Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 IPsec Settings (Optional)

6-6

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter6 VPN Wizards

IPsec IKEv1 Remote Access Wizard

The default, 3DES, is more secure than DES but requires more processing for encryption and

decryption. Similarly, the AES options provide increased security but also require increased

processing.

•Authentication—Choose the hash algorithm used for authentication and ensuring data integrity. The

default is SHA. MD5 has a smaller digest and is considered to be slightly faster than SHA. There

has been a demonstrated successful (but extremely difficult) attack against MD5. However, the

Keyed-Hash Message Authentication Code (HMAC) version used by the ASA prevents this attack.

•Diffie-Hellman Group—Choose the Diffie-Hellman group identifier, which the two IPsec peers use

to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit

Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).

Note The default value for the VPN 3000 Series Concentrator is MD5. A connection between the ASA and

the VPN Concentrator requires that the authentication method for Phase I and II IKE negotiations be the

same on both sides of the connection.

IPsec Settings (Optional)

Use the IPsec Settings (Optional) pane to identify local hosts/networks which do not require address

translation. By default, the ASA hides the real IP addresses of internal hosts and networks from outside

hosts by using dynamic or static Network Address Translation (NAT). NAT minimizes risks of attack by

untrusted outside hosts but may be improper for those who have been authenticated and protected by

VPN.

For example, an inside host using dynamic NAT has its IP address translated by matching it to a

randomly selected address from a pool. Only the translated address is visible to the outside. Remote VPN

clients that attempt to reach these hosts by sending data to their real IP addresses cannot connect to these

hosts, unless you configure a NAT exemption rule.

Note If you want all hosts and networks to be exempt from NAT, configure nothing on this pane. If you have

even one entry, all other hosts and networks are subject to NAT.

Fields

•Interface—Choose the name of the interface that connects to the hosts or networks you have

selected.

•Exempt Networks—Select the IP address of the host or network that you want to exempt from the

chosen interface network.

•Enable split tunneling—Select to have traffic from remote access clients destined for the public

Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted,

while traffic to unprotected networks is unencrypted. When you enable split tunneling, the ASA

pushes a list of IP addresses to the remote VPN client after authentication. The remote VPN client

encrypts traffic to the IP addresses that are behind the ASA. All other traffic travels unencrypted

directly to the Internet without involving the ASA.

•Enable Perfect Forwarding Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the

size of the numbers to use, in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each

new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys

unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.

Cisco Systems IPsec Settings (Optional)