsec over UDP,
depending on the client with which it is exchanging data.
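The following Python block is an added example, not part of the Cisco guide, showing what NAT-T puts on the wire once it is negotiated: IKE and ESP share UDP port 4500, and a receiver tells them apart by the four-byte zero "non-ESP marker" that precedes IKE messages (RFC 3948), since a valid ESP SPI is never zero. The packets it parses are constructed samples; the function and constant names are the example's own, not ASA or ASDM identifiers.

```python
"""Demultiplex UDP/4500 (IPsec NAT-T) payloads as described in RFC 3948.

Added example, not code from the Cisco guide. Sample packets below are
constructed for the demonstration.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixed to IKE messages on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive, RFC 3948 section 2.3
IKE_HEADER_LEN = 28                    # fixed ISAKMP/IKE header, RFC 2408 / RFC 7296


def encapsulate_ike(ike_message: bytes) -> bytes:
    """Frame an IKE message for UDP/4500 by prepending the non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """ESP rides in UDP/4500 unchanged; the SPI is its first four bytes."""
    spi = struct.unpack("!I", esp_packet[:4])[0]
    if spi == 0:
        # SPI 0 is reserved; a zero SPI would be indistinguishable from the marker.
        raise ValueError("ESP SPI 0 is reserved and collides with the non-ESP marker")
    return esp_packet


def parse_ike_header(msg: bytes) -> dict:
    """Decode the 28-byte IKE fixed header (same layout in IKEv1 and IKEv2)."""
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("IKE message shorter than the fixed header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", msg[:IKE_HEADER_LEN])
    return {
        "initiator_spi": ispi,
        "responder_spi": rspi,
        "next_payload": next_payload,
        "version": (version >> 4, version & 0x0F),   # major, minor nibbles
        "exchange_type": exch,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def demux_udp4500(payload: bytes) -> dict:
    """Classify one UDP/4500 payload the way a NAT-T aware peer does."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        return {"kind": "ike", **parse_ike_header(payload[len(NON_ESP_MARKER):])}
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "sequence": seq,
            "ciphertext_len": len(payload) - 8}


# Constructed sample: an IKEv1 Main Mode header (exchange type 2, version 1.0)
# from an initiator that has not yet learned the responder's cookie.
SAMPLE_IKE = struct.pack("!QQBBBBII",
                         0x1122334455667788, 0, 1, 0x10, 2, 0, 0, IKE_HEADER_LEN)
# Constructed sample: an ESP packet with SPI 0xC0FFEE01, sequence 7 and 16
# bytes of (opaque) encrypted payload.
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16

if __name__ == "__main__":
    for pkt in (encapsulate_ike(SAMPLE_IKE), encapsulate_esp(SAMPLE_ESP), NAT_KEEPALIVE):
        print(demux_udp4500(pkt))
```

The NAT detection itself is not shown here: during IKE phase 1 each peer sends NAT-D payloads containing hashes of its own and the peer's address and port, and a mismatch reveals a translator in the path; only then does the traffic switch from UDP 500 and raw ESP to the UDP/4500 framing above.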