69-111
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter69 General VPN Setup

Authenticating SSL VPN Connections

The SSL VPN Connections > Advanced > Authentication dialog box lets you configure authentication
attributes for SSL VPN connections.
System Options
The System Options pane lets you configure features specific to VPN sessions on the ASA.
Fields
Enable inbound IPsec sessions to bypass interface access-lists. Group policy and per-user
authorization access lists still apply to the traffic—By default, the ASA allows VPN traffic to
terminate on an ASA interface; you do not need to permit IKE or ESP (or other types of VPN packets)
in an access rule. When this option is checked, you also do not need an access rule for the local IP
addresses of decrypted VPN packets. Because the peer has already authenticated and the tunnel was
established using the VPN security mechanisms, this option simplifies configuration and spares the
ASA an interface access-list check on every decrypted packet. It does not remove all filtering:
group policy and per-user authorization access lists (VPN filters) still apply to the traffic, and
with this option checked they are the only access lists that restrict what a tunneled peer can reach.
You can require an interface access rule to apply to the local IP addresses by unchecking this option.
The access rule is then evaluated against the decrypted packet, so it matches the inner (local) IP
address, for example the address assigned to the VPN client, and not the public source address from
which the encrypted packet arrived.
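The following is an added example and not part of the ASDM guide: the CLI counterpart of both states of this checkbox, written for ASA 8.x syntax. The interface, ACL and group-policy names, the client pool 10.10.0.0/16 and the inside hosts 192.168.1.10 and 192.168.1.53 are made up for illustration, and the tunnel-group that references the group policy is assumed to exist already.

```cisco
! Added example, not from the ASDM guide. Names and addresses are constructed.
! 10.10.0.0/16 is the VPN client address pool, 192.168.1.0/24 the inside LAN.

! --- State 1: checkbox checked (the default, "sysopt connection permit-vpn").
! Decrypted VPN traffic bypasses the interface ACL, so the group-policy VPN
! filter is the only access list restricting what clients can reach.
! VPN-filter ACEs are written with the remote (client) address as the source.
sysopt connection permit-vpn
access-list VPN_FILTER extended permit tcp 10.10.0.0 255.255.0.0 host 192.168.1.10 eq 443
access-list VPN_FILTER extended permit udp 10.10.0.0 255.255.0.0 host 192.168.1.53 eq 53
access-list VPN_FILTER extended deny ip any any log
group-policy RA_POLICY attributes
 vpn-filter value VPN_FILTER

! --- State 2: checkbox unchecked.
! Decrypted packets are now also subject to the inbound ACL on the terminating
! interface, matched on the inner client address (10.10.x.x), not the public one.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.10.0.0 255.255.0.0 host 192.168.1.10 eq 443
access-list OUTSIDE_IN extended permit udp 10.10.0.0 255.255.0.0 host 192.168.1.53 eq 53
access-group OUTSIDE_IN in interface outside
! As the field description above states, IKE and ESP still terminate on the
! interface without an ACE; the checkbox only governs the decrypted packets.

! --- Verify which state is active ("all" is needed to show default settings):
show running-config all sysopt
show access-list VPN_FILTER
show access-list OUTSIDE_IN
```

Keeping a VPN filter in place in both states is the practical choice: when the bypass is on it is the only ACL that applies to tunneled users, and when the bypass is off it still limits each group independently of the shared interface ACL.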
Limit the maximum number of active IPsec VPN sessions—Enables or disables limiting the
maximum number of active IPsec VPN sessions. The range depends on the hardware platform and
the software license.
Maximum Active IPsec VPN Sessions—Specifies the maximum number of active IPsec VPN
sessions allowed. This field is active only when you select the preceding check box to limit the
maximum number of active IPsec VPN sessions.
L2TP Tunnel Keep-alive Timeout—Specifies the frequency, in seconds, of keepalive messages. The
range is 10 through 300 seconds. The default is 60 seconds.
Preserve stateful VPN flows when tunnel drops for Network-Extension Mode (NEM)—Enables or
disables preserving IPsec tunneled flows in Network-Extension Mode. With the persistent IPsec
tunneled flows feature enabled, as long as the tunnel is re-established before the flow's idle timeout
expires, data continues flowing because the security appliance still holds the flow's state
information. This option is disabled by default.
Note Tunneled TCP flows are not dropped, so they rely on the TCP timeout for cleanup. However, if
the timeout is disabled for a particular tunneled flow, that flow remains in the system until being
cleared manually or by other means (for example, by a TCP RST from the peer).
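As an added example that is not part of the ASDM guide, the CLI commands behind the remaining fields of this pane, so that a setting made in ASDM can be checked from the console. The values are illustrative; the command names are those of ASA 8.x (the session-limit command was renamed in later releases), and the session cap of 50 is an arbitrary value within whatever the platform and license allow.

```cisco
! Added example, not from the ASDM guide. Values are illustrative.

! "Limit the maximum number of active IPsec VPN sessions" and
! "Maximum Active IPsec VPN Sessions": new sessions beyond the cap are refused.
vpn-sessiondb max-session 50
! To remove the cap again (unchecking the box in ASDM):
! no vpn-sessiondb max-session

! "L2TP Tunnel Keep-alive Timeout": hello interval in seconds, 10-300, default 60.
l2tp tunnel hello 30

! "Preserve stateful VPN flows when tunnel drops for Network-Extension Mode":
! off by default. When on, flows of a dropped NEM tunnel are kept until their
! own idle timeout expires and resume if the tunnel is re-established first.
sysopt connection preserve-vpn-flows

! Verify. "all" is required to display sysopt settings still at their default.
show running-config all sysopt
show vpn-sessiondb summary
```

The keepalive value only affects how quickly a dead L2TP tunnel is noticed; the session cap and the flow-preservation option are the two settings worth re-checking with the show commands after an ASDM change, since a default that is silently in effect does not appear in the ordinary running configuration.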
Modes
The following table shows the modes in which this feature is available: