Cisco Systems OL-5532-02 Defining PIX Firewall-Specific Parameters, Reverse Route Injection

Page 17

Chapter 4 Remote Access VPN Services

Creating Remote Access VPN Policies

Table 4-6 Cisco IOS Editor Fields

Field Name: Reverse Route Injection
Type: checkbox
Instructions: Check to enable reverse route injection (RRI). RRI injects a host route into the routing table for the IP address that was allocated from the remote access address pool. (RRI uses the host address as the route destination in the route entry of the routing table.) This allows the creation of a static route for a remote, protected network.
This feature is also used for Network-Based Remote Access. For more information on Network-Based Remote Access, refer to the Cisco IP Solution Center Integrated VPN Management Suite Network-Based IPsec VPN User Guide, 3.2.

Field Name: Reverse Route Remote Peer
Type: checkbox
Instructions: To enable this option, you must first check Reverse Route Injection; you can then check Reverse Route Remote Peer, as shown in Figure 4-17. The Reverse Route Remote Peer option creates a route in the routing table for the remote tunnel endpoint.

Field Name: Group Lock
Type: checkbox
Instructions: The Group Lock option ties user group membership to IKE negotiation user authentication during XAuth. Check the box to enable this option. Uncheck the box to disable it.
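The three checkboxes in Table 4-6 correspond to Cisco IOS crypto configuration on the remote access headend. The fragment below is an added illustration written for this page; it is not configuration generated by IP Solution Center or taken from the guide, and every name and address in it (RA-CLIENTS, RA-POOL, RA-DYNMAP, RA-MAP, RA-TS, RA-XAUTH, RA-GROUPS, the 10.10.10.0/24 pool, the interface and the placeholder key) is an assumption.

```ios
! Added example, not ISC-generated configuration. All names and addresses are assumptions.

aaa new-model
aaa authentication login RA-XAUTH local
aaa authorization network RA-GROUPS local

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

! Inner addresses handed to remote access clients (the "remote access address pool").
ip local pool RA-POOL 10.10.10.1 10.10.10.254

! Group Lock: the XAuth username must carry the group name (user/RA-CLIENTS);
! a user whose username names a different group fails XAuth even if the
! group preshared key was correct.
crypto isakmp client configuration group RA-CLIENTS
 key <group-preshared-key>
 pool RA-POOL
 group-lock

crypto ipsec transform-set RA-TS esp-aes esp-sha-hmac

! Reverse Route Injection: when a client's IPsec SA comes up, a static /32
! route for the address it drew from RA-POOL is installed, so return traffic
! is steered into the tunnel. The remote-peer keyword additionally installs a
! route for the remote tunnel endpoint (the client's outside address).
crypto dynamic-map RA-DYNMAP 10
 set transform-set RA-TS
 reverse-route remote-peer

crypto map RA-MAP client authentication list RA-XAUTH
crypto map RA-MAP isakmp authorization list RA-GROUPS
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic RA-DYNMAP

interface GigabitEthernet0/0
 crypto map RA-MAP
```

To check that RRI is doing its job, connect a client and run `show ip route static` on the headend: the injected entry appears as a static /32 for the pool address the client received (and, with `remote-peer`, a route for the client's outside address). If the /32 is absent, the inside network has no return path into the tunnel and the client's traffic fails silently. Enable Group Lock only after client profiles have been updated to send the group-qualified username, since clients that omit it will be rejected at XAuth.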

 

 

 

 

 

Step 3 Click Next to continue to the Remote Access VPN Policy – PIX Firewall Editor page as described in the “Defining PIX Firewall-Specific Parameters” section on page 4-17.

 

 

 

 

 

Defining PIX Firewall-Specific Parameters

Perform the following steps if you are provisioning remote access on Cisco PIX security appliances in your network:

Step 1 The Remote Access VPN Policy – PIX Firewall Editor page appears as shown in Figure 4-18.

Cisco IP Solution Center Integrated VPN Management Suite Security User Guide, 3.2    OL-5532-02    4-17

 

 

 
