Cisco Systems OL-16647-01 Network Router User Manual


35-22
Cisco ASDM User Guide
OL-16647-01
Chapter 35 General
ACL Manager
Add/Edit Internal Group Policy > Servers
The Servers item of the Add or Edit Group Policy window lets you specify DNS and WINS servers, as well as
the DHCP scope and default domain.
Add/Edit Internal Group Policy > IPSec Client
The Add or Edit Group Policy > IPSec dialog box lets you specify tunneling protocols, filters,
connection settings, and servers for the group policy being added or modified.
Fields
Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs,
unless the Inherit check box is selected. The user has 30 seconds to enter credentials, and up to three
attempts before the SA expires at approximately two minutes and the tunnel terminates.
Enable extended reauth-on-rekey to allow entry of authentication credentials until SA
expiry—Allow users the time to reenter authentication credentials until the maximum lifetime of the
configured SA.
IP Compression—Enables or disables IP Compression, unless the Inherit check box is selected.
Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit
check box is selected. PFS ensures that the key for a given IPSec SA was not derived from any other
secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the
attacker would not be able to derive any other key. If PFS were not enabled, someone could
hypothetically break the IKE SA secret key, copy all the IPSec protected data, and then use
knowledge of the IKE SA secret to compromise the IPSec SAs set up by this IKE SA. With PFS,
breaking IKE would not give an attacker immediate access to IPSec. The attacker would have to
break each IPSec SA individually.
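The following toy model, added here and not part of the Cisco guide, shows what the PFS setting changes in the key derivation described above: without PFS, the IPsec SA keys are a function of the IKE SA secret and values sent in the clear; with PFS, a fresh Diffie-Hellman exchange per IPsec SA adds a secret that the IKE SA secret does not reveal. The group constants, the HMAC-SHA256 PRF and the simplified transcript layout are assumptions for illustration, not a wire-accurate IKE implementation.

```python
import hmac
import hashlib
import secrets

# 1024-bit MODP modulus intended to match RFC 2409 group 2, generator 2 (assumed
# constants for this illustration; any large group shows the same property).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key: bytes, data: bytes) -> bytes:
    """IKE-style PRF; HMAC-SHA256 stands in for the negotiated hash (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def ipsec_keymat(ike_secret: bytes, transcript: dict, dh_shared: bytes = b"") -> bytes:
    """Keying material for one IPsec SA.
    Without PFS: prf(SKEYID_d, proto | SPI | Ni | Nr).
    With PFS:    prf(SKEYID_d, g^xy | proto | SPI | Ni | Nr), with g^xy fresh per SA."""
    public = transcript["proto"] + transcript["spi"] + transcript["ni"] + transcript["nr"]
    return prf(ike_secret, dh_shared + public)

def negotiate_ipsec_sa(ike_secret: bytes, pfs: bool):
    """Return (keymat, transcript); the transcript holds only what crosses the wire."""
    transcript = {"proto": b"\x03", "spi": secrets.token_bytes(4),
                  "ni": secrets.token_bytes(16), "nr": secrets.token_bytes(16)}
    dh_shared = b""
    if pfs:
        x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
        transcript["gx"], transcript["gy"] = pow(G, x, P), pow(G, y, P)  # public values
        dh_shared = pow(transcript["gy"], x, P).to_bytes(128, "big")  # never sent
    return ipsec_keymat(ike_secret, transcript, dh_shared), transcript

def keymat_recoverable_from_ike_secret(ike_secret: bytes, transcript: dict, real_keymat: bytes) -> bool:
    """The guide's scenario: the IKE SA secret is later compromised and the recorded
    wire transcript is available. Without PFS the IPsec keys follow directly; with
    PFS the per-SA g^xy is still missing (only g^x and g^y were ever recorded)."""
    return ipsec_keymat(ike_secret, transcript) == real_keymat

def demo():
    skeyid_d = secrets.token_bytes(32)  # stands for the IKE SA secret
    km, tr = negotiate_ipsec_sa(skeyid_d, pfs=False)
    km_pfs, tr_pfs = negotiate_ipsec_sa(skeyid_d, pfs=True)
    return (keymat_recoverable_from_ike_secret(skeyid_d, tr, km),
            keymat_recoverable_from_ike_secret(skeyid_d, tr_pfs, km_pfs))
```

`demo()` returns `(True, False)`: the IKE SA secret alone reproduces the non-PFS keys but not the PFS keys, which is why each PFS-protected IPsec SA has to be broken individually.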
Store Password on Client System—Enables or disables storing the password on the client system.
Note Storing the password on a client system can constitute a potential security risk.
IPSec over UDP—Enables or disables using IPSec over UDP.
IPSec over UDP Port—Specifies the UDP port to use for IPSec over UDP.
Tunnel Group Lock—Enables locking the tunnel group you select from the list, unless the Inherit
check box or the value None is selected.
IPSec Backup Servers—Activates the Server Configuration and Server IP Addresses fields, so you
can specify the UDP backup servers to use if these values are not inherited.
Server Configuration—Lists the server configuration options to use as an IPSec backup server.
The available options are: Keep Client Configuration (the default), Use the Backup Servers
Below, and Clear Client Configuration.
Firewall Mode / Security Context support table: Routed, Transparent; Single, Multiple (Context, System).
——