User Guide for Cisco Security Manager 4.4, OL-28826-01, Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices (page 30-6)
UDP Port—Specify the UDP destination port for the virtual cluster to which the device belongs.
The port is typically 9023, but if that port is in use by another application, enter the UDP destination
port number that you want to use for load balancing.
Enable IPsec Encryption, IPsec Shared Secret—If required, select Enable IPsec Encryption to
ensure that all load-balancing information exchanged between the devices is encrypted. If you
select this option, also enter (and confirm) the shared secret password. This is a case-sensitive
value of 4 to 16 characters, without spaces. The security appliances in the virtual cluster
communicate through LAN-to-LAN IPsec tunnels keyed with this secret, so the same value must
be configured on every device in the cluster; without encryption, cluster messages cross the
private network in the clear.
Step 4 Configure the priority of the server in the cluster. Select one of the following options:
Accept default device value—To accept the default priority value assigned to the device.
Configure same priority on all devices in the cluster—To configure the same priority value on all
the devices in the cluster. Then enter the priority number (1-10) to indicate the likelihood of the
device becoming the virtual cluster master, either at startup or when the existing master fails; the
higher the number, the more likely the device is to become the master.
Step 5 Specify the public and private interfaces to be used on the server:
Public Interfaces—The public interfaces to be used on the server. Enter the name of an interface or
interface role object, or click Select to select the interface or role or to create a new role.
Private Interfaces—The private interfaces to be used on the server. Enter the name of an interface
or interface role object, or click Select to select the interface or role or to create a new role.
Step 6 If required, select Send FQDN to client instead of an IP address when redirecting to enable
redirection using fully-qualified domain names. This option is available only for ASA devices running
8.0(2) or later. For more information, see Understanding Cluster Load Balancing (ASA), page 30-4.
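The ASA command set that a load-balancing policy of this shape ends up deploying, shown here as an added example rather than output taken from Security Manager or the Cisco guide. The interface names, the cluster address, the shared secret and the priority are assumed values; the commands themselves are the standard ASA vpn load-balancing subcommands, one per field in Steps 3 through 6.

```cisco
! Added example (not from the Cisco guide): ASA CLI for one member of a VPN
! load-balancing virtual cluster. Interface names, addresses, key and
! priority are assumed values; replace them with your own.
vpn load-balancing
 ! Public and private interfaces selected in Step 5
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual cluster address; identical on every member of the cluster
 cluster ip address 203.0.113.10
 ! UDP destination port; 9023 is the default, change it only on a conflict
 cluster port 9023
 ! Encrypt cluster messages over LAN-to-LAN IPsec. The key must be the
 ! same on every member: 4 to 16 characters, no spaces, case-sensitive.
 cluster encryption
 cluster key ClstrK3y!
 ! Master election priority (1-10); a higher value is more likely to win
 priority 5
 ! Step 6: redirect clients by FQDN instead of IP address (ASA 8.0(2)+)
 redirect-fqdn enable
 ! Activate this device as a cluster member
 participate
```

After deployment, `show vpn load-balancing` on each member shows the cluster role (master or backup), the current session load and the peers it has discovered; a member that never appears in its peers' output usually has a mismatched cluster key, port or cluster IP address. FQDN redirection also requires that each member be resolvable in DNS, because the master hands the client a name rather than an address.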
Configuring Connection Profiles (ASA, PIX 7.0+)
A connection profile is a set of records that contain VPN tunnel connection policies, including the
attributes that pertain to creating the tunnel itself. Connection profiles identify the group policies for a
specific connection, which includes user-oriented attributes. If you do not assign a group policy to a user,
the default connection profile for the connection applies. You can create one or more connection profiles
specific to your environment. You can configure connection profiles on the local remote access VPN
server or on external AAA servers.
When you discover remote access VPN policies on a device, Security Manager adds the default
connection profiles to the policy. You can edit these profiles, and the associated DfltGrpPolicy (renamed
in Security Manager as <device_display_name>DfltGrpPolicy), but you cannot delete them. The
following default connection profiles are supported in Security Manager:
DefaultRAGroup—The default connection profile for remote access IPsec VPNs.
DefaultWEBVPNGroup—The default connection profile for SSL VPNs. This connection profile is
discovered only for ASA 8.0+ devices.
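The ASA configuration that the default connection profiles and the group-policy binding correspond to, together with the double-authentication option that the next paragraph describes. This is an added example, not configuration from Security Manager or the Cisco guide: the Employees profile, the RA_POOL address pool and the RSA_SDI and AD_LDAP AAA server groups are assumed names (the server groups are assumed to be defined elsewhere), while DfltGrpPolicy, DefaultRAGroup and DefaultWEBVPNGroup are the device defaults named above.

```cisco
! Added example (not from the Cisco guide): the tunnel-group and
! group-policy commands behind a connection profile. Employees, RA_POOL,
! RSA_SDI and AD_LDAP are assumed names; the AAA server groups are assumed
! to be configured separately.
ip local pool RA_POOL 10.10.20.1-10.10.20.254 mask 255.255.255.0
!
! Device-level default group policy (discovered as <device>DfltGrpPolicy)
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
!
! Default connection profiles: always present on the device, never deleted.
! Each one identifies the group policy applied when no other is assigned.
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy DfltGrpPolicy
!
! Site-specific connection profile with double authentication:
! primary = one-time password (RSA SDI), secondary = Active Directory.
! The secondary group is consulted only if the primary authentication
! succeeds.
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool RA_POOL
 default-group-policy DfltGrpPolicy
 authentication-server-group RSA_SDI
 secondary-authentication-server-group AD_LDAP
```

`secondary-authentication-server-group` is the command behind the double authentication option and exists from ASA 8.2(1) onward; it accepts the optional `use-primary-username` keyword when both credential sets share a user name and only the second password should be prompted for. `show running-config tunnel-group Employees` confirms both server groups are attached to the profile.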
If you are configuring a connection profile on an ASA device, you have the option of configuring double
authentication. The double authentication feature implements two-factor authentication for remote
access to the network, in accordance with the Payment Card Industry Data Security Standard (PCI
DSS). This feature requires that the user enter two separate sets of login credentials at the login page.
For example, the primary authentication might be a one-time password, and the secondary authentication
might be a domain (Active Directory) credential. If the primary credential authentication fails, the
security appliance does not attempt to validate the secondary credentials. If either authentication fails,