33-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
ASA Group Policies Dialog Box
ASA Group Policies IPSec Settings
Use the IPsec settings to specify tunneling protocols, filters, connection settings, and servers for the ASA
group policy for Easy VPN or remote access IPSec VPN. This creates security associations that govern
authentication, encryption, encapsulation, and key management.
Navigation Path
Select Easy VPN/IPSec VPN > IPsec from the table of contents in the ASA Group Policies Dialog Box,
page 33-1.
Enable LEAP Bypass Whether to enable Lightweight Extensible Authentication Protocol
(LEAP) packets from wireless devices behind a VPN hardware client to
travel across a VPN tunnel prior to user authentication. This action lets
workstations using Cisco wireless access point devices establish LEAP
authentication and then authenticate again per user authentication.
Note LEAP is an 802.1X wireless authentication method that
implements mutual authentication between a wireless client on
one side of a connection and a RADIUS server on the other
side. The credentials used for authentication, including a
password, are always encrypted before they are transmitted
over the wireless medium.
Allow Network Extension
Mode
Whether to enable network extension mode for hardware clients.
Network extension mode lets hardware clients present a single, routable
network to the remote private network over the VPN tunnel. IPsec
encapsulates all traffic from the private network behind the hardware
client to networks behind the security appliance. PAT does not apply.
Devices behind the security appliance have direct access to devices on
the private network behind the hardware client over the tunnel, and only
over the tunnel, and vice versa. The hardware client must initiate the
tunnel, but after the tunnel is up, either side can initiate data exchange.
Idle Timeout Mode How to handle periods of inactivity from individual clients:
Specified Timeout—If there is no communication activity by a user
behind a hardware client for the number of minutes you specify, the
security appliance terminates the client’s access. Values are
1-35791394 minutes.
Unlimited Timeout—User sessions are not terminated due to
inactivity.
Table33-4 ASA Group Policies Hardware Client Attributes (Continued)
Element Description