Cisco Systems ASA 5580 Network Router User Manual

38-25
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 38 Configuring AAA Servers and the Local Database
Configuring AAA
VPN via SSL/TLS (Clientless SSL VPN) uses a web browser to establish a secure remote-access tunnel to a VPN Concentrator; it requires neither a software nor a hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file shares (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
The SSL VPN Client lets users connect after downloading the Cisco AnyConnect Client application. Users use a clientless SSL VPN connection to download this application the first time. Client updates then occur automatically as needed whenever the user connects.
L2TP over IPsec allows remote users with the VPN clients bundled with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the ASA and private corporate networks.
Note If no protocol is selected, an error message appears.
c. Specify which filter (IPv4 or IPv6) to use, or whether to inherit the value from the group policy.
Filters consist of rules that determine whether to allow or reject tunneled data packets coming
through the ASA, based on criteria such as source address, destination address, and protocol. To
configure filters and rules, choose Configuration > VPN > VPN General > Group Policy.
d. Click Manage to display the ACL Manager pane, on which you can add, edit, and delete ACLs and
ACEs.
e. Specify whether to inherit the tunnel group lock or to use the selected tunnel group lock, if any. Selecting a specific lock restricts users to remote access through this group only. Tunnel Group Lock restricts users by checking whether the group configured in the VPN client is the same as the user's assigned group. If it is not, the ASA prevents the user from connecting. If the Inherit check box is not checked, the default value is None.
f. Specify whether to inherit the Store Password on Client System setting from the group. Uncheck the
Inherit check box to activate the Yes and No radio buttons. Click Yes to store the login password
on the client system (potentially a less-secure option). Click No (the default) to require the user to
enter the password with each connection. For maximum security, we recommend that you not allow
password storage. This parameter has no effect on interactive hardware client authentication or
individual user authentication for a VPN 3002.
Step 3 To change Connection Settings, uncheck the Inherit check box, and enter a new value:
a. If the Inherit check box is not checked, you can select the name of an existing access hours policy,
if any, to apply to this user or create a new access hours policy. The default value is Inherit, or, if the
Inherit check box is not checked, the default value is Unrestricted.
b. Click New to open the Add Time Range dialog box, in which you can specify a new set of access
hours.
c. If the Inherit check box is not checked, the Simultaneous Logins parameter specifies the maximum
number of simultaneous logins allowed for this user. The default value is 3. The minimum value is
0, which disables login and prevents user access.
Note While there is no maximum limit, allowing several simultaneous connections could
compromise security and affect performance.
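The per-user settings walked through above (stored client passwords, tunnel group lock, simultaneous logins, where 0 disables the account) are also what an administrator audits after the fact. The script below is an added example, not part of the guide or Cisco's tooling: it parses a constructed `username X attributes` excerpt of an ASA running-config and flags the settings this section calls out as security-relevant. The CLI keyword spellings (`vpn-simultaneous-logins`, `password-storage`, `group-lock`) are assumed from the ASA CLI, since the page shows only the ASDM panes.

```python
import re

# Constructed sample running-config excerpt (not taken from the guide).
SAMPLE_CONFIG = """\
group-policy Sales attributes
 vpn-simultaneous-logins 3
 password-storage disable
username alice attributes
 vpn-simultaneous-logins 10
 password-storage enable
 group-lock value SalesTG
username bob attributes
 vpn-simultaneous-logins 0
username carol attributes
 vpn-tunnel-protocol ssl-clientless
"""


def parse_attribute_blocks(config):
    """Return {username: {attribute: value}} for each 'username X attributes' block."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^username (\S+) attributes$", line)
        if m:
            current = blocks.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            # Indented line belongs to the open username block: "key value".
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            # Any other top-level line (e.g. a group-policy block) closes the block.
            current = None
    return blocks


def audit_users(config, max_logins=3):
    """Flag the per-user settings this section marks as risky or as disabling access.

    max_logins defaults to 3, the guide's default for Simultaneous Logins.
    """
    findings = []
    for user, attrs in parse_attribute_blocks(config).items():
        if attrs.get("password-storage") == "enable":
            findings.append((user, "password stored on client system"))
        logins = attrs.get("vpn-simultaneous-logins")
        if logins is not None:
            n = int(logins)
            if n == 0:
                findings.append((user, "login disabled (simultaneous logins 0)"))
            elif n > max_logins:
                findings.append((user, f"{n} simultaneous logins exceeds {max_logins}"))
    return findings
```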