68-9
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Creating IKE Policies
Lifetime (secs)—Either check Unlimited or enter an integer for the SA lifetime. The default is 86,400
seconds or 24 hours. With longer lifetimes, the ASA sets up future IPsec security associations more
quickly. Encryption strength is great enough to ensure security without using very fast rekey times, on
the order of every few minutes. We recommend that you accept the default.
Time Measure—Choose a time measure. The ASA accepts the following values:
Assignment Policy
IP addresses make internetwork connections possible. They are like telephone numbers: both the sender
and receiver must have an assigned number to connect. But with VPNs, there are actually two sets of
addresses: the first set connects client and server on the public network; and once that connection is
made, the second set connects client and server through the VPN tunnel.
In ASA address management, we are dealing with the second set of IP addresses: those private IP
addresses that connect a client with a resource on the private network, through the tunnel, and let the
client function as if it were directly connected to the private network. Furthermore, we are dealing only
with the private IP addresses that get assigned to clients. The IP addresses assigned to other resources
on your private network are part of your network administration responsibilities, not part of ASA
management.
Therefore, when we discuss IP addresses here, we mean those IP addresses available in your private
network addressing scheme, that let the client function as a tunnel endpoint.
The Assignment Policy pane lets you choose a way to assign IP addresses to remote access clients.
Fields
Use authentication server—Choose to assign IP addresses retrieved from an authentication server
on a per-user basis. If you are using an authentication server (external or internal) that has IP
addresses configured, we recommend using this method. Configure AAA servers in the
Configuration > AAA Setup pane.
Use DHCP—Choose to obtain IP addresses from a DHCP server. If you use DHCP, configure the
server in the Configuration > DHCP Server pane.
Use internal address pools—Choose to have the ASA assign IP addresses from an internally
configured pool. Internally configured address pools are the easiest method of address pool
assignment to configure. If you use this method, configure the IP address pools in the Configuration >
Remote Access VPN > Network (Client) Access > Address Assignment > Address Pools pane.
Hash algorithm values (table continuation):
sha384: SHA 2, 384-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 384-bit digest.
sha512: SHA 2, 512-bit digest. Specifies the Secure Hash Algorithm SHA 2 with the 512-bit digest.
Time Measure values (accepted Lifetime range for each measure):
120 - 86,400 seconds
2 - 1440 minutes
1 - 24 hours
1 day
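As an added example that is not part of the Cisco guide, the Python below validates a Lifetime/Time Measure pair against the ranges listed above, converts it to seconds, and audits a constructed running-config excerpt for IKE policies whose lifetime departs from the recommended 86,400-second default. The `crypto ikev1 policy` / `lifetime` rendering of the ASDM field, and `lifetime none` standing for Unlimited, are assumptions made for the sample.

```python
import re

# ASDM Lifetime range per Time Measure (from the guide's table) and its multiplier to seconds.
RANGES = {"seconds": (120, 86_400, 1), "minutes": (2, 1_440, 60),
          "hours": (1, 24, 3_600), "day": (1, 1, 86_400)}
DEFAULT_LIFETIME = 86_400  # the 24-hour default the guide recommends keeping

def lifetime_seconds(value, measure):
    """Validate a Lifetime/Time Measure pair and return it in seconds; None = Unlimited."""
    if value is None:
        return None
    low, high, mult = RANGES[measure]
    if not low <= value <= high:
        raise ValueError(f"{value} {measure}: outside accepted range {low}-{high}")
    return value * mult

# Constructed running-config excerpt, not from the guide. Assumption: the field is written as
# 'lifetime <seconds>' under 'crypto ikev1 policy <n>', 'lifetime none' means Unlimited,
# and a policy with no lifetime line uses the default.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 hash sha
 lifetime 86400
crypto ikev1 policy 20
 lifetime none
crypto ikev1 policy 30
 lifetime 300
crypto ikev1 policy 40
"""

def parse_lifetimes(config):
    """Map each policy priority to its IKE SA lifetime in seconds (None = Unlimited)."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto ikev1 policy (\d+)$", line):
            current = int(m.group(1))
            policies[current] = DEFAULT_LIFETIME
        elif current is not None and (m := re.match(r"\s+lifetime (none|\d+)$", line)):
            policies[current] = None if m.group(1) == "none" else int(m.group(1))
    return policies

def audit(config):
    """Report policies whose lifetime departs from the recommended default."""
    findings = []
    for prio, secs in parse_lifetimes(config).items():
        if secs is None:
            findings.append((prio, "Unlimited: the IKE SA is never rekeyed on a timer"))
        elif secs != DEFAULT_LIFETIME:
            findings.append((prio, f"{secs}s differs from the 86400s default"))
    return findings
```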