71-12
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter71 Configuring Easy VPN Services on the ASA 5505
Guidelines for Configuring the Easy VPN Server
Note IPsec NAT-T connections are the only IPsec connection types supported on the home VLAN of a Cisco
ASA 5505. IPsec over TCP and native IPsec connections are not supported.
Authentication Options
The ASA 5505 supports the following authentication mechanisms, which it obtains from the group
policy stored on the Easy VPN Server. The following list identifies the authentication options supported
by the Easy VPN hardware client, however, you must configure them on the Easy VPN server:
Secure unit authentication (SUA, also called Interactive unit authentication)
Ignores the vpnclient username Xauth command (described in “Configuring Automatic Xauth
Authentication” section on page71-4) and requires the user to authenticate the ASA 5505 by
entering a password. By default, SUA is disabled. You can use the secure-unit-authentication
enable command in group-policy configuration mode to enable SUA. See Configuring Secure Unit
Authentication, page67-53.
Individual user authentication
Requires users behind the ASA 5505 to authenticate before granting them access to the enterprise
VPN network. By default, IUA is disabled. To enable the IUA, use the user-authentication enable
command in group-policy configuration mode. See Configuring User Authentication, page67-53.
The security appliance works correctly from behind a NAT device, and if the ASA5505 is configured
in NAT mode, the provisioned IP (to which the clients all PAT) is injected into the routing table on
the central-site device.
Caution Do not configure IUA on a Cisco ASA 5505 configured as an Easy VPN server if a NAT device
is operating between the server and the Easy VPN hardware client.
Use the user-authentication-idle-timeout command to set or remove the idle timeout period after
which the Easy VPN Server terminates the client’s access. See Configuring an Idle Timeout,
page 67-54.
Authentication by HTTP redirection
The Cisco Easy VPN server intercepts HTTP traffic and redirects the user to a login page if one of
the following is true:
SUA or the username and password are not configured on the Easy VPN hardware client.
IAU is enabled.
HTTP redirection is automatic and does not require configuration on the Easy VPN Server.
Preshared keys, digital certificates, tokens and no authentication
The ASA 5505 supports preshared keys, token-based (e.g., SDI one-time passwords), and “no user
authentication” for user authentication. NOTE: The Cisco Easy VPN server can use the digital
certificate as part of user authorization. See Chapter 64, “Configuring IPsec and ISAKMP” for
instructions.