Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
64-101
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 64 General VPN Setup
System Options
Authenticating SSL VPN Connections
The SSL VPN Connections > Advanced > Authentication dialog box lets you configure authentication
attributes for SSL VPN connections.
System Options
The System Options pane lets you configure features specific to VPN sessions on the adaptive security
appliance.
Fields
• Enable inbound IPsec sessions to bypass interface access-lists. Group policy and per-user
authorization access lists still apply to the traffic—By default, the adaptive security appliance allows
VPN traffic to terminate on an adaptive security appliance interface; you do not need to allow IKE or
ESP (or other types of VPN packets) in an access rule. When this option is checked, you also do not
need an access rule for local IP addresses of decrypted VPN packets. Because the VPN tunnel was
terminated successfully using VPN security mechanisms, this feature simplifies configuration and
maximizes the adaptive security appliance performance without any security risks. (Group policy
and per-user authorization access lists still apply to the traffic.)
You can require an access rule to apply to the local IP addresses by unchecking this option. The
access rule applies to the local IP address, and not to the original client IP address used before the
VPN packet was decrypted.
• Limit the maximum number of active IPsec VPN sessions—Enables or disables limiting the
maximum number of active IPsec VPN sessions. The range depends on the hardware platform and
the software license.
– Maximum Active IPsec VPN Sessions—Specifies the maximum number of active IPsec VPN
sessions allowed. This field is active only when you select the preceding check box to limit the
maximum number of active IPsec VPN sessions.
• L2TP Tunnel Keep-alive Timeout—Specifies the frequency, in seconds, of keepalive messages. The
range is 10 through 300 seconds. The default is 60 seconds.
• Preserve stateful VPN flows when tunnel drops for Network-Extension Mode (NEM)—Enables or
disables preserving IPsec tunneled flows in Network-Extension Mode. With the persistent IPsec
tunneled flows feature enabled, as long as the tunnel is recreated within the timeout window, data
continues flowing successfully because the security appliance still has access to the state
information. This option is disabled by default.
Note: Tunneled TCP flows are not dropped, so they rely on the TCP timeout for cleanup. However, if
the timeout is disabled for a particular tunneled flow, that flow remains in the system until being
cleared manually or by other means (for example, by a TCP RST from the peer).
Firewall Mode            Security Context
Routed    Transparent    Single    Multiple: Context    Multiple: System
•         —              •         —                    —
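
An added example, not part of the Cisco guide: a small Python audit that reads a saved running-config and reports whether the interface access-list bypass described above is in effect, whether stateful VPN flows are preserved, and which group policies carry no vpn-filter ACL, the control that still applies when the bypass is on. The CLI keywords (`sysopt connection permit-vpn`, `sysopt connection preserve-vpn-flows`, `vpn-filter`) are the command-line counterparts of these ASDM options and do not appear on this page. The sample config is constructed, and inheritance from a default group policy and per-user ACLs are not modelled.

```python
import re

# Constructed sample of an ASA running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname asa-example
access-list VPN-ENG extended permit tcp any host 10.0.5.10 eq 443
sysopt connection preserve-vpn-flows
group-policy ENGINEERING internal
group-policy ENGINEERING attributes
 vpn-filter value VPN-ENG
 vpn-idle-timeout 30
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-idle-timeout 30
group-policy LEGACY internal
group-policy LEGACY attributes
 vpn-filter none
"""

def audit_vpn_bypass(config: str) -> dict:
    """Report the ACL-bypass state and the group policies that have no
    vpn-filter ACL restricting decrypted VPN traffic."""
    lines = config.splitlines()
    # The bypass is on by default and then absent from the running-config;
    # only the negated form appears once the option has been unchecked.
    bypass = not any(l.strip() == "no sysopt connection permit-vpn" for l in lines)
    preserve = any(l.strip() == "sysopt connection preserve-vpn-flows" for l in lines)
    filters = {}    # group-policy name -> ACL name, or None when unfiltered
    current = None
    for line in lines:
        m = re.match(r"group-policy (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            filters.setdefault(current, None)
        elif not line.startswith(" "):
            current = None    # left the attributes sub-mode
        elif current:
            f = re.match(r"\s+vpn-filter (?:value (\S+)|none)\s*$", line)
            if f:
                filters[current] = f.group(1)    # None for "vpn-filter none"
    return {
        "interface_acl_bypass": bypass,
        "preserve_vpn_flows": preserve,
        "unfiltered_group_policies": sorted(n for n, a in filters.items() if a is None),
    }

if __name__ == "__main__":
    print(audit_vpn_bypass(SAMPLE_CONFIG))
```

When `interface_acl_bypass` is true, every policy listed under `unfiltered_group_policies` lets decrypted traffic through with no ACL check at the group-policy level.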