Cisco ASDM User Guide
OL-16647-01
Chapter 14 Configuring AAA Servers and the Local Database
Adding a User Account
IPSec—IP Security Protocol. IPSec provides the most complete architecture for VPN tunnels,
and it is perceived as the most secure protocol. Both LAN-to-LAN (peer-to-peer) connections
and client-to-LAN connections can use IPSec.
Clientless SSL VPN—VPN via SSL/TLS. Uses a web browser to establish a secure
remote-access tunnel to a VPN Concentrator; requires neither a software nor hardware client.
Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including
corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and
other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
SSL VPN Client—Lets users connect after downloading the Cisco AnyConnect Client
application. Users use a clientless SSL VPN connection to download this application the first
time. Client updates then occur automatically as needed whenever the user connects.
L2TP over IPSec—Allows remote users who have the VPN clients bundled with several common PC
and mobile PC operating systems to establish secure connections over the public IP network to
the security appliance and the private corporate networks behind it.
Note If no protocol is selected, an error message appears.
Filter—Specifies what filter to use, or whether to inherit the value from the group policy. Filters
consist of rules that determine whether to allow or reject tunneled data packets coming through the
security appliance, based on criteria such as source address, destination address, and protocol. To
configure filters and rules, see the Configuration > VPN > VPN General > Group Policy pane.
Manage—Displays the ACL Manager pane, on which you can add, edit, and delete access control
lists (ACLs) and the access control entries (ACEs) that make them up.
Tunnel Group Lock—Specifies whether to inherit the tunnel group lock or to use the selected tunnel
group lock, if any. Selecting a specific lock restricts users to remote access through this group only.
Tunnel Group Lock restricts users by checking if the group configured in the VPN client is the same
as the user’s assigned group. If it is not, the security appliance prevents the user from connecting. If
the Inherit check box is not selected, the default value is --None--.
Store Password on Client System—Specifies whether to inherit this setting from the group.
Deselecting the Inherit check box activates the Yes and No radio buttons. Selecting Yes stores the
login password on the client system (a less secure option, because anyone with access to the client
can then connect as that user). Selecting No (the default) requires the user to enter the password
with each connection. For maximum security, we recommend that you not allow password storage.
This parameter has no bearing on interactive hardware client authentication or individual user
authentication for a VPN 3002.
Step 3 To change Connection Settings, uncheck Inherit, and fill in a new value:
Access Hours—If the Inherit check box is not selected, you can select the name of an existing access
hours policy, if any, applied to this user or create a new access hours policy. The default value is
Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.
New—Opens the Add Time Range dialog box, on which you can specify a new set of access hours.
Simultaneous Logins—If the Inherit check box is not selected, this parameter specifies the
maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum
value is 0, which disables login and prevents user access.
Note While there is no maximum limit, allowing several simultaneous connections could
compromise security and affect performance.
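The settings chosen in the Add User Account panes above are written to the security appliance as username attributes, and they can be reviewed or set directly from the CLI. The following fragment is an added example and is not taken from this guide; it assumes the ASA 8.0/8.1 command syntax of the release this ASDM version manages, and the user name jdoe, the tunnel group RA-IPSEC, the ACL VPN-FILTER-JDOE, and the time range BUSINESS-HOURS are invented for illustration. It applies the restrictive values recommended in the text and shows the weaker alternatives as commented-out lines so the two can be compared side by side.

```cisco
! --- Supporting objects (names are illustrative) ---
! Access hours: weekdays only, 08:00 to 18:00 appliance local time
time-range BUSINESS-HOURS
 periodic weekdays 08:00 to 18:00
!
! VPN filter: the user may reach only the internal web tier on 443;
! the explicit deny at the end documents the intent (the implicit deny does the same)
access-list VPN-FILTER-JDOE extended permit tcp any 10.10.20.0 255.255.255.0 eq 443
access-list VPN-FILTER-JDOE extended deny ip any any
!
! --- The user account and its VPN attributes ---
username jdoe password <hashed-password> privilege 0
username jdoe attributes
 ! Step 2: only the protocols this user actually needs (here the AnyConnect client
 ! plus clientless WebVPN for the initial download); leaving all unchecked is an error
 vpn-tunnel-protocol svc webvpn
 ! Filter tunneled traffic with the ACL above instead of inheriting the group filter
 vpn-filter value VPN-FILTER-JDOE
 ! Tunnel group lock: jdoe may only connect through RA-IPSEC
 group-lock value RA-IPSEC
 ! Recommended: do not let the client cache the password
 password-storage disable
 ! Weaker alternative, shown for comparison:
 ! password-storage enable
 ! Step 3: connection settings
 vpn-access-hours value BUSINESS-HOURS
 ! One session at a time; 0 would disable login entirely
 vpn-simultaneous-logins 1
 ! Weaker alternative (the default when not inherited):
 ! vpn-simultaneous-logins 3
!
! Verify what the appliance stored for this user:
! show running-config username jdoe
```

Each `value` keyword corresponds to an unchecked Inherit box in ASDM; replacing it with `none` (for example `vpn-filter none`) is the CLI form of an explicit --None-- selection rather than inheritance from the group policy. The tunnel-group lock only takes effect for clients that present a group name, so combine it with a tunnel group that is itself restricted to the intended users.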