30-61
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 30 Managing Remote Access VPNs on ASA and PIX 7.0+ Devices
Working with SSL and IKEv2 IPSec VPN Policies
Configuring SSL VPN Advanced Settings (ASA)
Use the Advanced tab of the SSL VPN Other Settings page to configure the memory, on-screen
keyboard, and internal password features on ASA devices. All of these settings are optional.
Related Topics
Configuring Other SSL VPN Settings (ASA), page 30-41
Step 1 Do one of the following:
• (Device view) With an ASA device selected, select Remote Access VPN > SSL VPN > Other
  Settings from the Policy selector.
• (Policy view) Select Remote Access VPN > SSL VPN > Other Settings (ASA) from the Policy
  Type selector. Select an existing policy or create a new one.
Step 2 On the Other Settings page, click the Advanced tab.
Step 3 In the Memory Size field, specify the amount of memory you want to allocate to SSL VPN sessions.
The default is 50%.
To change the setting, select one of the following options and enter the desired number:
• % of Total Physical Memory—As a percentage of total memory. Default is 50%.
• Kilobytes—In kilobytes. 20KB is the minimum setting allowed. Cisco recommends that you do not
  specify memory in terms of KB because different ASA models have different total amounts of
  memory, for example:
Note: When you change the memory size, the new setting takes effect only after the system reboots.
Step 4 In the Enable On-Screen Keyboard field, select one of the following options:
• Disabled—The on-screen keyboard is not displayed. Users must input their credentials using the
  standard keyboard. This is the default.
• On All Pages—Allows a user to input credentials using an on-screen keyboard, which is displayed
  whenever logon credentials are required.
• On Logon Page Only—Allows a user to input credentials using an on-screen keyboard, which is
  displayed on the logon page but not on any other pages that require credentials.
Step 5 Select Allow Users to Enter Internal Password to require an additional password when accessing
internal sites. This feature is useful if you require that the internal password be different from the SSL
VPN password. For example, you can use a one-time password for authentication to ASA and another
password for internal sites.
Configuring SSL VPN Server Verification (ASA)
When connecting to a remote SSL-enabled server through clientless SSL VPN, it is important to know
that you can trust the remote server, and that it is in fact the server you are trying to connect to. ASA 9.0
introduces support for SSL server certificate verification against a list of trusted certificate authority
(CA) certificates for clientless SSL VPN.