					                                                                                       INDEX



                                                                                         remote management                8-9
A
                                                                                         split tunneling          8-8
AAA                                                                                      TCP     8-4
    addressing, configuring         5-5                                                  trustpoint       8-7
Access Control Server        7-4, 7-13                                                   tunnel group           8-7
access hours, username attribute          4-92                                           tunneling       8-5
accessing the security appliance using SSL                11-7                           Xauth     8-4
accessing the security appliance using TLS1                 11-7                    server (headend)            8-1
access list filter, username attribute       4-93                               attributes
access lists                                                                        RADIUS        14-27
    exemptions from posture validation              7-11                            username      4-91
    group policy WebVPN filter            4-86                                  attribute-value pairs
    IPsec      1-29                                                                 TACACS+          14-38
    Network Admission Control, default               7-10                       attribute-value pairs (AVP)              4-36, 4-39
    username for Clientless SSL VPN                4-99                         authentication
Active Directory, settings for password management                       4-28       ASA 5505 as Easy VPN client                      8-12
Active Directory procedures         14-16 to ??                                     WebVPN users with digital certificates                     11-32, 11-33
Advanced Encryption Standard (AES)                1-10                          auto-signon
Application Access Panel, WebVPN                 11-84                              group policy attribute for Clientless SSL VPN                      4-85
application access using Clientless SSL VPN                                         username attribute for Clientless SSL VPN                      4-102
    group policy attribute for Clientless SSL VPN                   4-87
    username attribute for Clientless SSL VPN                    4-101
application access using WebVPN
                                                                                B
    and hosts file errors      11-71                                            backup server attributes, group policy                  4-70
    quitting properly       11-72                                               banner message, group policy                  4-44
Application Profile Customization Framework                     11-11           before configuring KCD                11-47
ASA 5505                                                                        Black Ice firewall       4-79
    client                                                                      bypass authentication           8-8
         authentication      8-12
         configuration restrictions, table          8-2
         device pass-through        8-8                                         C
         group policy attributes pushed to               8-10                   cached Kerberos tickets
         mode         8-3                                                           clearing     11-51


                                                                                         Cisco ASA Series VPN CLI Configuration Guide
                                                                                                                                                     IN-1




    showing           11-49                                                                 entries     1-19
caching       11-80                                                                         examples          1-30
cascading access lists               1-23                                                   policy      1-21
certificate                                                                             crypto show commands table                  1-37
    authentication, e-mail proxy                         11-78                          custom firewall         4-79
    group matching                                                                      customization, Clientless SSL VPN
            configuring             1-16, 1-17                                              group policy attribute             4-83
            rule and policy, creating                     1-17                              login windows for users                4-27
Cisco-AV-Pair LDAP attributes                            14-13                              username attribute              4-98
Cisco Integrated Firewall                   4-79                                            username attribute for Clientless SSL VPN                         4-24
Cisco Security Agent                 4-79
Cisco Trust Agent             7-13
                                                                                        D
clearing cached Kerberos tickets                         11-51
client                                                                                  default
    VPN 3002 hardware, forcing client update                               3-4              DefaultL2Lgroup             4-1
    Windows, client update notification                           3-4                       DefaultRAgroup             4-1
client access rules, group policy                        4-80                               domain name, group policy                    4-57
client firewall, group policy                     4-75                                      group policy          4-1, 4-8, 4-36, 4-39
clientless authentication                  7-13                                             LAN-to-LAN tunnel group                      4-17
Clientless SSL VPN                                                                          remote access tunnel group, configuring                     4-7
    configuring for specific users                        4-96                              tunnel group          1-18, 4-2
client mode       8-3                                                                   deny in a crypto map           1-23
client update, performing                   3-4                                         deny-message
cluster                                                                                     group policy attribute for Clientless SSL VPN                        4-84
    IP address, load balancing                      3-7                                     username attribute for Clientless SSL VPN                         4-99
    load balancing configurations                          3-10                         DES, IKE policy keywords (table)                    1-9, 1-10
    mixed scenarios                 3-11                                                device pass-through, ASA 5505 as Easy VPN client                             8-8
    virtual      3-7                                                                    DfltGrpPolicy          4-37, 4-40
connect time, maximum, username attribute                               4-93            DHCP
content transformation, WebVPN                            11-81                             addressing, configuring                5-6
CRACK protocol                1-39                                                      DHCP Intercept, configuring                 4-58
crypto map                                                                              Diffie-Hellman
    access lists             1-29                                                           Group 5       1-9, 1-11
    applying to interfaces                   1-29, 10-11                                    groups supported           1-9, 1-11
    clearing configurations                   1-38                                      digital certificates
    creating an entry to use the dynamic crypto map                              6-13       authenticating WebVPN users                     11-32, 11-33
    definition         1-19                                                                 SSL       11-11
    dynamic           1-35                                                              directory hierarchy search             14-3
    dynamic, creating                 6-12                                              disabling content rewrite             11-82





