Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 VPN Wizards

CHAPT ER

6-1

Cisco ASA 5500 Series Configuration Guide using ASDM

VPN Wizards

The ASA provides Secure Socket Layer (SSL) remote access connectivity from almost any

Internet-enabled location using only a Web browser and its native SSL encryption. Clientless,

browser-based VPN lets users establish a secure, remote-access VPN tunnel to the adaptive security

appliance using a web browser. After authentication, users access a portal page and can access specific,

supported internal resources. The network administrator provides access to resources by users on a group

basis. Users have no direct access to resources on the internal network.

The Cisco AnyConnect VPN client provides secure SSL connections to the ASA for remote users with

full VPN tunneling to corporate resources. Without a previously-installed client, remote users enter the

IP address in their browser of an interface configured to accept clientless VPN connections. The ASA

downloads the client that matches the operating system of the remote computer. After downloading, the

client installs and configures itself, establishes a secure connection and either remains or uninstalls itself

(depending on the ASA configuration) when the connection terminates. In the case of a previously

installed client, when the user authenticates, the ASA examines the revision of the client and upgrades

the client as necessary.

With the addition of IKEv2 support in release 8.4, the end user can have the same experience

independent of the tunneling protocol used by the AnyConnect client session. This addition allows other

vendors’ VPN clients to connect to the ASAs. This support enhances security and complies with the

IPsec remote access requirements defined in federal and public sector mandates.

The VPN wizard lets you configure basic LAN-to-LAN and remote access VPN connections and assign

either preshared keys or digital certificates for authentication. Use ASDM to edit and configure advanced

features.

The ASA creates a Virtual Private Network by creating a secure connection across a TCP/IP network

(such as the Internet) that users see as a private connection. It can create single-user-to-LAN connections

and LAN-to-LAN connections.

For LAN-to-LAN connections using both IPv4 and IPv6 addressing, the security appliance supports

VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks

have matching addressing schemes (both IPv4 or both IPv6). This is also true if both peer inside

networks are IPv6 and the outside network is IPv6.

The secure connection is called a tunnel, and the ASA uses tunneling protocols to negotiate security

parameters, create and manage tunnels, encapsulate packets, transmit or receive them through the tunnel,

and unencapsulate them. The ASA functions as a bidirectional tunnel endpoint: it can receive plain

Cisco Systems VPN Wizards