71-5
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter71 Configuring Easy VPN Services on the ASA 5505
Comparing Tunneling Options
If you configure an ASA 5505 to use TCP-encapsulated IPsec, enter the following command to let it send
large packets over the outside interface:
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within
the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN
hardware client send packets that are larger than the MTU size.
The following example shows how to configure the Easy VPN hardware client to use TCP-encapsulated
IPsec, using the default port 10000, and to let it send large packets over the outside interface:
hostname(config)# vpnclient ipsec-over-tcp
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
The next example shows how to configure the Easy VPN hardware client to use TCP-encapsulated IPsec,
using the port 10501, and to let it send large packets over the outside interface:
hostname(config)# vpnclient ipsec-over-tcp port 10501
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
To remove the attribute from the running configuration, use the no form of this command, as follows:
no vpnclient ipsec-over-tcp
For example:
hostname(config)# no vpnclient ipsec-over-tcp
hostname(config)#
Comparing Tunneling Options
The tunnel types the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depends on a
combination of the following factors:
Use of the split-tunnel-network-list and the split-tunnel-policy commands on the headend to
permit, restrict, or prohibit split tunneling. (See the Creating a Network List for Split-Tunneling,
page 67-50 and “Setting the Split-Tunneling Policy” section on page67-50, respectively.)
Split tunneling determines the networks for which the remote-access client encrypts and sends data
through the secured VPN tunnel, and determines which traffic it sends to the Internet in the clear.
Use of the vpnclient management command to specify one of the following automatic tunnel
initiation options:
tunnel to limit administrative access to the client side by specific hosts or networks on the
corporate side and use IPsec to add a layer of encryption to the management sessions over the
HTTPS or SSH encryption that is already present.
clear to permit administrative access using the HTTPS or SSH encryption used by the
management session.
no to prohibit management access