Table Of Contents
General
Client Software
Edit Client Update Entry
Default Tunnel Gateway
Group Policies
Add/Edit External Group Policy
Add AAA Server Group
Adding or Editing a Remote Access Internal Group Policy, General Attributes
Configuring the Portal for a Group Policy
Configuring Customization for a Group Policy
Adding or Editing a Site-to-Site Internal Group Policy
Browse Time Range
Add/Edit Time Range
Add/Edit Recurring Time Range
ACL Manager
Standard ACL
Extended ACL
Add/Edit/Paste ACE
Browse Source/Destination Address
Browse Source/Destination Port
Add TCP Service Group
Browse ICMP
Add ICMP Group
Browse Other
Add Protocol Group
Add/Edit Internal Group Policy > Servers
Add/Edit Internal Group Policy > IPSec Client
Client Access Rules
Add/Edit Client Access Rule
Add/Edit Internal Group Policy > Client Configuration Tab
Add/Edit Internal Group Policy > Client Configuration Tab > General Client Parameters Tab
View/Config Banner
Add/Edit Internal Group Policy > Client Configuration Tab > Cisco Client Parameters Tab
Add or Edit Internal Group Policy > Advanced > IE Browser Proxy
Add/Edit Standard Access List Rule
Add/Edit Internal Group Policy > Client Firewall Tab
Add/Edit Internal Group Policy > Hardware Client Tab
Add/Edit Server and URL List
Add/Edit Server or URL
Configuring SSL VPN Connections
Setting the Basic Attributes for an SSL VPN Connection
Setting Advanced Attributes for an IPSec or SSL VPN Connection
Setting General Attributes for an IPSec or SSL VPN Connection
Configuring SSL VPN Client Connections
ACLs
Configuring Clientless SSL VPN Connections
Add or Edit Clientless SSL VPN Connections
Add or Edit Clientless SSL VPN Connections > Basic
Add or Edit Clientless SSL VPN Connections > Advanced
Add or Edit Clientless SSL VPN Connections > Advanced > General
Add or Edit Clientless SSL VPN Connection Profile or IPSec Connection Profiles> Advanced > Authentication
Assign Authentication Server Group to Interface
Add or Edit SSL VPN Connections > Advanced > Authorization
Assign Authorization Server Group to Interface
Add or Edit SSL VPN Connections > Advanced > SSL VPN
Add or Edit Clientless SSL VPN Connections > Advanced > SSL VPN
Add or Edit Clientless SSL VPN Connections > Advanced > Name Servers
Configure DNS Server Groups
Add or Edit Clientless SSL VPN Connections > Advanced > Clientless SSL VPN
IPSec Remote Access Connection Profiles
Add or Edit an IPSec Remote Access Connection Profile
Add or Edit IPSec Remote Access Connection Profile Basic
Mapping Certificates to IPSec or SSL VPN Connection Profiles
Configure Site-to-Site Tunnel Groups
Add/Edit Site-to-Site Connection
Adding or Editing a Site-to-Site Tunnel Group
Crypto Map Entry
Crypto Map Entry for Static Peer Address
Managing CA Certificates
Install Certificate
Configure Options for CA Certificate
Revocation Check Tab
Add/Edit Remote Access Connections > Advanced > General
Configuring Client Addressing
Add/Edit Tunnel Group > General Tab > Authentication
Add/Edit SSL VPN Connection > General > Authorization
Add/Edit SSL VPN Connections > Advanced > Accounting
Add/Edit Tunnel Group > General > Client Address Assignment
Add/Edit Tunnel Group > General > Advanced
Add/Edit Tunnel Group > IPSec for Remote Access > IPSec
Add/Edit Tunnel Group for Site-to-Site VPN
Add/Edit Tunnel Group > PPP
Add/Edit Tunnel Group > IPSec for LAN to LAN Access > General > Basic
Add/Edit Tunnel Group > IPSec for LAN to LAN Access > IPSec
Add/Edit Tunnel Group > Clientless SSL VPN Access > General > Basic
Add/Edit Tunnel Group > Clientless SSL VPN > Basic
Configuring Internal Group Policy IPSec Client Attributes
Configuring Client Addressing for SSL VPN Connections
Assign Address Pools to Interface
Select Address Pools
Add or Edit an IP Address Pool
Authenticating SSL VPN Connections
System Options
Configuring SSL VPN Connections, Advanced
Configuring Split Tunneling
Zone Labs Integrity Server
Easy VPN Remote
Advanced Easy VPN Properties
General
A virtual private network is a network of virtual circuits that carry private traffic over a public network such as the Internet. VPNs can connect two or more LANs, or remote users to a LAN. VPNs provide privacy and security by requiring all users to authenticate and by encrypting all data traffic.
Client Software
The Client Software pane lets administrators at a central location do the following actions:
• Enable client update; specify the types and revision numbers of clients to which the update applies.
• Provide a URL or IP address from which to get the update.
• In the case of Windows clients, optionally notify users that they should update their VPN client version.
Note
The Client Update function at Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Upload Software > Client Software applies only to the IPSec VPN client (for Windows, MAC OS X, and Linux) and to the VPN 3002 hardware client. It does not apply to the Cisco AnyConnect VPN client, which the security appliance updates automatically when it connects.
For the IPSec VPN client, you can provide a mechanism for users to accomplish that update. For VPN 3002 hardware client users, the update occurs automatically, with no notification. You can apply client updates only to the IPSec remote-access tunnel-group type.
Note
If you try to do a client update to an IPSec Site-to-Site IPSec connection or a Clientless VPN IPSec connection, you do not receive an error message, but no update notification or client update goes to those types of IPSec connections.
To enable client update globally for all clients of a particular client type, use this window. You can also notify all Windows, MAC OS X, and Linux clients that an upgrade is needed and initiate an upgrade on all VPN 3002 hardware clients from this window. To configure the client revisions to which the update applies and the URL or IP address from which to download the update, click Edit.
To configure client update revisions and software update sources for a specific tunnel group, see Configuration > Remote Access VPN > Network (Client) Access > IPSec > Add/Edit > Advanced > IPSec > Client Software Update.
Fields
• Enable Client Update—Enables or disables client update, both globally and for specific tunnel groups. You must enable client update before you can send a client update notification to Windows, MAC OS X, and Linux VPN clients, or initiate an automatic update to hardware clients.
• Client Type—Lists the clients to upgrade: software or hardware, and for Windows software clients, all Windows or a subset. If you click All Windows Based, do not specify Windows 95, 98 or ME and Windows NT, 2000 or XP individually. The hardware client gets updated with a release of the ASA 5505 software or of the VPN 3002 hardware client.
• VPN Client Revisions—Contains a comma-separated list of software image revisions appropriate for this client. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client, and, for Windows-based clients, the user does not receive an update notification. The following caveats apply:
– The revision list must include the software version for this update.
– Your entries must match exactly those on the URL for the VPN client, or the TFTP server for the hardware client.
– The TFTP server for distributing the hardware client image must be a robust TFTP server.
– A VPN client user must download an appropriate software version from the listed URL.
– The VPN 3002 hardware client software is automatically updated via TFTP, with no notification to the user.
• Image URL—Contains the URL or IP address from which to download the software image. This URL must point to a file appropriate for this client. For Windows, MAC OS X, and Linux-based clients, the URL must be in the form http:// or https://. For hardware clients, the URL must be in the form tftp://.
– For Windows, MAC OS X, and Linux-based VPN clients: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:
http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe
The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.
– For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:
tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin
• Edit—Opens the Edit Client Update Entry dialog box, which lets you configure or change client update parameters. See Edit Client Update Entry.
• Live Client Update—Sends an upgrade notification message to all currently connected VPN clients or selected tunnel group(s).
– Tunnel Group—Selects all or specific tunnel group(s) for updating.
– Update Now—Immediately sends an upgrade notification containing a URL specifying where to retrieve the updated software to the currently connected VPN clients in the selected tunnel group or all connected tunnel groups. The message includes the location from which to download the new version of software. The administrator for that VPN client can then retrieve the new software version and update the VPN client software.
For VPN 3002 hardware clients, the upgrade proceeds automatically, with no notification.
You must check Enable Client Update in the window for the upgrade to work. Clients that are not connected receive the upgrade notification or automatically upgrade the next time they log on.
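The revision-matching and Image URL rules described above, as an added example that is not ASDM or ASA code: a small Python model that decides, for one connected client, whether an update notification or automatic update is due, and checks that the configured Image URL uses the scheme the client type requires. The client-type labels, the function names, and the result strings are assumptions made for the example.

```python
"""Added example: client-update decision rules from the Client Software pane.

Not ASA/ASDM code. It models what the page states:
  * VPN Client Revisions is a comma-separated list; a client whose reported
    revision exactly matches an entry is current and is not notified.
  * Image URL must be http:// or https:// for Windows, MAC OS X and Linux
    software clients and tftp:// for hardware clients; the port is optional
    (80 for HTTP, 443 for HTTPS) and so is the directory.
  * Nothing is sent unless Enable Client Update is checked.
The client-type labels and function names are assumptions.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

SOFTWARE_CLIENTS = {"windows", "mac", "linux"}   # assumed labels for software client types
HARDWARE_CLIENTS = {"vpn3002", "asa5505"}        # assumed labels for hardware client types


def parse_revisions(revision_list: str) -> List[str]:
    """Split the comma-separated VPN Client Revisions field, dropping blank entries."""
    return [r.strip() for r in revision_list.split(",") if r.strip()]


def needs_update(client_revision: str, revision_list: str) -> bool:
    """True when the client's reported revision is not on the configured list.
    The comparison is exact: the page requires entries to match the image names."""
    return client_revision.strip() not in parse_revisions(revision_list)


def validate_image_url(url: str, client_type: str) -> Tuple[bool, str]:
    """Check the Image URL against the client type; return (ok, detail)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not parts.hostname:
        return False, "URL has no server address"
    if not parts.path or parts.path.endswith("/"):
        return False, "URL must end in a filename"
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "port is not a number"
    if client_type in SOFTWARE_CLIENTS:
        if scheme not in ("http", "https"):
            return False, "software clients require http:// or https://"
        port = port or (80 if scheme == "http" else 443)   # default ports per the page
        return True, f"{scheme} update from {parts.hostname}:{port}"
    if client_type in HARDWARE_CLIENTS:
        if scheme != "tftp":
            return False, "hardware clients require tftp://"
        return True, f"tftp update from {parts.hostname}"
    return False, f"unknown client type {client_type!r}"


def client_update_action(enabled: bool, client_type: str, client_revision: str,
                         revision_list: str, image_url: str) -> str:
    """What happens for one connected client (result labels are assumptions):
    'disabled'          Enable Client Update is unchecked, nothing is sent
    'current'           revision matches the list, no notification
    'notify'            software client: notification carrying the image URL
    'auto-update'       hardware client: updates itself from the TFTP URL
    'invalid-url: ...'  the configured Image URL cannot serve this client type"""
    if not enabled:
        return "disabled"
    if not needs_update(client_revision, revision_list):
        return "current"
    ok, detail = validate_image_url(image_url, client_type)
    if not ok:
        return f"invalid-url: {detail}"
    return "auto-update" if client_type in HARDWARE_CLIENTS else "notify"


if __name__ == "__main__":
    # Constructed sample input; the URLs are the ones shown on the page.
    print(client_update_action(True, "windows", "4.0.5", "4.6.Rel-k9, 4.7.00.0510",
                               "http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe"))
    print(client_update_action(True, "vpn3002", "4.1.Rel-k9", "4.1.Rel-k9",
                               "tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin"))
```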
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Edit Client Update Entry
The Edit Client Update dialog box lets you change information about VPN client revisions and URLs for the indicated client types. The clients must be running one of the revisions specified for the indicated client type. If not, the clients are notified that an upgrade is required.
Fields
• Client Type—(Display-only) Displays the client type selected for editing.
• VPN Client Revisions—Lets you type a comma-separated list of software or firmware images appropriate for this client. If the user's client revision number matches one of the specified revision numbers, there is no need to update the client. If the client is not running a software version on the list, an update is in order. The user of a Windows, MAC OS X, or Linux-based VPN client must download an appropriate software version from the listed URL. The VPN 3002 hardware client software is automatically updated via TFTP.
• Image URL—Lets you type the URL for the software/firmware image. This URL must point to a file appropriate for this client.
– For a Windows, MAC OS X, or Linux-based VPN client, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:
http://10.10.99.70/vpnclient-win-4.6.Rel-k9.exe
The directory is optional. You need the port number only if you use ports other than 80 for HTTP or 443 for HTTPS.
– For the hardware client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:
tftp://10.1.1.1/vpn3002-4.1.Rel-k9.bin
The directory is optional.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Default Tunnel Gateway
To configure the default tunnel gateway, click the Static Route link in this window. The Configuration > Routing > Routing > Static Route window opens.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Group Policies
The Group Policies window lets you manage VPN group policies. A VPN group policy is a collection of user-oriented attribute/value pairs stored either internally on the device or externally on a RADIUS or LDAP server. Configuring the VPN group policy lets users inherit attributes that you have not configured at the individual group or username level. By default, VPN users have no group policy association. The group policy information is used by VPN tunnel groups and user accounts.
The "child" windows and dialog boxes let you configure the group parameters, including those for the default group. The default group parameters are those that are most likely to be common across all groups and users, and they streamline the configuration task. Groups can "inherit" parameters from this default group, and users can "inherit" parameters from their group or the default group. You can override these parameters as you configure groups and users.
You can configure either an internal or an external group policy. An internal group policy is stored locally, and an external group policy is stored externally on a RADIUS or LDAP server. Clicking Edit opens a similar dialog box on which you can create a new group policy or modify an existing one.
In these dialog boxes, you configure the following kinds of parameters:
• General attributes: Name, banner, address pools, protocols, filtering, and connection settings.
• Servers: DNS and WINS servers, DHCP scope, and default domain name.
• Advanced attributes: Split tunneling, IE browser proxy, SSL VPN Client and AnyConnect Client, and IPSec Client.
Before configuring these parameters, you should configure:
• Access hours.
• Rules and filters.
• IPSec Security Associations.
• Network lists for filtering and split tunneling.
• User authentication servers, and specifically the internal authentication server.
Fields
• Group Policy—Lists the currently configured group policies and Add, Edit, and Delete buttons to help you manage VPN group policies.
– Name—Lists the name of the currently configured group policies.
– Type—Lists the type of each currently configured group policy.
– Tunneling Protocol—Lists the tunneling protocol that each currently configured group policy uses.
– AAA Server Group—Lists the AAA server group, if any, to which each currently configured group policy pertains.
– Add—Offers a drop-down menu on which you can select whether to add an internal or an external group policy. If you simply click Add, then by default, you create an internal group policy. Clicking Add opens the Add Internal Group Policy dialog box or the Add External Group Policy dialog box, which let you add a new group policy to the list. This dialog box includes three menu sections. Click each menu item to display its parameters. As you move from item to item, ASDM retains your settings. When you have finished setting parameters on all menu sections, click Apply or Cancel.
– Edit—Displays the Edit Group Policy dialog box, which lets you modify an existing group policy.
– Delete—Lets you remove a AAA group policy from the list. There is no confirmation or undo.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Add/Edit External Group Policy
The Add or Edit External Group Policy dialog box lets you configure an external group policy.
Fields
• Name—Identifies the group policy to be added or changed. For Edit External Group Policy, this field is display-only.
• Server Group—Lists the available server groups to which to apply this policy.
• Password—Specifies the password for this server group policy.
• New—Opens a dialog box that lets you select whether to create a new RADIUS server group or a new LDAP server group. Either of these options opens the Add AAA Server Group dialog box.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Add AAA Server Group
The Add AAA Server Group dialog box lets you configure a new AAA server group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.
Fields
• Server Group—Specifies the name of the server group.
• Protocol—(Display only) Indicates whether this is a RADIUS or an LDAP server group.
• Accounting Mode—Indicates whether to use simultaneous or single accounting mode. In single mode, the security appliance sends accounting data to only one server. In simultaneous mode, the security appliance sends accounting data to all servers in the group. The Accounting Mode attribute applies only to RADIUS and TACACS+ protocols.
• Reactivation Mode—Specifies the method by which failed servers are reactivated: Depletion or Timed reactivation mode. In Depletion mode, failed servers are reactivated only after all of the servers in the group become inactive. In Timed mode, failed servers are reactivated after 30 seconds of down time.
• Dead Time—Specifies, for depletion mode, the number of minutes (0 through 1440) that must elapse between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default value is 10 minutes. This field is not available for timed mode.
• Max Failed Attempts—Specifies the number (an integer in the range 1 through 5) of failed connection attempts allowed before declaring a nonresponsive server inactive. The default value is 3 attempts.
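The Reactivation Mode, Dead Time, and Max Failed Attempts rules above, as an added example that is not Cisco code: a Python model of a AAA server group that marks a server inactive after Max Failed Attempts consecutive failures and brings it back under Depletion or Timed mode on a simulated clock. The class and method names, the clock in seconds, and the choice to reset a server's failure count on a successful attempt are assumptions.

```python
"""Added example: server-group failover rules from the Add AAA Server Group dialog.

Not Cisco code. The model follows the page:
  * a server is declared inactive after Max Failed Attempts (1..5, default 3)
    consecutive failed connection attempts
  * Depletion mode: failed servers come back only after every server in the
    group is inactive and Dead Time minutes (0..1440, default 10) have passed
    since the last one was disabled
  * Timed mode: each failed server comes back 30 seconds after it went down
Assumptions: a simulated clock in seconds, and a successful attempt resets a
server's failure count.
"""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30   # "reactivated after 30 seconds of down time"


@dataclass
class AAAServer:
    name: str
    failures: int = 0                 # consecutive failed attempts
    active: bool = True
    down_since: Optional[float] = None


@dataclass
class AAAServerGroup:
    name: str
    servers: List[AAAServer]
    reactivation_mode: str = "depletion"   # "depletion" or "timed"
    dead_time_minutes: int = 10            # Dead Time, depletion mode only
    max_failed_attempts: int = 3           # Max Failed Attempts
    depleted_at: Optional[float] = None    # when the last server was disabled

    def __post_init__(self) -> None:
        # Range checks mirror the limits the dialog documents.
        if not 1 <= self.max_failed_attempts <= 5:
            raise ValueError("Max Failed Attempts must be 1 through 5")
        if not 0 <= self.dead_time_minutes <= 1440:
            raise ValueError("Dead Time must be 0 through 1440 minutes")
        if self.reactivation_mode not in ("depletion", "timed"):
            raise ValueError("Reactivation Mode must be 'depletion' or 'timed'")

    def active_servers(self) -> List[str]:
        return [s.name for s in self.servers if s.active]

    def record_failure(self, server_name: str, now: float) -> None:
        """A connection attempt to server_name failed at simulated time `now`."""
        s = self._get(server_name)
        if not s.active:
            return
        s.failures += 1
        if s.failures >= self.max_failed_attempts:
            s.active = False
            s.down_since = now
            if self.reactivation_mode == "depletion" and not self.active_servers():
                self.depleted_at = now   # dead time runs from here

    def record_success(self, server_name: str) -> None:
        """A successful attempt clears the consecutive-failure count (assumption)."""
        self._get(server_name).failures = 0

    def reactivate_due(self, now: float) -> List[str]:
        """Re-enable every server whose reactivation condition holds at `now`."""
        revived: List[str] = []
        if self.reactivation_mode == "timed":
            for s in self.servers:
                if not s.active and now - s.down_since >= TIMED_REACTIVATION_SECONDS:
                    self._revive(s)
                    revived.append(s.name)
        elif (self.depleted_at is not None
              and now - self.depleted_at >= self.dead_time_minutes * 60):
            for s in self.servers:          # depletion: all servers come back together
                if not s.active:
                    self._revive(s)
                    revived.append(s.name)
            self.depleted_at = None
        return revived

    def _revive(self, s: AAAServer) -> None:
        s.active, s.failures, s.down_since = True, 0, None

    def _get(self, name: str) -> AAAServer:
        for s in self.servers:
            if s.name == name:
                return s
        raise KeyError(name)
```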
Adding or Editing a Remote Access Internal Group Policy, General Attributes
The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes on this dialog box.
Fields
The following attributes appear in the Add Internal Group Policy > General window. Some apply to SSL VPN and IPSec sessions and others to clientless SSL VPN sessions, so several are present for one type of session but not the other.
• Name—Specifies the name of this group policy. For the Edit function, this field is read-only.
• Banner—Specifies the banner text to present to users at login. The length can be up to 491 characters. There is no default value.
• Address Pools—(Network (Client) Access only) Specifies the name of one or more address pools to use for this group policy.
• Select—(Network (Client) Access only) Opens the Select Address Pools window, which shows the pool name, starting and ending addresses, and subnet mask of address pools available for client address assignment and lets you select, add, edit, delete, and assign entries from that list.
• More Options—Displays additional configurable options for this group policy.
• Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:
– Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to a security appliance; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
– SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL VPN client.
– IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and client-to-LAN connections can use IPSec.
– L2TP over IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.
Note
If you do not select a protocol, an error message appears.
• Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Group Policy window.
• Web ACL—(Clientless SSL VPN only) Select an access control list (ACL) from the drop-down list if you want to filter traffic. Click Manage next to the list if you want to view, modify, add, or remove ACLs before making a selection.
• Manage—Displays the ACL Manager window, with which you can add, edit, and delete Access Control Lists (ACLs) and Extended Access Control Lists (ACEs). For more information about the ACL Manager, see the online Help for that window.
• NAC Policy—Selects the name of a Network Admission Control policy to apply to this group policy. You can assign an optional NAC policy to each group policy. The default value is --None--.
• Manage—Opens the Configure NAC Policy dialog box. After configuring one or more NAC policies, the NAC policy names appear as options in the drop-down list next to the NAC Policy attribute.
• Access Hours—Selects the name of an existing access hours policy, if any, to apply to this user, or lets you create a new access hours policy. The default value is Inherit, or, if the Inherit check box is not selected, the default value is --Unrestricted--.
• Manage—Opens the Browse Time Range dialog box, on which you can add, edit, or delete a time range.
• Simultaneous Logins—Specifies the maximum number of simultaneous logins allowed for this user. The default value is 3. The minimum value is 0, which disables login and prevents user access.
Note
While there is no maximum limit, allowing several simultaneous connections might compromise security and affect performance.
• Restrict Access to VLAN—(Optional) Also called "VLAN mapping," this parameter specifies the egress VLAN interface for sessions to which this group policy applies. The security appliance forwards all traffic on this group to the selected VLAN. Use this attribute to assign a VLAN to the group policy to simplify access control. Assigning a value to this attribute is an alternative to using ACLs to filter traffic on a session. In addition to the default value (Unrestricted), the drop-down list shows only the VLANs that are configured on this security appliance.
Note
This feature works for HTTP connections, but not for FTP and CIFS.
• Maximum Connect Time—If the Inherit check box is not selected, this parameter specifies the maximum user connection time in minutes. At the end of this time, the system terminates the connection. The minimum is 1 minute, and the maximum is 35791394 minutes (over 4000 years). To allow unlimited connection time, select Unlimited (the default).
• Idle Timeout—If the Inherit check box is not selected, this parameter specifies this user's idle timeout period in minutes. If there is no communication activity on the user's connection in this period, the system terminates the connection. The minimum time is 1 minute, and the maximum time is 10080 minutes. The default is 30 minutes. To allow unlimited connection time, select Unlimited. This value does not apply to Clientless SSL VPN users.
• On smart card removal—With the default option, Disconnect, the client tears down the connection if the smart card used for authentication is removed. Click Keep the connection if you do not want to require users to keep their smart cards in the computer for the duration of the connection.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Configuring the Portal for a Group Policy
The Portal attributes determine what appears on the portal page for members of this group policy establishing Clientless SSL VPN connections. On this pane, you can enable Bookmark lists and URL Entry, file server access, Port Forwarding and Smart Tunnels, ActiveX Relay, and HTTP settings.
Fields
• Bookmark List—Select a previously configured Bookmark list or click Manage to create a new one. Bookmarks appear as links from which users can navigate from the portal page.
• URL Entry—Enable to allow remote users to enter URLs directly into the portal URL field.
• File Access Control—Controls the visibility of "hidden shares" for Common Internet File System (CIFS) files. A hidden share is identified by a dollar sign ($) at the end of the share name. For example, drive C is shared as C$. With hidden shares, a shared folder is not displayed, and users are restricted from browsing or accessing these hidden resources.
– File Server Entry—Enable to allow remote users to enter the name of a file server.
– File Server Browsing—Enable to allow remote users to browse for available file servers.
– Hidden Share Access—Enable to hide shared folders.
• Port Forwarding Control—Provides users access to TCP-based applications over a Clientless SSL VPN connection through a Java Applet.
– Port Forwarding List—Select a previously configured list of TCP applications to associate with this group policy. Click Manage to create a new list or to edit an existing list.
– Auto Applet Download—Enables automatic installation and starting of the Applet the first time the user logs in.
– Applet Name—Changes the title bar of the Applet window to the name you designate. By default, the name is Application Access.
• Smart Tunnel—Connects a Winsock 2, TCP-based application installed on the end station to a server on the intranet, using a clientless (browser-based) SSL VPN session with the security appliance as the pathway, and the security appliance as a proxy server.
– Smart Tunnel List—Select the list name from the drop-down menu if you want to provide smart tunnel access. Assigning a smart tunnel list to a group policy or username enables smart tunnel access for all users whose sessions are associated with the group policy or username, but restricts smart tunnel access to the applications specified in the list. To view, add, modify, or delete a smart tunnel list, click the adjacent Manage button.
– Auto Start (Smart Tunnel List)—Check to start smart tunnel access automatically upon user login. Uncheck to enable smart tunnel access upon user login, but require the user to start it manually, using the Application Access > Start Smart Tunnels button on the Clientless SSL VPN Portal Page.
– Auto Sign-on Server List—Select the list name from the drop-down menu if you want to reissue the user credentials when the user establishes a smart tunnel connection to a server. Each smart tunnel auto sign-on list entry identifies a server with which to automate the submission of user credentials. To view, add, modify, or delete a smart tunnel auto sign-on list, click the adjacent Manage button.
– Domain Name (Optional)—Specify the Windows domain to add it to the username during auto sign-on, if the universal naming convention (domain\username) is required for authentication. For example, enter CISCO to specify CISCO\jsmith when authenticating for the username jsmith. You must also check the "Use Windows domain name with user name" option when configuring associated entries in the auto sign-on server list.
• ActiveX Relay—Lets Clientless users launch Microsoft Office applications from the browser. The applications use the session to download and upload Microsoft Office documents. The ActiveX relay remains in force until the Clientless SSL VPN session closes.
More Options:
• HTTP Proxy—Enables or disables the forwarding of an HTTP applet proxy to the client. The proxy is useful for technologies that interfere with proper content transformation, such as Java, ActiveX, and Flash. It bypasses mangling while ensuring the continued use of the security appliance. The forwarded proxy modifies the browser's old proxy configuration automatically and redirects all HTTP and HTTPS requests to the new proxy configuration. It supports virtually all client side technologies, including HTML, CSS, JavaScript, VBScript, ActiveX, and Java. The only browser it supports is Microsoft Internet Explorer.
• Auto Start (HTTP Proxy)—Check to enable HTTP Proxy automatically upon user login. Uncheck to enable HTTP Proxy upon user login, but require the user to start it manually.
• HTTP Compression—Enables compression of HTTP data over the Clientless SSL VPN session.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Configuring Customization for a Group Policy
To configure customization for a group policy, select a preconfigured portal customization object, or accept the customization provided in the default group policy. You can also configure a URL to display
Fields
Portal Customization—Configure a customization object for the end user portal.
• Inherit—To inherit a portal customization from the default group policy, click Inherit. To specify a previously configured customization object, deselect Inherit and choose the customization object from the drop-down list.
• Manage—Click to import a new customization object.
Homepage URL (optional)—To specify a homepage URL for users associated with the group policy, enter it in this field. To inherit a home page from the default group policy, click Inherit.
Access Deny Message—To create a message to users for whom access is denied, enter it in this field. To accept the message in the default group policy, click Inherit.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | Security Context
Routed | Transparent | Single | Multiple (Context) | Multiple (System)
• | — | • | — | —
Adding or Editing a Site-to-Site Internal Group Policy
The Add or Edit Group Policy window lets you specify tunneling protocols, filters, connection settings, and servers for the group policy being added or modified. For each of the fields on this window, checking the Inherit check box lets the corresponding setting take its value from the default group policy. Inherit is the default value for all of the attributes on this dialog box.
Fields
The following attributes appear in the Add Internal Group Policy > General window. Some apply to SSL VPN and IPSec sessions and others to clientless SSL VPN sessions, so several are present for one type of session but not the other.
• Name—Specifies the name of this group policy. For the Edit function, this field is read-only.
• Tunneling Protocols—Specifies the tunneling protocols that this group can use. Users can use only the selected protocols. The choices are as follows:
– Clientless SSL VPN—Specifies the use of VPN via SSL/TLS, which uses a web browser to establish a secure remote-access tunnel to a security appliance; requires neither a software nor hardware client. Clientless SSL VPN can provide easy access to a broad range of enterprise resources, including corporate websites, web-enabled applications, NT/AD file share (web-enabled), e-mail, and other TCP-based applications from almost any computer that can reach HTTPS Internet sites.
– SSL VPN Client—Specifies the use of the Cisco AnyConnect VPN client or the legacy SSL VPN client.
– IPSec—IP Security Protocol. Regarded as the most secure protocol, IPSec provides the most complete architecture for VPN tunnels. Both Site-to-Site (peer-to-peer) connections and client-to-LAN connections can use IPSec.
– L2TP/IPSec—Allows remote users with VPN clients provided with several common PC and mobile PC operating systems to establish secure connections over the public IP network to the security appliance and private corporate networks. L2TP uses PPP over UDP (port 1701) to tunnel the data. The security appliance must be configured for IPSec transport mode.
Note
If you do not select a protocol, an error message appears.
• Filter—(Network (Client) Access only) Specifies which access control list to use, or whether to inherit the value from the group policy. Filters consist of rules that determine whether to allow or reject tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. To configure filters and rules, see the Group Policy window.
• Manage—Displays the ACL Manager window, with which you can add, edit, and delete Access Control Lists (ACLs) and Extended Access Control Lists (ACEs). For more information about the ACL Manager, see the online Help for that window.
Browse Time Range
Use the Browse Time Range dialog box to add, edit, or delete a time range. A time range is a reusable component that defines starting and ending times that can be applied to a group policy. After defining a time range, you can select the time range and apply it to different options that require scheduling. For example, you can attach an access list to a time range to restrict access to the security appliance. A time range consists of a start time, an end time, and optional recurring (that is, periodic) entries. For more information about time ranges, see the online Help for the Add or Edit Time Range dialog box.
Fields
• Add—Opens the Add Time Range dialog box, on which you can create a new time range.
Note
Creating a time range does not restrict access to the device.
• Edit—Opens the Edit Time Range dialog box, on which you can modify an existing time range. This button is active only when you have selected an existing time range from the Browse Time Range table.
• Delete—Removes a selected time range from the Browse Time Range table. There is no confirmation or undo of this action.
• Name—Specifies the name of the time range.
• Start Time—Specifies when the time range begins.
• End Time—Specifies when the time range ends.
• Recurring Entries—Further constrains when the range is active, within the specified start and end times.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | | Security Context | |
Routed | Transparent | Single | Multiple: Context | Multiple: System
• | • | • | • | —
Add/Edit Time Range
The Add or Edit Time Range dialog box lets you configure a new time range.
Fields
• Time Range Name—Specifies the name that you want to assign to this time range.
• Start Time—Defines the time when you want the time range to start.
  – Start now—Specifies that the time range starts immediately.
  – Start at—Selects the month, day, year, hour, and minute at which you want the time range to start.
• End Time—Defines the time when you want the time range to end.
  – Never end—Specifies that the time range has no defined end point.
  – End at (inclusive)—Selects the month, day, year, hour, and minute at which you want the time range to end.
• Recurring Time Ranges—Constrains the active time of this time range within the start and end times when the time range is active. For example, if the start time is start now and the end time is never end, and you want the time range to be effective every weekday, Monday through Friday, from 8:00 AM to 5:00 PM, you could configure a recurring time range, specifying that it is to be active weekdays from 08:00 through 17:00, inclusive.
• Add—Opens the Add Recurring Time Range dialog box, on which you can configure a recurring time range.
• Edit—Opens the Edit Recurring Time Range dialog box, on which you can modify a selected recurring time range.
• Delete—Removes a selected recurring time range.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | | Security Context | |
Routed | Transparent | Single | Multiple: Context | Multiple: System
• | • | • | • | —
Add/Edit Recurring Time Range
The Add or Edit Recurring Time Range dialog box lets you configure or modify a recurring time range.
Fields
• Specify days of the week and times on which this recurring range will be active—Makes available the options in the Days of the week area. For example, use this option when you want the time range to be active only every Monday through Thursday, from 08:00 through 16:59.
  – Days of the week—Select the days that you want to include in this recurring time range. Possible options are: Every day, Weekdays, Weekends, and On these days of the week. For the last of these, you can select a check box for each day that you want included in the range.
  – Daily Start Time—Specifies the hour and minute, in 24-hour format, when you want the recurring time range to be active on each selected day.
  – Daily End Time (inclusive)—Specifies the hour and minute, in 24-hour format, when you want the recurring time range to end on each selected day.
• Specify a weekly interval when this recurring range will be active—Makes available the options in the Weekly Interval area. The range extends inclusively through the end time. All times in this area are in 24-hour format. For example, use this option when you want the time range to be active continuously from Monday at 8:00 AM through Friday at 4:30 PM.
  – From—Selects the day, hour, and minute when you want the weekly time range to start.
  – Through—Selects the day, hour, and minute when you want the weekly time range to end.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | | Security Context | |
Routed | Transparent | Single | Multiple: Context | Multiple: System
• | • | • | • | —
ACL Manager
The ACL Manager dialog box lets you define access control lists (ACLs) to control the access of a specific host or network to another host/network, including the protocol or port that can be used.
You can configure ACLs (Access Control Lists) to apply to user sessions. These are filters that permit or deny user access to specific networks, subnets, hosts, and web servers.
• If you do not define any filters, all connections are permitted.
• The security appliance supports only an inbound ACL on an interface.
• At the end of each ACL, there is an implicit, unwritten rule that denies all traffic that is not permitted. If traffic is not explicitly permitted by an access control entry (ACE), the security appliance denies it. ACEs are referred to as rules in this topic.
Standard ACL
This pane provides summary information about standard ACLs, and lets you add or edit ACLs and ACEs.
Fields
• Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.
• Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.
• Delete—Removes an ACL or ACE. There is no confirmation or undo.
• Move Up/Move Down—Changes the position of a rule in the ACL Manager table.
• Cut—Removes the selection from the ACL Manager table and places it on the clipboard.
• Copy—Places a copy of the selection on the clipboard.
• Paste—Opens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule.
• No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.
• Address—Displays the IP address or URL of the application or service to which the ACE applies.
• Action—Specifies whether this filter permits or denies traffic flow.
• Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | | Security Context | |
Routed | Transparent | Single | Multiple: Context | Multiple: System
• | — | • | — | —
Extended ACL
This pane provides summary information about extended ACLs, and lets you add or edit ACLs and ACEs.
Fields
• Add—Lets you add a new ACL. When you highlight an existing ACL, it lets you add a new ACE for that ACL.
• Edit—Opens the Edit ACE dialog box, on which you can change an existing access control list rule.
• Delete—Removes an ACL or ACE. There is no confirmation or undo.
• Move Up/Move Down—Changes the position of a rule in the ACL Manager table.
• Cut—Removes the selection from the ACL Manager table and places it on the clipboard.
• Copy—Places a copy of the selection on the clipboard.
• Paste—Opens the Paste ACE dialog box, on which you can create a new ACL rule from an existing rule.
• No—Indicates the order of evaluation for the rule. Implicit rules are not numbered, but are represented by a hyphen.
• Enabled—Enables or disables a rule. Implicit rules cannot be disabled.
• Source—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Destination column. In detail mode (see the Show Detail radio button), an address column might contain an interface name with the word any, such as inside: any. This means that any host on the inside interface is affected by the rule.
• Destination—Specifies the IP addresses (Host/Network) that are permitted or denied to send traffic to the IP addresses listed in the Source column. An address column might contain an interface name with the word any, such as outside: any. This means that any host on the outside interface is affected by the rule. An address column might also contain IP addresses; for example 209.165.201.1-209.165.201.30. These addresses are translated addresses. When an inside host makes a connection to an outside host, the firewall maps the address of the inside host to an address from the pool. After a host creates an outbound connection, the firewall maintains this address mapping. The address mapping structure is called an xlate, and remains in memory for a period of time. During this time, outside hosts can initiate connections to the inside host using the translated address from the pool, if allowed by the ACL. Normally, outside-to-inside connections require a static translation so that the inside host always uses the same IP address.
• Service—Names the service and protocol specified by the rule.
• Action—Specifies whether this filter permits or denies traffic flow.
• Logging—Shows the logging level and the interval in seconds between log messages (if you enable logging for the ACL). To set logging options, including enabling and disabling logging, right-click this column, and choose Edit Log Option. The Log Options window appears.
• Time—Specifies the name of the time range to be applied in this rule.
• Description—Shows the description you typed when you added the rule. An implicit rule includes the following description: "Implicit outbound rule."
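The recurring time ranges described under Add/Edit Recurring Time Range and the ACL evaluation rules above (first-match ACEs, the Enabled flag, the Time column, and the implicit deny) can be modelled together. The following is an added example, not Cisco code and not the appliance's implementation; it assumes that an ACE whose time range is inactive is simply skipped, that end times are inclusive to the minute, and it uses a constructed sample ACL and constructed timestamps.

```python
# Added example (not Cisco code): a model of the time-range and ACL behaviour described above.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

def _minute(when):
    """Time ranges are evaluated to the minute, so seconds are dropped before comparing."""
    return when.time().replace(second=0, microsecond=0)

class DailyWindow:
    """'Days of the week' entry: active on the listed weekdays (Monday == 0) from start through end, inclusive."""
    def __init__(self, days, start, end):
        self.days, self.start, self.end = set(days), start, end
    def active(self, when):
        return when.weekday() in self.days and self.start <= _minute(when) <= self.end

class TimeRange:
    """Absolute start/end (None = 'Start now' / 'Never end'), further constrained by recurring entries."""
    def __init__(self, start=None, end=None, recurring=()):
        self.start, self.end, self.recurring = start, end, list(recurring)
    def active(self, when):
        in_bounds = (not self.start or when >= self.start) and (not self.end or when <= self.end)
        return in_bounds and (not self.recurring or any(r.active(when) for r in self.recurring))

class ACE:
    """One extended rule: action, source/destination networks, optional port, time range, enabled flag."""
    def __init__(self, action, src, dst, port=None, time_range=None, enabled=True):
        self.action, self.src, self.dst = action, ip_network(src), ip_network(dst)
        self.port, self.time_range, self.enabled = port, time_range, enabled
    def matches(self, src, dst, port, when):
        if not self.enabled or (self.time_range and not self.time_range.active(when)):
            return False                       # disabled, or outside its time range: the ACE is skipped
        return ip_address(src) in self.src and ip_address(dst) in self.dst and self.port in (None, port)

def evaluate(acl, src, dst, port, when):
    """First matching ACE wins; with no match the unwritten implicit deny (No column '-') applies."""
    for no, ace in enumerate(acl, 1):
        if ace.matches(src, dst, port, when):
            return ace.action, no
    return "deny", "-"

def demo():
    """Constructed sample: HTTPS from an inside host to the 209.165.201.0/27 pool, weekdays 08:00-17:00."""
    acl = [ACE("permit", "10.0.0.0/8", "209.165.201.0/27", 443,
               TimeRange(recurring=[DailyWindow({0, 1, 2, 3, 4}, time(8, 0), time(17, 0))]))]
    probe = lambda when: evaluate(acl, "10.1.2.3", "209.165.201.10", 443, when)
    return (probe(datetime(2024, 1, 8, 9, 30)),      # Monday 09:30 -> ('permit', 1)
            probe(datetime(2024, 1, 8, 17, 0, 45)),  # 17:00:45 is still the inclusive minute -> ('permit', 1)
            probe(datetime(2024, 1, 8, 17, 1)),      # 17:01: ACE skipped, implicit deny -> ('deny', '-')
            probe(datetime(2024, 1, 6, 12, 0)))      # Saturday -> ('deny', '-')
```

The third probe shows why the inclusive end matters: one minute past 17:00 the permit rule no longer matches and the packet falls through to the implicit deny rather than to any explicit rule.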
Modes
The following table shows the modes in which this feature is available:
Firewall Mode | | Security Context | |
Routed | Transparent | Single | Multiple: Context | Multiple: System
• | — | • | — | —
Add/Edit/Paste ACE
The Add/Edit/Paste ACE dialog box lets you create a new extended access list rule, or modify an existing rule. The Paste option becomes available only when you cut or copy a rule.
Fields
• Action—Determines the action type of the new rule. Select either permit or deny.
  – Permit—Permits all matching traffic.
  – Deny—Denies all matching traffic.
• Source/Destination—Specifies the source or destination type and, depending on that type, the other relevant parameters describing the source or destination host/network IP Address. Possible values are: any, IP address, Network Object Group, and Interface IP. The availability of subsequent fields depends upon the value of the Type field:
  – any—Specifies that the source or destination host/network can be any type. For this value of the Type field, there are no additional fields in the Source or Destination area.
  – IP Address—Specifies the source or destination host or network IP address. With this selection, the IP Address, ellipsis button, and Netmask fields become available. Select an IP address or host name from the drop-down list in the IP Address field or click the ellipsis (...) button to browse for an IP address or name. Select a network mask from the drop-down list.
  – Network Object Group—Specifies the name of the network object group. Select a name from the drop-down list or click the ellipsis (...) button to browse for a network object group name.
  – Interface IP—Specifies the interface on which the host or network resides. Select an interface from the drop-down list. The default values are inside and outside. There is no browse function.
• Protocol and Service—Specifies the protocol and service to which this ACE filter applies. Service groups let you identify multiple non-contiguous port numbers that