Chapter 17 Configuring Virtual Private Networks

Sample ASA configuration summary

!--- Group-policy
group-policy GroupPhoneWebvpn internal
group-policy GroupPhoneWebvpn attributes
 banner none
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec svc webvpn
 default-domain value nw048b.cisco.com
 address-pools value Webvpn_POOL
 webvpn
  svc dtls enable
  svc keep-installer installed
  svc keepalive 120
  svc rekey time 4
  svc rekey method new-tunnel
  svc dpd-interval client none
  svc dpd-interval gateway 300
  svc compression deflate
  svc ask none default webvpn

!--- Configure user attributes
username test password S.eA5Qq5kwJqZ3QK encrypted
username test attributes
 vpn-group-policy GroupPhoneWebvpn
 service-type remote-access

!--- Configure username with Phone MAC address for certificate+password method
username CP-7975G-SEP001AE2BC16CB password k1kLGQIoxyCO4ti9 encrypted
username CP-7975G-SEP001AE2BC16CB attributes
 vpn-group-policy GroupPhoneWebvpn
 service-type remote-access

!--- Configure tunnel group for username-password authentication
tunnel-group VPNphone type remote-access
tunnel-group VPNphone general-attributes
 address-pool Webvpn_POOL
 default-group-policy GroupPhoneWebvpn
tunnel-group VPNphone webvpn-attributes
 group-url https://10.89.79.135/VPNphone enable

!--- Configure tunnel group with certificate only authentication
tunnel-group CertOnlyTunnelGroup type remote-access
tunnel-group CertOnlyTunnelGroup general-attributes
 default-group-policy GroupPhoneWebvpn
tunnel-group CertOnlyTunnelGroup webvpn-attributes
 authentication certificate
 group-url https://10.89.79.135/CertOnly enable

!--- Configure tunnel group with certificate + password authentication
tunnel-group CertPassTunnelGroup type remote-access
tunnel-group CertPassTunnelGroup general-attributes
 authorization-server-group LOCAL
 default-group-policy GroupPhoneWebvpn
 username-from-certificate CN
tunnel-group CertPassTunnelGroup webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-url https://10.89.79.135/CertPass enable
!
class-map inspection_default
 match default-inspection-traffic
!
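As an added audit check (not part of the guide or of Cisco's configuration), the following parses the three phone tunnel groups from the sample above and reports which authentication method each one enforces and whether the certificate+password group pre-fills the username from the phone certificate CN; the config excerpt is embedded as constructed input.

```python
import re
# Constructed sample input: the three tunnel groups from the ASA configuration above.
ASA_CONFIG = """\
tunnel-group VPNphone general-attributes
 address-pool Webvpn_POOL
 default-group-policy GroupPhoneWebvpn
tunnel-group VPNphone webvpn-attributes
 group-url https://10.89.79.135/VPNphone enable
tunnel-group CertOnlyTunnelGroup webvpn-attributes
 authentication certificate
 group-url https://10.89.79.135/CertOnly enable
tunnel-group CertPassTunnelGroup general-attributes
 authorization-server-group LOCAL
 username-from-certificate CN
tunnel-group CertPassTunnelGroup webvpn-attributes
 authentication aaa certificate
 pre-fill-username ssl-client
 group-url https://10.89.79.135/CertPass enable
"""

def parse_tunnel_groups(config):
    """Collect the indented lines under each 'tunnel-group NAME <section>-attributes' header."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) (general|webvpn)-attributes$", line)
        if m:
            current = groups.setdefault(m.group(1), {"general": [], "webvpn": []})[m.group(2)]
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
    return groups

def auth_posture(group):
    """Return (method, cert_cn_prefills_username) for one parsed tunnel group."""
    # Without an explicit 'authentication' line the ASA default is aaa (username/password).
    auth = next((ln.split()[1:] for ln in group["webvpn"]
                 if ln.startswith("authentication ")), ["aaa"])
    if "certificate" in auth and "aaa" in auth:
        method = "certificate+password"
    elif "certificate" in auth:
        method = "certificate-only"
    else:
        method = "password-only"
    # The cert+password method above ties the phone's MAC-based CN to its username entry.
    prefilled = (any(ln.startswith("pre-fill-username") for ln in group["webvpn"])
                 and "username-from-certificate CN" in group["general"])
    return method, prefilled

def audit(config):
    """Map each tunnel-group name to its authentication posture."""
    return {name: auth_posture(g) for name, g in parse_tunnel_groups(config).items()}
```

Running `audit(ASA_CONFIG)` distinguishes the password-only group (VPNphone) from the two certificate-based groups, which is the first thing to verify before exposing a group-url to phones.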

 

Cisco Unified Communications Manager Security Guide

17-14

OL-24124-01
