Overview of Remote Access VPN Policies for ASA and PIX 7.0+ Devices
Note: From version 4.17, though Cisco Security Manager continues to support PIX features/functionality, it does not support any enhancements.
When you configure remote access VPNs on ASA or PIX 7.0+ devices, you use the following policies based on the type of VPN you are configuring. Possible remote access VPN types are: IKE version 1 (IKEv1) IPsec, IKE version 2 (IKEv2) IPsec, and SSL. IKEv2 is supported on ASA devices running the software version 8.4(x) and later. Table 1 explains the conditions under which these policies are required or optional.
Note: You cannot configure SSL VPNs on PIX devices; PIX devices support remote access IKEv1 IPsec VPNs only.
Policies used with remote access IKEv1 and IKEv2 IPsec and SSL VPNs:

- ASA Cluster Load Balancing—In a remote client configuration in which you are using two or more devices connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. Load balancing is effective only on remote sessions initiated with an ASA device. For more information, see Understanding Cluster Load Balancing (ASA).
- Connection Profiles—A connection profile is a set of records that contain VPN tunnel connection policies, including the attributes that pertain to creating the tunnel itself. Connection profiles identify the group policies for a specific connection, which includes user-oriented attributes. For more information, see Configuring Connection Profiles (ASA, PIX 7.0+).
- Dynamic Access—Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles that each user might inhabit within an organization, and logins from remote access sites with different configurations and levels of security. Dynamic access policies (DAP) let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. For more information, see Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices).

  Note: For multi-context ASA devices, the Dynamic Access policy is supported by Security Manager version 4.12 and ASA version 9.6(2) onwards only.

- Global Settings—You can define global settings that apply to all devices in your remote access VPNs. These settings include Internet Key Exchange (IKE), IKEv2, IPsec, NAT, and fragmentation definitions. The global settings typically have defaults that work in most situations, so configuring the Global Settings policy is optional in most cases; configure it only if you need non-default behavior or if you are supporting IKEv2 negotiations. For more information, see Configuring VPN Global Settings.
- Group Policies—You can view the user group policies defined for your remote access VPN connection profiles. From this page, you can specify new ASA user groups and edit existing ones. When you create a connection profile, if you specify a group policy that has not been used on the device, the group policy is automatically added to the Group Policies page; you do not need to add it to this policy before you create the connection profile. For more information, see Configuring Group Policies for Remote Access VPNs.
- Public Key Infrastructure—You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are used to manage these certificate requests and issue certificates to users who connect to your IPsec or SSL remote access VPN. For more information, see Understanding Public Key Infrastructure Policies and Configuring Public Key Infrastructure Policies for Remote Access VPNs.

  Note: For multi-context ASA devices, the Public Key Infrastructure policy is supported by Security Manager version 4.12 and ASA version 9.6(2) onwards only.

- Username from Cert Scripts—You can use this policy to define a script to use in mapping the username from the certificate. For more information, see Add/Edit Scripts Dialog Box.

  Note: For multi-context ASA devices, the Username from Cert Scripts policy is supported by Security Manager version 4.12 and ASA version 9.6(2) onwards only.

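The Dynamic Access entry above describes authorization built from a collection of access control attributes matched against a user session. The following is an added, self-contained example (not Security Manager or ASA code) of how such records can be evaluated: each record names the AAA attributes and endpoint attributes it requires, all matching records are aggregated, and a record whose action is "terminate" overrides everything else. The record and session field names, the aggregation order (highest priority first) and the sample data are this example's assumptions; the default ACL name `default-acl` is a constructed placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DapRecord:
    """One dynamic access record (constructed model, not the ASA data structure)."""
    name: str
    priority: int              # higher priority contributes its ACLs first when aggregating
    aaa_match: dict            # AAA attribute -> required value; all must match
    endpoint_match: dict       # endpoint attribute -> required value; all must match
    action: str = "continue"   # "continue" or "terminate"
    network_acls: tuple = ()   # ACL names applied to the session


@dataclass(frozen=True)
class Session:
    aaa: dict        # e.g. {"ldap.memberOf": ["Employees", "VPN-Engineering"]}
    endpoint: dict   # e.g. {"os": "Windows", "av.installed": True}


@dataclass(frozen=True)
class DapResult:
    action: str
    acls: tuple
    matched: tuple


def _matches(required, actual):
    """True when every required attribute is present with the wanted value.
    Multi-valued attributes (lists, e.g. LDAP memberOf) match if they contain the value."""
    for attr, want in required.items():
        have = actual.get(attr)
        if isinstance(have, (list, tuple, set)):
            if want not in have:
                return False
        elif have != want:
            return False
    return True


def evaluate_dap(session, records, default_acls=("default-acl",)):
    """Aggregate all records that match the session.

    No match: fall back to the default ACLs. Any matching "terminate" record: deny the
    session. Otherwise merge ACLs from the matching records, highest priority first,
    without duplicates. (Aggregation rules are this example's assumption.)"""
    matched = [r for r in records
               if _matches(r.aaa_match, session.aaa) and _matches(r.endpoint_match, session.endpoint)]
    if not matched:
        return DapResult("continue", tuple(default_acls), ())
    names = tuple(r.name for r in matched)
    if any(r.action == "terminate" for r in matched):
        return DapResult("terminate", (), names)
    acls = []
    for record in sorted(matched, key=lambda r: r.priority, reverse=True):
        for acl in record.network_acls:
            if acl not in acls:
                acls.append(acl)
    return DapResult("continue", tuple(acls), names)


# Constructed sample records for illustration.
SAMPLE_RECORDS = (
    DapRecord("Block-Unknown-OS", 5, {}, {"os": "Unknown"}, action="terminate"),
    DapRecord("Quarantine-No-AV", 10, {}, {"av.installed": False},
              network_acls=("quarantine-only",)),
    DapRecord("All-Employees", 15, {"ldap.memberOf": "Employees"}, {"av.installed": True},
              network_acls=("corp-common",)),
    DapRecord("Engineering-Full", 20, {"ldap.memberOf": "VPN-Engineering"}, {"av.installed": True},
              network_acls=("eng-servers", "corp-common")),
)

# Constructed sample sessions.
SAMPLE_SESSIONS = {
    "engineer_ok": Session({"ldap.memberOf": ["Employees", "VPN-Engineering"]},
                           {"os": "Windows", "av.installed": True}),
    "engineer_no_av": Session({"ldap.memberOf": ["Employees", "VPN-Engineering"]},
                              {"os": "Windows", "av.installed": False}),
    "unknown_os": Session({"ldap.memberOf": ["Employees"]},
                          {"os": "Unknown", "av.installed": True}),
    "guest": Session({"ldap.memberOf": ["Guests"]},
                     {"os": "Windows", "av.installed": True}),
}

if __name__ == "__main__":
    for label, session in SAMPLE_SESSIONS.items():
        print(label, evaluate_dap(session, SAMPLE_RECORDS))
```

The point worth noticing is that the engineer whose endpoint fails the antivirus check does not lose access outright; the records that grant corporate ACLs simply stop matching and only the quarantine record remains, so the effective access is the intersection the posture allows.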
Policies used in remote access IPsec VPNs only:

- Certificate To Connection Profile Maps, Policy and Rules (IKEv1 IPsec only)—Certificate to connection profile map policies let you define rules to match a user’s certificate to a permission group based on specified fields. To establish authentication, you can use any field of the certificate, or you can have all certificate users share a permission group. You can match the group from the DN rules, the Organization Unit (OU) field, the IKE identity, or the peer IP address. You can use any or all of these methods. For more information, see Configuring Certificate to Connection Profile Map Policies (ASA).
- IKE Proposal—Internet Key Exchange (IKE), also called ISAKMP, is the negotiation protocol that enables two hosts to agree on how to build an IPsec security association. IKE is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and to automatically establish IPsec security associations (SAs). Use the IKE Proposal policy to define the requirements for phase 1 of the IKE negotiation. For more information, see Configuring an IKE Proposal.
- IPsec Proposal (ASA/PIX 7.x)—An IPsec proposal is a collection of one or more crypto maps. A crypto map combines all the components required to set up IPsec security associations (SAs), including IPsec rules, transform sets, remote peers, and other parameters that might be necessary to define an IPsec SA. The policy is used for IKE phase 2 negotiations. For more information, see Configuring an IPsec Proposal on a Remote Access VPN Server (ASA, PIX 7.0+ Devices).

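The certificate-to-connection-profile map entry above describes rules that match fields of the peer's certificate (DN attributes such as OU, the IKE identity, or the peer address) to a permission group. The following added example (not Security Manager or ASA code) shows one way such a rule set can be evaluated: rules are tried in priority order and the first rule whose criteria all match selects the profile. The field names, the operator set (`eq`, `ne`, `co`, `nc`), the CIDR handling for peer addresses, the default profile name `DefaultRAGroup` used here, and all sample rules and identities are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass


def parse_dn(dn):
    """Split an RFC 4514-style DN into {ATTRIBUTE: [values]}; a backslash escapes the next character."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    result = {}
    for part in parts:
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        result.setdefault(attr.strip().upper(), []).append(value.strip())
    return result


@dataclass(frozen=True)
class Criterion:
    field: str          # "subject", "issuer", "ike_identity" or "peer_ip" (constructed names)
    operator: str       # "eq", "ne", "co" (contains), "nc" (does not contain)
    value: str
    component: str = ""  # DN attribute (e.g. "OU") for subject/issuer criteria


@dataclass(frozen=True)
class MapRule:
    priority: int   # lower number is evaluated first
    profile: str    # connection profile selected when every criterion matches
    criteria: tuple


@dataclass(frozen=True)
class PeerIdentity:
    subject: str
    issuer: str
    ike_identity: str = ""
    peer_ip: str = ""


def _compare(actual_values, operator, expected):
    """Case-insensitive comparison of a (possibly multi-valued) attribute against one value."""
    expected = expected.lower()
    actual = [v.lower() for v in actual_values]
    if operator == "eq":
        return expected in actual
    if operator == "ne":
        return expected not in actual
    if operator == "co":
        return any(expected in v for v in actual)
    if operator == "nc":
        return not any(expected in v for v in actual)
    raise ValueError(f"unknown operator {operator!r}")


def criterion_matches(peer, crit):
    if crit.field in ("subject", "issuer"):
        values = parse_dn(getattr(peer, crit.field)).get(crit.component.upper(), [])
        return _compare(values, crit.operator, crit.value)
    if crit.field == "ike_identity":
        return _compare([peer.ike_identity], crit.operator, crit.value)
    if crit.field == "peer_ip":
        # Address criteria take a network in CIDR form: "eq" means inside it, "ne" outside it.
        if crit.operator not in ("eq", "ne"):
            raise ValueError("peer_ip criteria support only eq/ne")
        if not peer.peer_ip:
            return False
        inside = ipaddress.ip_address(peer.peer_ip) in ipaddress.ip_network(crit.value, strict=False)
        return inside if crit.operator == "eq" else not inside
    raise ValueError(f"unknown field {crit.field!r}")


def select_profile(peer, rules, default="DefaultRAGroup"):
    """Return the profile of the first rule (by priority) whose criteria all match, else the default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.criteria and all(criterion_matches(peer, c) for c in rule.criteria):
            return rule.profile
    return default


# Constructed sample rules: engineers issued by the corporate CA, contractors by OU substring,
# and anything connecting from a documentation (RFC 5737) branch range.
SAMPLE_RULES = (
    MapRule(10, "EngineersProfile", (
        Criterion("subject", "eq", "Engineering", component="OU"),
        Criterion("issuer", "eq", "Corp Issuing CA", component="CN"),
    )),
    MapRule(20, "ContractorsProfile", (Criterion("subject", "co", "contract", component="OU"),)),
    MapRule(30, "BranchProfile", (Criterion("peer_ip", "eq", "203.0.113.0/24"),)),
)

# Constructed sample identities.
SAMPLE_PEERS = {
    "alice": PeerIdentity("CN=alice,OU=Engineering,O=Example Corp,C=US", "CN=Corp Issuing CA,O=Example Corp"),
    "bob": PeerIdentity("CN=bob,OU=Contractors-East,O=Example Corp", "CN=Corp Issuing CA,O=Example Corp"),
    "carol": PeerIdentity("CN=carol,OU=Sales,O=Example Corp", "CN=Corp Issuing CA,O=Example Corp",
                          peer_ip="203.0.113.7"),
    "dave": PeerIdentity("CN=dave,OU=Engineering,O=Example Corp", "CN=Other CA", peer_ip="198.51.100.9"),
}

if __name__ == "__main__":
    for name, peer in SAMPLE_PEERS.items():
        print(name, "->", select_profile(peer, SAMPLE_RULES))
```

Note that `dave` presents an Engineering OU but a certificate from a different issuer, so the first rule fails on its issuer criterion and he lands in the default profile; matching on the issuer as well as the subject is what stops a certificate from an unrelated CA from claiming a privileged group.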
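The IKE Proposal entry above says the policy defines the requirements for phase 1 of the IKE negotiation. The following added example (not Security Manager or ASA code) models that negotiation for IKEv1-style proposals: the responder walks its own proposal list in priority order and accepts the first entry whose algorithms the initiator also offered, with the SA lifetime taken as the smaller of the two sides' values, and a separate audit flags proposals built on legacy algorithms. The proposal fields, the algorithm spellings (`sha` meaning SHA-1, as in ASA syntax), the legacy sets, and the sample proposals are this example's assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IkeProposal:
    """One phase-1 proposal (constructed model, not the ASA data structure)."""
    encryption: str       # "aes-256", "aes-128", "3des", "des"
    hash: str             # "sha256", "sha" (SHA-1), "md5"
    dh_group: int         # Diffie-Hellman group number
    authentication: str   # "pre-share" or "rsa-sig"
    lifetime: int         # SA lifetime in seconds


# Algorithms this example treats as legacy (assumption; adjust to your own standard).
LEGACY_ENCRYPTION = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}
LEGACY_DH_GROUPS = {1, 2, 5}


def weaknesses(proposal):
    """Return human-readable reasons a proposal falls below the baseline, or [] if none."""
    issues = []
    if proposal.encryption in LEGACY_ENCRYPTION:
        issues.append(f"legacy encryption {proposal.encryption}")
    if proposal.hash in LEGACY_HASH:
        issues.append(f"legacy hash {proposal.hash}")
    if proposal.dh_group in LEGACY_DH_GROUPS:
        issues.append(f"legacy DH group {proposal.dh_group}")
    return issues


def audit_policy(proposals):
    """Map the index of each weak proposal to its issues; an empty dict means the policy is clean."""
    return {i: w for i, p in enumerate(proposals) if (w := weaknesses(p))}


def _algorithms(proposal):
    return (proposal.encryption, proposal.hash, proposal.dh_group, proposal.authentication)


def negotiate(initiator_offers, responder_policy):
    """Return the agreed proposal, or None when the two sides share no acceptable set.

    The responder checks its own proposals in priority order against everything the
    initiator offered; the first common algorithm set wins and the shorter lifetime applies."""
    for accepted in responder_policy:
        for offer in initiator_offers:
            if _algorithms(offer) == _algorithms(accepted):
                return replace(accepted, lifetime=min(offer.lifetime, accepted.lifetime))
    return None


# Constructed sample proposal lists, in priority order.
INITIATOR_OFFERS = (
    IkeProposal("des", "md5", 2, "pre-share", 86400),
    IkeProposal("aes-256", "sha256", 14, "rsa-sig", 86400),
)
RESPONDER_POLICY = (
    IkeProposal("aes-256", "sha256", 14, "rsa-sig", 28800),
    IkeProposal("aes-128", "sha", 5, "pre-share", 86400),
)

if __name__ == "__main__":
    print("agreed:", negotiate(INITIATOR_OFFERS, RESPONDER_POLICY))
    print("initiator weaknesses:", audit_policy(INITIATOR_OFFERS))
    print("responder weaknesses:", audit_policy(RESPONDER_POLICY))
```

Running the audit against both lists makes the practical point: a strong proposal at the top of a list does not protect a peer that also lists a weak one, because a counterpart that offers only the weak set will still negotiate successfully against it.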
Policies used in remote access IKEv2 IPsec and SSL VPNs only:

- Access—An Access policy specifies the security appliance interfaces on which a remote access SSL or IKEv2 IPsec VPN connection profile can be enabled, the port to be used for the connection profile, Datagram Transport Layer Security (DTLS) settings, the SSL VPN session timeout, and the maximum number of sessions. You can also specify whether to use the AnyConnect VPN Client or AnyConnect Essentials Client. For more information, see Understanding SSL VPN Access Policies (ASA).
- Other Settings—The SSL VPN Other Settings policy defines settings that include caching, content rewriting, character encoding, proxy and proxy bypass definitions, browser plug-ins, AnyConnect client images and profiles, Kerberos Constrained Delegation, and some other advanced settings. For more information, see Configuring Other SSL VPN Settings (ASA).
- Shared License—Use the SSL VPN Shared License page to configure your SSL VPN Shared License. For more information, see Configuring SSL VPN Shared Licenses (ASA 8.2+).

The following table explains whether a policy is required or optional for a particular type of VPN.
| Policy | Required or Optional |
|---|---|
| ASA Cluster Load Balancing | Optional for all VPN types. |
| Dynamic Access | Optional for all VPN types. |
| Global Settings | Required: IKEv2 IPsec. Optional: IKEv1 IPsec, SSL. |
| Group Policies | Required for all VPN types. |
| Public Key Infrastructure | Required: IKEv2 IPsec. Also required if you configure any trustpoints for IKEv1 IPsec or SSL VPNs. Otherwise, it is optional. |
| Certificate To Connection Profile Maps, Policy and Rules | Optional: IKEv1 IPsec. Not used in: IKEv2 IPsec, SSL. |
| IKE Proposal | Required: IKEv1 IPsec, IKEv2 IPsec. Not used in: SSL. |
| IPsec Proposal (ASA/PIX 7.x) | Required: IKEv1 IPsec, IKEv2 IPsec. Not used in: SSL. |
| Access | Required: IKEv2 IPsec, SSL. Not used in: IKEv1 IPsec. |
| Other Settings | Required: IKEv2 IPsec, SSL. Not used in: IKEv1 IPsec. |
| Shared License | Optional: IKEv2 IPsec, SSL. Not used in: IKEv1 IPsec. |