30-41
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
The Access page opens. For a description of the elements on this page, see SSL VPN Access Policy Page, page 30-37.
Step 2 In the interface table at the top of the policy, configure all of the interfaces on which you will allow remote access SSL or IKEv2 IPSec VPN connections:

• To add an interface, click the Add Row (+) button beneath the table and fill in the Add Access Interface Configuration dialog box. You must specify the interface name (or an interface role object that identifies the desired interfaces) and whether to allow access on the interface.

You can also specify the PKI enrollment object that identifies the Certificate Authority (CA) server trustpoint for the interface (and a load balancing trustpoint if you use load balancing), whether to enable DTLS connections, and whether to require that the client have a valid certificate to complete a connection. For details about the options, see Access Interface Configuration Dialog Box, page 30-40.

• To edit the settings for an interface, select it and click the Edit Row (pencil) button.

• To delete an interface, select it and click the Delete Row button. Keep in mind that you can edit the interface settings to disable access, so you should delete an interface only if you want to permanently remove it from VPN use.
Step 3 Configure the remaining settings. The settings are described in detail in SSL VPN Access Policy Page, page 30-37. The following are the settings that are of particular interest:

• Fallback Trustpoint—The Certificate Authority (CA) server trustpoint to use if an interface does not have a trustpoint configured in the table. Enter the name of a PKI enrollment object, or click Select to select one or to create a new object.

• Allow Users to Select Connection Profile in Portal Page—If you have multiple tunnel groups, selecting this option allows the user to select the correct tunnel group during login. You must select this option for IKEv2 IPSec VPNs.

• Enable AnyConnect Access—The AnyConnect VPN client is a full client; you must enable AnyConnect access if you want to allow full client access to the VPN. You must select this option for IKEv2 IPSec VPNs.

For more information about AnyConnect, including AnyConnect Essentials, see Understanding SSL VPN AnyConnect Client Settings, page 30-52.

• Enable AnyConnect Essentials—Select this option if you are using AnyConnect Essentials clients, which you can use with remote access SSL or IKEv2 IPSec VPNs.
Step 4 Any trustpoints that you specify in this policy must also be selected in the Public Key Infrastructure policy. For more information, see Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52.
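The procedure above describes the Access policy only in terms of the Security Manager GUI. The following added example (not part of this guide or of Security Manager) audits an ASA running-config for the same settings: which interfaces allow VPN access, whether DTLS is enabled, which trustpoint each interface uses or falls back to, and whether a client certificate is required. The mapping of the policy options onto the `webvpn enable`, `ssl trust-point` and `ssl certificate-authentication` commands is my assumption from ASA CLI syntax and is not shown on this page; the sample config, interface and trustpoint names are constructed.

```python
import re

# Constructed sample running-config excerpt (not from a real device); names are hypothetical.
SAMPLE_CONFIG = """\
ssl trust-point FALLBACK_TP
ssl trust-point OUTSIDE_TP outside
ssl certificate-authentication interface outside port 443
webvpn
 enable outside
 enable dmz tls-only
 tunnel-group-list enable
 anyconnect enable
"""

def parse_access_config(config):
    # Map the Access policy settings onto the ASA CLI lines assumed to carry them.
    state = {"fallback_trustpoint": None, "tunnel_group_list": False,
             "anyconnect": False, "interfaces": {}}
    in_webvpn = False
    for raw in config.splitlines():
        line = raw.strip()
        in_webvpn = line == "webvpn" or (in_webvpn and raw.startswith(" "))  # indented block
        if in_webvpn:
            m = re.fullmatch(r"enable (\S+)( tls-only)?", line)
            if m:  # interface allows VPN access; tls-only means DTLS is off
                ifc = state["interfaces"].setdefault(m.group(1), {})
                ifc.update(enabled=True, dtls=m.group(2) is None)
            elif line == "tunnel-group-list enable":  # profile selection on the portal page
                state["tunnel_group_list"] = True
            elif line == "anyconnect enable":
                state["anyconnect"] = True
            continue
        m = re.fullmatch(r"ssl trust-point (\S+)(?: (\S+))?", line)
        if m and m.group(2) is None:  # no interface given: the fallback trustpoint
            state["fallback_trustpoint"] = m.group(1)
        elif m:
            state["interfaces"].setdefault(m.group(2), {})["trustpoint"] = m.group(1)
        m = re.fullmatch(r"ssl certificate-authentication interface (\S+) port \d+", line)
        if m:  # clients must present a valid certificate on this interface
            state["interfaces"].setdefault(m.group(1), {})["client_cert_required"] = True
    return state

def find_gaps(state):
    """Flag enabled interfaces that fall short of the policy's strongest options."""
    gaps = []
    for name, ifc in state["interfaces"].items():
        if ifc.get("enabled") and "trustpoint" not in ifc and not state["fallback_trustpoint"]:
            gaps.append(f"{name}: no trustpoint on the interface and no fallback trustpoint")
        if ifc.get("enabled") and not ifc.get("client_cert_required"):
            gaps.append(f"{name}: client certificate not required")
    return gaps
```

Running `find_gaps(parse_access_config(SAMPLE_CONFIG))` on the constructed config reports only the dmz interface, which has no client-certificate requirement; outside has its own trustpoint and requires a certificate, and the global trustpoint covers any interface without one.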
Configuring Other SSL VPN Settings (ASA)
The SSL VPN Other Settings policy for ASA devices defines settings that include caching, content rewriting, character encoding, proxy and proxy bypass definitions, browser plug-ins, AnyConnect client images and profiles, Kerberos Constrained Delegation, and some other advanced settings.

To configure the Other Settings policy, do one of the following:

• (Device View) Select Remote Access VPN > SSL VPN > Other Settings from the Policy selector.

• (Policy View) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy Type selector. Select an existing policy or create a new one.