Cisco ASA 5515-X

Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Easy VPN Services on the ASA 5505
Guidelines for Configuring the Easy VPN Server
Note: IPsec NAT-T connections are the only IPsec connection types supported on the home VLAN of a Cisco ASA 5505. IPsec over TCP and native IPsec connections are not supported.
Authentication Options
The ASA 5505 supports the following authentication mechanisms, which it obtains from the group policy stored on the Easy VPN Server. The following list identifies the authentication options supported by the Easy VPN hardware client; however, you must configure them on the Easy VPN server:
• Secure unit authentication (SUA, also called Interactive unit authentication)

  Ignores the vpnclient username Xauth command (described in the “Configuring Automatic Xauth Authentication” section on page 1-4) and requires the user to authenticate the ASA 5505 by entering a password. By default, SUA is disabled. You can use the secure-unit-authentication enable command in group-policy configuration mode to enable SUA. See Configuring Secure Unit Authentication, page 1-66.

• Individual user authentication (IUA)

  Requires users behind the ASA 5505 to authenticate before granting them access to the enterprise VPN network. By default, IUA is disabled. To enable IUA, use the user-authentication enable command in group-policy configuration mode. See Configuring User Authentication, page 1-67.

  The security appliance works correctly from behind a NAT device, and if the ASA 5505 is configured in NAT mode, the provisioned IP (to which the clients all PAT) is injected into the routing table on the central-site device.

  Caution: Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device is operating between the server and the Easy VPN hardware client.

  Use the user-authentication-idle-timeout command to set or remove the idle timeout period after which the Easy VPN Server terminates the client’s access. See Configuring an Idle Timeout, page 1-67.

• Authentication by HTTP redirection

  The Cisco Easy VPN server intercepts HTTP traffic and redirects the user to a login page if one of the following is true:

  – SUA or the username and password are not configured on the Easy VPN hardware client.
  – IUA is enabled.

  HTTP redirection is automatic and does not require configuration on the Easy VPN Server.

• Preshared keys, digital certificates, tokens and no authentication

  The ASA 5505 supports preshared keys, token-based authentication (e.g., SDI one-time passwords), and “no user authentication” for user authentication.

  Note: The Cisco Easy VPN server can use the digital certificate as part of user authorization. See Chapter 1, “Configuring IPsec and ISAKMP” for instructions.
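
An added example, not part of the Cisco guide: a small Python audit that reads group-policy attribute blocks from a saved configuration and reports on the SUA, IUA and idle-timeout settings described above. The sample configuration and policy names are constructed, nat_in_path is a hypothetical operator-supplied input, and attributes absent from a policy are treated as the defaults this page states, without resolving inheritance from other policies.

```python
import re

# Constructed sample in the style of ASA group-policy configuration (not from the guide).
SAMPLE_CONFIG = """\
group-policy BranchA internal
group-policy BranchA attributes
 secure-unit-authentication enable
 user-authentication enable
 user-authentication-idle-timeout 30
group-policy BranchB internal
group-policy BranchB attributes
 user-authentication enable
 user-authentication-idle-timeout none
group-policy Kiosk internal
group-policy Kiosk attributes
 secure-unit-authentication disable
"""

def parse_group_policies(config):
    """Map each policy name to its SUA, IUA and idle-timeout settings."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes\s*$", line)
        if header:
            # The guide states SUA and IUA are disabled by default.
            current = policies.setdefault(header.group(1), dict(sua=False, iua=False, idle=None))
        elif not line.startswith(" "):
            current = None  # left the attributes sub-mode
        elif current is not None and len(line.split()) == 2:
            key, value = line.split()
            if key == "secure-unit-authentication":
                current["sua"] = value == "enable"
            elif key == "user-authentication":
                current["iua"] = value == "enable"
            elif key == "user-authentication-idle-timeout":
                current["idle"] = int(value) if value.isdigit() else value
    return policies

def audit(policies, nat_in_path=()):
    """nat_in_path: hypothetical, operator-supplied policy names with NAT in the path."""
    findings = []
    for name, p in sorted(policies.items()):
        if not p["sua"] and not p["iua"]:
            findings.append((name, "SUA and IUA both disabled"))
        if p["iua"] and p["idle"] == "none":
            findings.append((name, "IUA enabled with idle timeout removed"))
        if p["iua"] and name in nat_in_path:
            findings.append((name, "IUA enabled with NAT between server and client"))
    return findings
```

Calling audit(parse_group_policies(SAMPLE_CONFIG), nat_in_path={"BranchA"}) returns one finding per constructed policy; the NAT finding corresponds to the Caution above, which the configuration text alone cannot reveal.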
