3D Innovations 3.0.1 appendix Select the required setting for the DF bit

Page 52

Appendix B Site-to-Site VPN User Interface Reference

Site to Site VPN Policies

Table B-18

VPN Global Settings Page > General Settings Tab (continued)

 

 

 

 

Element

 

 

Description

 

 

 

 

DF Bit

 

 

Supported on Cisco IOS routers, Catalyst 6500/7600 devices,

 

 

 

 

 

PIX 7.0 and ASA devices.

 

 

 

 

 

A Don't Fragment (DF) bit within an IP header determines whether

 

 

 

 

 

a device is allowed to fragment a packet. For more information, see

 

 

 

 

 

Understanding Fragmentation, page 9-72.

 

 

 

 

 

Select the required setting for the DF bit:

 

 

 

 

 

Copy—To copy the DF bit from the encapsulated header in the

 

 

 

 

 

current packet to all the device’s packets. If the packet’s DF bit

 

 

 

 

 

is set to fragment, all future packets will be fragmented. This is

 

 

 

 

 

the default option.

 

 

 

 

 

Set—To set the DF bit in the packet you are sending. A large

 

 

 

 

 

packet that exceeds the MTU will be dropped and an ICMP

 

 

 

 

 

message sent to the packet’s initiator.

 

 

 

 

 

Clear—If you want the device to fragment packets regardless

 

 

 

 

 

of the original DF bit setting. If ICMP is blocked, MTU

 

 

 

 

 

discovery will fail and packets will only be fragmented after

 

 

 

 

 

encryption.

 

 

 

Enable Fragmentation Before

 

Supported on Cisco IOS routers, Catalyst 6500/7600 devices,

Encryption

 

 

PIX 7.0 and ASA devices.

 

 

 

 

 

When selected, enables fragmentation to occur before encryption, if

 

 

 

 

 

the expected packet size exceeds the MTU.

 

 

 

 

 

Lookahead Fragmentation (LAF) is used before encryption takes

 

 

 

 

 

place to calculate the packet size that would result after encryption,

 

 

 

 

 

depending on the transform sets configured on the IPSec SA. If the

 

 

 

 

 

packet size exceeds the specified MTU, the packet will be

 

 

 

 

 

fragmented before encryption.

 

 

 

Enable Notification on

 

Supported on PIX 7.0 and ASA devices.

Disconnection

 

When selected, enables the device to notify qualified peers of

 

 

 

 

 

 

 

 

 

 

sessions that are about to be disconnected. The peer receiving the

 

 

 

 

 

alert decodes the reason and displays it in the event log or in a

 

 

 

 

 

pop-up panel. This feature is disabled by default.

 

 

 

 

 

 

 

 

User Guide for Cisco Security Manager 3.0.1

 

 

 

B-52

 

 

 

 

OL-8214-02

 

 

 

 

 

 

 

 

 

 

 

 

Page 51 Page 53
Image 52
Page 51 Page 53
Contents Site-to-Site VPN User Interface Reference Understanding VPN Topologies, Working with VPN Topologies,B-3 and Peers Page, page B-7 VPN SummaryB-37 Configuring High Availability in Your VPN Topology, Configuring VRF-Aware IPSec Settings,Configuring an IKE Proposal, Configuring IPSec Proposals,Understanding IPSec Technologies and Policies, Topology. See IKE Proposal Page, page B-37See IPSec Proposal Page, page B-39 B-53High Availability Page, page B-34 See GRE Modes Page, page B-59IPSec Tab, page B-28 Peers Managing VPN Devices in Device View,Create VPN Wizard Topology. See Device Selection Page, page B-10Name and Technology Device Selection Editing a VPN Topology,Defining a Name and IPSec Technology, B-10Navigation Path Page, page B-9 Endpoints See VPN Interface Tab, page B-17 See Edit Endpoints Dialog Box, page B-16 Tab, page B-24B-34 Edit Endpoints Dialog Box VPN Interface Tab Procedure for Configuring a Vpnsm or VPN SPA Blade, Information, see Interface Roles Page, page C-126IP Address for IPSec Termination -To enter manually the IP More information, see Interface Roles Page, page C-126More information, see Configuring Dialer Interfaces on Cisco IOS Routers,Defining VPN Services Module Vpnsm or VPN SPA Settings Box, page B-32VPN SPA Blade, For more information, see Adding VPN SPA Slot Locations Protected Networks Tab IP Address for IPSec Termination-To enter manually the IPTable B-9 Edit Endpoints Dialog Box Protected Networks Tab More information, see Editing Access Control List Objects Fwsm TabMore information, see Editing Interface Role Objects, Information, see Editing Network/Host Objects,Table B-10 Edit Endpoints Dialog Box Fwsm Tab VRF Aware IPSec Tab For more information, see Interface Roles Page, page C-126Table B-11 Edit Endpoints Dialog Box VRF Aware IPSec Tab Solution, IPSec Two-Box Solution,C-126 RoutersDial Backup Settings Dialog Box Summary page. See VPN Summary Page, page B-3Table B-12 Dial Backup Settings Dialog Box High Availability Table B-13 Create VPN wizard High Availability Policy configured. See VPN Summary Page, page B-3 For more information, see Enabling Stateful Failover,Site to Site VPN Policies IKE ProposalUnderstanding Preshared Key Policies, Site-to-Site VPN Policies in Policy View,More information, see IKE Proposal Dialog Box, page C-123 IKE, IPSec ProposalC-123 Shared Site-to-Site VPN Policies in Policy View, For more information, see About Crypto Maps,IPSec Transform Sets Page, page C-130 For more information, see About Transform Sets,To Use, Element Description VPN Global Settings ISAKMP/IPSec Settings TabConfiguring VPN Global Settings, For more information, see About IKE Keepalive,See Understanding IKE, Appendix B Site-to-Site VPN User Interface Reference NAT Settings Tab VPN Global Settings Page, page B-44 Understanding NAT,For more information, see About NAT Traversal, NAT,General Settings Tab For more information, see Understanding Fragmentation Select the required setting for the DF bit Preshared Key Table B-19 Preshared Key Element Description Negotiation Method Public Key Infrastructure C-140 Working with PKI Enrollment Objects,Attributes, FlexConfig see Working with FlexConfigs, GRE ModesTable B-21 GRE Modes Page GRE or GRE Dynamic IP Policy GRE?, OL-8214-02 Configuring Cisco IOS Router Interfaces, OL-8214-02 Configuration of GRE, For more information, see Prerequisites for SuccessfulElement Description Preshared Key Policies, For more information, see Configuring Cisco IOS Router Interfaces,Easy VPN IPSec Proposal Understanding Easy VPN, For more information, see Understanding NAT, Group Objects, Device Access Policies,More information, see Working with AAA Server Group Objects Working with User Group Objects, User Group PolicyFor more information, see Editing User Group Objects, Tunnel Group Policy PIX 7.0/ASA Tunnel Group Policy General Tab For more information, see Working with ASA User Groups Client Address Assignment Tunnel Group Policy IPSec Tab Network/Host Objects,For more information, see Supported AAA Server Types Tunnel Group Policy Advanced Tab More information, see Working with Interface Role Objects Tunnel Group Policy Client VPN Software Update Tab Tunnel Group Policy PIX 7.0/ASAClient Connection Characteristics Table B-29 Easy VPN Remote Client Connection Characteristics About Locking in Site-to-Site VPN Topologies, Working with Site-to-Site VPN Policies,For more information, see About Editing a VPN Topology See Site to Site VPN Policies, page B-37For more information, see Deleting a VPN Topology, OL-8214-02 OL-8214-02
Top Page Image Contents