Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Add/Edit Internal Group Policy

69-30

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

ACL Manager

•Add ACE—Displays the Add Web Type ACE dialog box, in which you specify parameters for the

named ACL. This button is active only if there are one or more entries in the Web Type ACL table.

•Edit ACE/Delete—Click to edit or delete the highlighted ACL or ACE. When you delete an ACL,

you also delete all of its ACEs. No warning or undelete.

•Move Up/Move Down—Highlight an ACL or ACE and click these buttons to change the order of

ACLs and ACEs. The ASA checks ACLs and their ACEs in priority order according to their position

in the ACLs list box until it finds a match.

Modes

The following table shows the modes in which this feature is available:

Add/Edit Internal Group Policy > IPsec Client

The Add or Edit Group Policy > IPsec dialog box lets you specify tunneling protocols, filters, connection

settings, and servers for the group policy being added or modified.

Fields

•Re-Authentication on IKE Re-key—Enables or disables reauthentication when IKE re-key occurs,

unless the Inherit check box is checked. The user has 30 seconds to enter credentials, and up to three

attempts before the SA expires at approximately two minutes and the tunnel terminates.

•Allow entry of authentication credentials until SA expires—Allow users the time to reenter

authentication credentials until the maximum lifetime of the configured SA.

•IP Compression—Enables or disables IP Compression, unless the Inherit check box is checked.

•Perfect Forward Secrecy—Enables or disables perfect forward secrecy (PFS), unless the Inherit

check box is selected. PFS ensures that the key for a given IPsec SA was not derived from any other

secret (like some other keys). In other words, if someone were to break a key, PFS ensures that the

attacker would not be able to derive any other key. If PFS were not enabled, someone could

hypothetically break the IKE SA secret key, copy all the IPsec protected data, and then use

knowledge of the IKE SA secret to compromise the IPsec SAs set up by this IKE SA. With PFS,

breaking IKE would not give an attacker immediate access to IPsec. The attacker would have to

break each IPsec SA individually.

•Store Password on Client System—Enables or disables storing the password on the client system.

Note Storing the password on a client system can constitute a potential security risk.

•IPsec over UDP—Enables or disables using IPsec over UDP.

•IPsec over UDP Port—Specifies the UDP port to use for IPsec over UDP.

•Tunnel Group Lock—Enables locking the tunnel group you select from the list, unless the Inherit

check box or the value None is selected.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Add/Edit Internal Group Policy > IPsec Client