DNS
                                                                     F
    server, configuring          4-54
domain attributes, group policy                4-57                  failover
dynamic crypto map           1-35                                        Trusted Flow Acceleration                     2-8
    creating     6-12                                                filter (access list)
    See also crypto map                                                  group policy attribute for Clientless SSL VPN                          4-86
                                                                         username attribute for Clientless SSL VPN                           4-99
                                                                     firewall
E                                                                        Black Ice        4-79

Easy VPN                                                                 Cisco Integrated           4-79

    client                                                               Cisco Security Agent                  4-79

         authentication         8-12                                     custom       4-79

         configuration restrictions, table                8-2            Network Ice         4-79

         enabling and disabling            8-1                           none      4-79

         group policy attributes pushed to                    8-10       Sygate personal            4-79

         mode      8-3                                                   Zone Labs          4-79

         remote management               8-9                         firewall policy, group policy                4-75

         trustpoint      8-7                                         fragmentation policy, IPsec                 1-15

         tunnels       8-9
         Xauth     8-4
                                                                     G
    server (headend)           8-1
Easy VPN client                                                      general attributes, tunnel group                   4-3
    ASA 5505                                                         general parameters, tunnel group                    4-3
         device pass-through            8-8                          general tunnel-group connection parameters                        4-3
         split tunneling         8-8                                 global e-mail proxy attributes                   11-78
         TCP     8-4                                                 global IPsec SA lifetimes, changing                       1-31
         tunnel group          8-7                                   group-lock, username attribute                    4-95
         tunneling       8-5                                         group policy
egress VLAN for VPN sessions                   4-47                      address pools           4-44
e-mail                                                                   backup server attributes                4-70
    configuring for WebVPN                11-77                          client access rules            4-80
    proxies, WebVPN             11-78                                    configuring         4-42
    proxy, certificate authentication                 11-78              default domain name for tunneled packets                        4-57
    WebVPN, configuring                11-77                             definition       4-1, 4-36, 4-39
end-user interface, WebVPN, defining                     11-83           domain attributes              4-57
external group policy, configuring                4-42                   Easy VPN client, attributes pushed to ASA 5505                              8-10
                                                                         external, configuring             4-42
                                                                         firewall policy           4-75
                                                                         hardware client user idle timeout                      4-68





     internal, configuring              4-43                                          reconfiguring    11-72
     IP phone bypass             4-69                                                 WebVPN      11-71
     IPSec over UDP attributes                   4-66                           html-content-filter
     LEAP Bypass              4-69                                                    group policy attribute for Clientless SSL VPN                   4-84
     network extension mode                    4-70                                   username attribute for Clientless SSL VPN                    4-97
     security attributes             4-65                                       HTTP compression, Clientless SSL VPN, enabling                        4-89,
                                                                                4-103
     split tunneling attributes                4-55
                                                                                HTTP redirection for login, Easy VPN client on the ASA
     split-tunneling domains                 4-58
                                                                                5505 8-12
     user authentication              4-68
                                                                                HTTPS for WebVPN sessions              11-7, 11-8
     VPN hardware client attributes                     4-67
                                                                                hub-and-spoke VPN scenario            1-27
     webvpn attributes               4-82
     WINS and DNS servers                    4-54
group policy, default            4-36, 4-39                                     I
group policy, secure unit authentication                       4-67
                                                                                idle timeout
group policy attributes for Clientless SSL VPN
                                                                                      hardware client user, group policy             4-68
     application access              4-87
                                                                                      username attribute       4-93
     auto-signon          4-85
                                                                                ID method for ISAKMP peers, determining                     1-13
     customization            4-83
                                                                                IKE
     deny-message             4-84
                                                                                      benefits   1-2, 10-3
     filter     4-86
                                                                                      creating policies      1-11
     home page           4-85
                                                                                      keepalive setting, tunnel group          4-4
     html-content filter             4-84
                                                                                      pre-shared key, Easy VPN client on the ASA
     keep-alive-ignore               4-88                                             5505 8-7
     port forward         4-87                                                        See also ISAKMP
     port-forward-name                4-88                                      IKEv1     1-19
     sso-server        4-89                                                     Individual user authentication         8-12
     url-list     4-86                                                          inheritance
                                                                                      tunnel group    4-1
                                                                                      username attribute       4-92
H
                                                                                intercept DHCP, configuring           4-58
hairpinning       1-27                                                          interfaces
hardware client, group policy attributes                       4-67                   configuring for remote access           6-7
HMAC hashing method                    1-2, 10-4                                internal group policy, configuring            4-43
hold-period       7-17                                                          Internet Security Association and Key Management
homepage                                                                        Protocol

