Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Add/Edit Tunnel Group > IPsec for LAN to LAN Access

69-104

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter69 General VPN Setup

Mapping Certificates to IPsec or SSL VPN Connection Profiles

–

Enable notification upon password expiration to allow user to change password—Checking this

check box makes the following two parameters available. If you do not also check the Enable

notification prior to expiration check box, the user receives notification only after the password

has expired.

–

Enable notification prior to expiration—When you check this option, the ASA notifies the

remote user at login that the current password is about to expire or has expired, then offers the

user the opportunity to change the password. If the current password has not yet expired, the

user can still log in using that password. This parameter is valid for AAA servers that support

such notification; that is, RADIUS, RADIUS with an NT server, and LDAP servers. The ASA

ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, it

enables the notification. If you check this check box, you must also specify the number of days.

–

Notify...days prior to expiration—Specifies the number of days before the current password

expires to notify the user of the pending expiration. The range is 1 through 180 days.

Modes

The following table shows the modes in which this feature is available:

Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec

The Add or Edit Tunnel Group dialog box for IPsec for Site-to-Site access, IPsec dialog box, lets you

configure or edit IPsec Site-to-Site-specific tunnel group parameters.

Fields

•Name—Specifies the name assigned to this tunnel group. For the Edit function, this field is

display-only.

•Type—(Display-only) Displays the type of tunnel group you are adding or editing. The contents of

this field depend on your selection on the previous dialog box.

•Pre-shared Key—Lets you specify the value of the pre-shared key for the tunnel group. The

maximum length of the pre-shared key is 128 characters.

•Trustpoint Name—Selects a trustpoint name, if any trustpoints are configured. A trustpoint is a

representation of a certificate authority. A trustpoint contains the identity of the CA, CA-specific

configuration parameters, and an association with one enrolled identity certificate.

•Authentication Mode—Specifies the authentication mode: none, xauth, or hybrid.

–

none—Specifies no authentication mode.

–

xauth—Specifies the use of IKE Extended Authentication mode, which provides the capability

of authenticating a user within IKE using TACACS+ or RADIUS.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Add/Edit Tunnel Group > IPsec for LAN to LAN Access > IPsec

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505