User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Customizing Clientless SSL VPN Portals, page 30-65
Overview of Remote Access VPN Policies for ASA and PIX 7.0+ Devices
When you configure remote access VPNs on ASA or PIX 7.0+ devices, you use the following policies based on the type of VPN you are configuring. Possible remote access VPN types are: IKE version 1 (IKEv1) IPsec, IKE version 2 (IKEv2) IPsec, and SSL. IKEv2 is supported on ASA 8.4(x) devices only. Table 30-1 explains the conditions under which these policies are required or optional.
Note: You cannot configure SSL VPNs on PIX devices; PIX devices support remote access IKEv1 IPsec VPNs only.
Policies used with remote access IKEv1 and IKEv2 IPsec and SSL VPNs:
ASA Cluster Load Balancing—In a remote client configuration in which you are using two or more devices connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. Load balancing is effective only on remote sessions initiated with an ASA device. For more information, see Understanding Cluster Load Balancing (ASA), page 30-4.
Connection Profiles—A connection profile is a set of records that contain VPN tunnel connection policies, including the attributes that pertain to creating the tunnel itself. Connection profiles identify the group policies for a specific connection, which includes user-oriented attributes. For more information, see Configuring Connection Profiles (ASA, PIX 7.0+), page 30-6.
Dynamic Access—Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles that each user might inhabit within an organization, and logins from remote access sites with different configurations and levels of security. Dynamic access policies (DAP) let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. For more information, see Chapter 31, “Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)”.
Global Settings—You can define global settings that apply to all devices in your remote access VPNs. These settings include Internet Key Exchange (IKE), IKEv2, IPsec, NAT, and fragmentation definitions. The global settings typically have defaults that work in most situations, so configuring the Global Settings policy is optional in most cases; configure it only if you need non-default behavior or if you are supporting IKEv2 negotiations. For more information, see Configuring VPN Global Settings, page 25-29.
Group Policies—You can view the user group policies defined for your remote access VPN connection profiles. From this page, you can specify new ASA user groups and edit existing ones. When you create a connection profile, if you specify a group policy that has not been used on the device, the group policy is automatically added to the Group Policies page; you do not need to add it to this policy before you create the connection profile. For more information, see Configuring Group Policies for Remote Access VPNs, page 30-21.