     group policy attribute for Clientless SSL VPN                       4-85         See ISAKMP

     username attribute for Clientless SSL VPN                        4-98      IP addresses

hosts file                                                                            configuring an assignment method for remote access
                                                                                      clients 5-1
     errors      11-71





    configuring for VPNs             5-1
                                                                                     K
    configuring local IP address pools                     5-3
IP phone     8-8                                                                     KCD     11-44, 11-45
IP phone bypass, group policy                 4-69                                       before configuring            11-47
IPSec                                                                                KCD status
    modes      2-2                                                                       showing      11-49
    over UDP, group policy, configuring attributes                            4-66   keep-alive-ignore
    remote-access tunnel group                 4-8                                       group policy attribute for Clientless SSL VPN                       4-88
    setting maximum active VPN sessions                          3-3                     username attribute for Clientless SSL VPN                       4-102
IPsec                                                                                Kerberos tickets
    access list      1-29                                                                clearing     11-51
    basic configuration with static crypto maps                        1-32              showing      11-49
    Cisco VPN Client           1-2
    configuring       1-1, 1-18
                                                                                     L
    crypto map entries          1-19
    fragmentation policy             1-15                                            L2TP description         2-1
    over NAT-T, enabling               1-14                                          LAN-to-LAN tunnel group, configuring                         4-17
    over TCP, enabling            1-15                                               Layer 2 Tunneling Protocol                2-1
    SA lifetimes, changing             1-31                                          LDAP
    tunnel    1-19                                                                       Cisco-AV-pair          14-13
    view configuration commands table                        1-37                        configuring a AAA server                    14-2 to ??
IPSec parameters, tunnel group                 4-4                                       directory search           14-3
ipsec-ra, creating an IPSec remote-access tunnel                       4-8               example configuration procedures                     14-16 to ??
ISAKMP                                                                                   hierarchy example            14-3
    about     1-2                                                                    LEAP Bypass, group policy                 4-69
    configuring       1-1                                                            load balancing
    determining an ID method for peers                       1-13                        cluster configurations             3-10
    disabling in aggressive mode                 1-13                                    concepts     3-7
    enabling on the outside interface                  6-8                               eligible clients       3-9
    keepalive setting, tunnel group                  4-4                                 eligible platforms           3-9
    See also IKE                                                                         implementing          3-9
                                                                                         mixed cluster scenarios               3-11
                                                                                         platforms      3-9
J
                                                                                         prerequisites        3-9
Java object signing         11-81                                                    login
                                                                                         simultaneous, username attribute                    4-92
                                                                                         windows, customizing for users of Clientless SSL
                                                                                         VPN sessions 4-27







