12-11
ASDM User Guide
OL-12180-01
Chapter 12 Configuring AAA Servers and User Accounts
Configuring the Local Database
L2TP over IPSec—Allows remote users with the VPN clients that ship with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks.
Note If no protocol is selected, an error message appears.
• Filter—Specifies what filter to use, or whether to inherit the value from the group policy. Filters
consist of rules that determine whether to allow or reject tunneled data packets coming through the
security appliance, based on criteria such as source address, destination address, and protocol. To
configure filters and rules, see the Configuration > VPN > VPN General > Group Policy pane.
• Manage—Displays the ACL Manager pane, on which you can add, edit, and delete Access Control Lists (ACLs) and the Access Control Entries (ACEs) they contain.
• Tunnel Group Lock—Specifies whether to inherit the tunnel group lock or to use the selected tunnel
group lock, if any. Selecting a specific lock restricts users to remote access through this group only.
Tunnel Group Lock restricts users by checking if the group configured in the VPN client is the same
as the user’s assigned group. If it is not, the security appliance prevents the user from connecting. If
the Inherit check box is not selected, the default value is --None--.
• Store Password on Client System—Specifies whether to inherit this setting from the group. Deselecting the Inherit check box activates the Yes and No radio buttons. Selecting Yes stores the login password on the client system (potentially a less-secure option). Selecting No (the default) requires the user to enter the password with each connection. For maximum security, we recommend that you do not allow password storage. This parameter has no bearing on interactive hardware client authentication or individual user authentication for a VPN 3002.
• Connection Settings—Specifies the connection settings parameters.
– Access Hours—If the Inherit check box is not selected, you can select the name of an existing access hours policy, if any, applied to this user or create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.
– New—Opens the Add Time Range dialog box, on which you can specify a new set of access hours.
– Simultaneous Logins—If the Inherit check box is not selected, this parameter specifies the maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.
Note While there is no maximum limit, allowing several simultaneous connections could compromise security and affect performance.
– Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 2147483647 minutes (over 4000 years). To allow unlimited connection time, select the Unlimited check box (the default).
– Idle Timeout—If the Inherit check box is not selected, this parameter specifies this user’s idle timeout period in minutes. If there is no communication activity on the user’s connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. This value does not apply to users of clientless SSL VPN connections.
• Dedicated IP Address (Optional)—
– IP Address box—Specifies the optional Dedicated IP address.
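As an added example (not from the ASDM guide or from Cisco), the following Python script audits the per-user limits described above against an exported configuration. It assumes the ASA CLI attribute names `vpn-simultaneous-logins`, `vpn-idle-timeout`, `vpn-session-timeout`, `password-storage` and `group-lock` are the equivalents of the ASDM fields, and works on a constructed running-config excerpt; it flags users who exceed the default of 3 simultaneous logins, store the password on the client, allow unlimited connect time, have an idle timeout outside 1 to 10080 minutes, or have no tunnel group lock.

```python
import re

# Constructed sample of "username <name> attributes" blocks. The attribute
# keywords are assumed CLI equivalents of the ASDM fields, not taken from the guide.
SAMPLE_CONFIG = """\
username alice attributes
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout 480
 password-storage disable
 group-lock value sales-vpn
username bob attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
 group-lock none
"""

def parse_user_attributes(config):
    """Return {username: {attribute: value}} for each 'username X attributes' block."""
    users, current = {}, None
    for line in config.splitlines():
        m = re.match(r"username (\S+) attributes$", line)
        if m:
            current = users.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return users

def audit_user(name, attrs):
    """Flag explicit per-user values that weaken the limits described on this page."""
    findings = []
    logins = attrs.get("vpn-simultaneous-logins")
    if logins is not None and logins.isdigit() and int(logins) > 3:
        findings.append(f"{name}: {logins} simultaneous logins (guide default is 3)")
    if attrs.get("password-storage") == "enable":
        findings.append(f"{name}: login password stored on client system")
    if attrs.get("vpn-session-timeout") == "none":
        findings.append(f"{name}: unlimited maximum connect time")
    idle = attrs.get("vpn-idle-timeout")
    if idle == "none" or (idle is not None and not (idle.isdigit() and 1 <= int(idle) <= 10080)):
        findings.append(f"{name}: idle timeout {idle} is not within 1-10080 minutes")
    if attrs.get("group-lock") == "none":
        findings.append(f"{name}: no tunnel group lock")
    return findings

def audit_config(config):
    """Audit every user in the configuration and return all findings."""
    return [f for n, a in parse_user_attributes(config).items() for f in audit_user(n, a)]
```

An attribute that is absent from a user's block is inherited from the group policy rather than set per user, so the script flags only explicit values; audit the group policy separately for the inherited defaults.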