M                                                                       O

MAC addresses                                                           operating systems, posture validation exemptions                7-11
     ASA 5505 device pass-through                 8-8
matching, certificate group          1-16, 1-17
                                                                        P
maximum active IPSec VPN sessions, setting                        3-3
maximum connect time, username attribute                       4-93     password management, Active Directory settings                 4-28
maximum object size to ignore username attribute for                    passwords
Clientless SSL VPN 4-102
                                                                            username, setting         4-91
MD5, IKE policy keywords (table)               1-9, 1-10
                                                                            WebVPN       11-105
Microsoft Active Directory, settings for password
                                                                        password-storage, username attribute                 4-96
management 4-28
                                                                        PAT
Microsoft Internet Explorer client parameters,
configuring 4-60                                                            Easy VPN client mode              8-3
Microsoft KCD       11-44, 11-45                                        PDA support for WebVPN                11-77
mixed cluster scenarios, load balancing                  3-11           peers
MSIE client parameters, configuring                4-60                     alerting before disconnecting             1-16
MTU size, Easy VPN client, ASA 5505                      8-5                ISAKMP, determining ID method                     1-13
                                                                        performance, optimizing for WebVPN                    11-80
                                                                        permit in a crypto map         1-23
N
                                                                        port-forward
NAC                                                                         group policy attribute for Clientless SSL VPN                4-87
     See Network Admission Control                                          username attribute for Clientless SSL VPN                 4-101
NAT-T                                                                   port-forward-name
     enabling IPsec over NAT-T             1-14                             group policy attribute for Clientless SSL VPN                4-88
     using   1-15                                                           username attribute for Clientless SSL VPN                 4-101

Network Admission Control                                               posture validation
     ACL, default     7-10                                                  exemptions       7-11

     clientless authentication          7-13                                revalidation timer        7-10

     configuring    4-71                                                    uses, requirements, and limitations                7-1

     exemptions     7-11                                                PPPoE, configuring          9-1 to 9-5

     revalidation timer       7-10                                      pre-shared key, Easy VPN client on the ASA 5505                  8-7

     uses, requirements, and limitations                7-1             printers   8-8

network extension mode            8-3                                   privilege level, username, setting            4-91

network extension mode, group policy                    4-70            proxy
Network Ice firewall       4-79                                             See e-mail proxy
Nokia VPN Client       1-39                                             proxy bypass     11-82








                                                                                  split tunneling
R
                                                                                        ASA 5505 as Easy VPN client                     8-8
RADIUS                                                                                  group policy       4-55
    attributes     14-27                                                                group policy, domains             4-58
    Cisco AV pair          14-13                                                  SSL
    configuring a AAA server                14-27                                       certificate     11-11
reboot, waiting until active sessions end                   1-16                        used to access the security appliance                 11-7
redundancy, in site-to-site VPNs, using crypto maps                        1-37   SSL/TLS encryption protocols
remote access                                                                           configuring       11-11
    IPSec tunnel group, configuring                   4-8                         SSL VPN Client
    restricting     4-95                                                                compression        12-18
    tunnel group, configuring default                  4-7                              DPD     12-16
    VPN, configuring          6-1, 6-15                                                 enabling
remote management, ASA 5505                   8-9                                           permanent installation               12-8
revalidation timer, Network Admission Control                      7-10                 installing
rewrite, disabling       11-82                                                              order       12-7
                                                                                        keepalive messages          12-17
                                                                                        viewing sessions          12-20
S
                                                                                  sso-server
SAs, lifetimes      1-31                                                                group policy attribute for Clientless SSL VPN                       4-89
secure unit authentication           8-12                                               username attribute for Clientless SSL VPN                        4-103
secure unit authentication, group policy                    4-67                  SSO with WebVPN               11-16 to ??
security, WebVPN           11-16                                                        configuring HTTP Basic and NTLM
                                                                                        authentication 11-17
Security Agent, Cisco         4-79
                                                                                        configuring HTTP form protocol                    11-24
security association
                                                                                        configuring SiteMinder             11-18, 11-21
    clearing      1-38
                                                                                  Sun Microsystems Java™ Runtime Environment (JRE)
    See also SAs
                                                                                  and WebVPN 11-65
security attributes, group policy             4-65
                                                                                  SVC
SHA, IKE policy keywords (table)                    1-9, 1-10
                                                                                        See SSL VPN Client
showing cached Kerberos tickets                11-49
                                                                                  Sygate Personal Firewall            4-79
showing KCD status           11-49
simultaneous logins, username attribute                     4-92
single sign-on                                                                    T
    See SSO
                                                                                  TCP
single-signon
                                                                                        ASA 5505 as Easy VPN client                     8-4
    group policy attribute for Clientless SSL VPN                     4-89
                                                                                  TLS1, used to access the security appliance                     11-7
    username attribute for Clientless SSL VPN                      4-103
                                                                                  toolbar, floating, WebVPN               11-85
site-to-site VPNs, redundancy               1-37
                                                                                  transform set
smart tunnels      11-51





     creating     6-1, 6-10                                                              user authentication, group policy                    4-68
     definition        1-19                                                              username
Trusted Flow Acceleration                                                                    clientless authentication                 7-14
     failover     2-8                                                                        management tunnels                 8-9
     modes       2-8                                                                         WebVPN         11-105
trustpoint, ASA 5505 client                 8-7                                              Xauth for Easy VPN client                   8-4
tunnel                                                                                   username attributes
     ASA 5505 as Easy VPN client                         8-5                                 access hours         4-92
     IPsec      1-19                                                                         configuring         4-90, 4-91
     security appliance as a tunnel endpoint                          1-2                    group-lock      4-95
tunnel group                                                                                 inheritance     4-92
     ASA 5505 as Easy VPN client                         8-7                                 password, setting            4-91
     configuring         4-6                                                                 password-storage             4-96
     creating     4-8                                                                        privilege level, setting             4-91
     default     1-18, 4-1, 4-2                                                              simultaneous logins            4-92
     default, remote access, configuring                       4-7                           vpn-filter    4-93
     default LAN-to-LAN, configuring                           4-17                          vpn-framed-ip-address                4-94
     definition        4-1, 4-2                                                              vpn-idle timeout            4-93
     general parameters               4-3                                                    vpn-session-timeout                4-93
     inheritance        4-1                                                                  vpn-tunnel-protocol              4-95
     IPSec parameters                4-4                                                 username attributes for Clientless SSL VPN
     LAN-to-LAN, configuring                      4-17                                       auto-signon         4-102
     name and type             4-8                                                           customization         4-98
     remote access, configuring                   6-11                                       deny message          4-99
     remote-access, configuring                   4-8                                        filter (access list)         4-99
tunnel-group                                                                                 homepage       4-98
     general attributes              4-3                                                     html-content-filter           4-97
tunnel-group ISAKMP/IKE keepalive settings                                  4-4              keep-alive ignore            4-102
tunneling, about         1-1                                                                 port-forward         4-101
tunnel mode       2-2                                                                        port-forward-name             4-101
                                                                                             sso-server     4-103
                                                                                             url-list    4-100
U
                                                                                         username configuration, viewing                      4-90
url-list                                                                                 username webvpn mode               4-96
     group policy attribute for Clientless SSL VPN                                4-86   U-turn   1-27
     username attribute for Clientless SSL VPN                               4-100
user, VPN
                                                                                         V
     definition        4-1
user access, restricting remote               4-95                                       virtual cluster    3-7





    IP address         3-7                                                             PDA support      11-77
    master       3-7                                                                   security precautions       11-16
VLAN mapping             4-47                                                          security tips   11-105
VPN                                                                                    setting HTTP/HTTPS proxy                  11-8
    address pool, configuring (group-policy)                              4-44         supported applications           11-105
    parameters, general, setting                    3-1                                troubleshooting     11-71
    setting maximum number of IPSec sessions                                 3-3       use of HTTPS       11-7
VPN Client, IPsec attributes                  1-2                                      usernames and passwords             11-105
vpn-filter username attribute                 4-93                                     use suggestions     11-83, 11-105
vpn-framed-ip-address username attribute                            4-94           WebVPN, Application Access Panel                     11-84
VPN hardware client, group policy attributes                              4-67     webvpn attributes
vpn-idle-timeout username attribute                        4-93                        group policy     4-82
vpn load balancing                                                                 welcome message, group policy               4-44
    See load balancing             3-7                                             WINS server, configuring         4-54
vpn-session-timeout username attribute                        4-93
vpn-tunnel-protocol username attribute                        4-95
                                                                                   X

                                                                                   Xauth, Easy VPN client         8-4
W

web e-Mail (Outlook Web Access), Outlook Web Access 11-79                              Z
WebVPN
                                                                                   Zone Labs firewalls     4-79
    authenticating with digital certificates                        11-32, 11-33
                                                                                   Zone Labs Integrity Server           4-76
    client application requirements                       11-105
    client requirements               11-105
    configuring
        e-mail          11-77
    configuring WebVPN and ASDM on the same interface 11-8
    defining the end-user interface                       11-83
    definition         11-2
    e-mail   11-77
    e-mail proxies            11-78
    end user set-up           11-83
    floating toolbar            11-85
    group policy attributes, configuring                          11-37
    hosts file     11-71
    hosts files, reconfiguring                 11-72
    Java object signing               11-81



				
posted:3/23/2013
pages:10