CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8


CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2018 Cisco Systems, Inc. All rights reserved.

CONTENTS

PREFACE
About This Guide  xix
Document Objectives  xix
Related Documentation  xix
Document Conventions  xix
Obtaining Documentation and Submitting a Service Request  xxi

PART I  Site-to-Site and Client VPN  23

CHAPTER 1  IPsec and ISAKMP  1
About Tunneling, IPsec, and ISAKMP  1
IPsec Overview  2
ISAKMP and IKE Overview  2
Licensing for IPsec VPNs  3
Guidelines for IPsec VPNs  4
Configure ISAKMP  5
Configure IKEv1 and IKEv2 Policies  5
IKE Policy Keywords and Values  6
Enable IKE on the Outside Interface  10
Disable IKEv1 Aggressive Mode  10
Configure an ID Method for IKEv1 and IKEv2 ISAKMP Peers  11
INVALID SELECTORS Notification  12
Configure IKEv2 Pre-shared Key in Hex  12
Enable or Disable Sending of IKE Notification  12
Configure IKEv2 Fragmentation Options  12
AAA Authentication With Authorization  14
Enable IPsec over NAT-T  14
Enable IPsec with IKEv1 over TCP  16
Configure Certificate Group Matching for IKEv1  16
Configure IPsec  18
Define Crypto Maps  18
Example of LAN-to-LAN Crypto Maps  21
Set Public Key Infrastructure (PKI) Keys  27
Apply Crypto Maps to Interfaces  28
Use Interface ACLs  28
Change IPsec SA Lifetimes  30
Change VPN Routing  31
Create Static Crypto Maps  31
Create Dynamic Crypto Maps  36
Provide Site-to-Site Redundancy  38
Managing IPsec VPNs  39
Viewing an IPsec Configuration  39
Wait for Active Sessions to Terminate Before Rebooting  39
Alert Peers Before Disconnecting  40
Clear Security Associations  40
Clear Crypto Map Configurations  41

CHAPTER 2  L2TP over IPsec  43
About L2TP over IPsec/IKEv1 VPN  43
IPsec Transport and Tunnel Modes  44
Licensing Requirements for L2TP over IPsec  45
Prerequisites for Configuring L2TP over IPsec  46
Guidelines and Limitations  46
Configuring L2TP over IPsec with CLI  48
Creating IKE Policies to Respond to Windows 7 Proposals  51
Configuration Example for L2TP over IPsec  52
Feature History for L2TP over IPsec  53

CHAPTER 3  High Availability Options  55
High Availability Options  55
Load Balancing  55
Failover  55
Load Balancing  56
About Load Balancing  56
VPN Load-Balancing Algorithm  56
VPN Load-Balancing Cluster Configurations  57
Frequently Asked Questions About Load Balancing  58
Licensing for Load Balancing  59
Guidelines and Limitations for VPN Load Balancing  60
Configuring Load Balancing  61
Prerequisites for Load Balancing  61
Configure the Public and Private Interfaces for Load Balancing  62
Configure the Load Balancing Cluster Attributes  63
Configuration Examples for VPN Load Balancing  65
Viewing Load Balancing  66

CHAPTER 4  General VPN Parameters  67
Guidelines and Limitations  67
Configure IPsec to Bypass ACLs  68
Permitting Intra-Interface Traffic (Hairpinning)  68
NAT Considerations for Intra-Interface Traffic  69
Setting Maximum Active IPsec or SSL VPN Sessions  70
Use Client Update to Ensure Acceptable IPsec Client Revision Levels  70
Implement NAT-Assigned IP to Public IP Connection  72
Displaying VPN NAT Policies  73
Configure VPN Session Limits  74
Show License Resource Allocation  74
Show License Resource Usage  75
Limit VPN Sessions  75
Using an Identity Certificate When Negotiating  75
Configure the Pool of Cryptographic Cores  76
Viewing Active VPN Sessions  77
Viewing Active AnyConnect Sessions by IP Address Type  77
Viewing Active Clientless SSL VPN Sessions by IP Address Type  78
Viewing Active LAN to LAN VPN Sessions by IP Address Type  78
About ISE Policy Enforcement  79
Configure RADIUS Server Groups for ISE Policy Enforcement  79
Example Configurations for ISE Policy Enforcement  82
Troubleshooting Policy Enforcement  83
Configure Advanced SSL Settings  83
Persistent IPsec Tunneled Flows  88
Configure Persistent IPsec Tunneled Flows Using CLI  89
Troubleshooting Persistent IPsec Tunneled Flows  89
Is the Persistent IPsec Tunneled Flows Feature Enabled?  89
Locating Orphaned Flows  90

CHAPTER 5  Connection Profiles, Group Policies, and Users  93
Overview of Connection Profiles, Group Policies, and Users  93
Connection Profiles  94
General Connection Profile Connection Parameters  95
IPsec Tunnel-Group Connection Parameters  96
Connection Profile Connection Parameters for SSL VPN Sessions  97
Configure Connection Profiles  98
Maximum Connection Profiles  99
Default IPsec Remote Access Connection Profile Configuration  99
IPsec Tunnel-Group General Attributes  100
Configure Remote-Access Connection Profiles  100
Specify a Name and Type for the Remote Access Connection Profile  101
Configure Remote-Access Connection Profile General Attributes  101
Configure Double Authentication  105
Configure Remote-Access Connection Profile IPsec IKEv1 Attributes  107
Configure IPsec Remote-Access Connection Profile PPP Attributes  109
Configure LAN-to-LAN Connection Profiles  111
Default LAN-to-LAN Connection Profile Configuration  111
Specify a Name and Type for a LAN-to-LAN Connection Profile  111
Configure LAN-to-LAN Connection Profile General Attributes  112
Configure LAN-to-LAN IPsec IKEv1 Attributes  112
Configure Connection Profiles for Clientless SSL VPN Sessions  115
Configure General Tunnel-Group Attributes for Clientless SSL VPN Sessions  115
Configure Tunnel-Group Attributes for Clientless SSL VPN Sessions  118
Customize Login Windows for Users of Clientless SSL VPN Sessions  123
About Tunnel Groups for Standards-based IKEv2 Clients  124
Standards-based IKEv2 Attribute Support  125
DAP Support  125
Tunnel Group Selection for Remote Access Clients  125
Authentication Support for Standards-based IKEv2 Clients  126
Add Multiple Certificate Authentication  127
Configure the query-identity Option for Retrieval of EAP Identity  128
Configure Microsoft Active Directory Settings for Password Management  130
Use Active Directory to Force the User to Change Password at Next Logon  130
Use Active Directory to Specify Maximum Password Age  130
Use Active Directory to Enforce Minimum Password Length  131
Use Active Directory to Enforce Password Complexity  131
Configure the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client  132
Configure the Security Appliance to Support RADIUS/SDI Messages  132
Group Policies  134
Modify the Default Group Policy  134
Configure Group Policies  137
Configure an External Group Policy  137
Create an Internal Group Policy  138
Configure General Internal Group Policy Attributes  139
Group Policy Name  139
Configure the Group Policy Banner Message  139
Specify Address Pools for Remote Access Connections  139
Assign an IPv4 Address Pool to an Internal Group Policy  139
Assign an IPv6 Address Pool to an Internal Group Policy  141
Specify the Tunneling Protocol for the Group Policy  142
Specify a VLAN for Remote Access or Apply a Unified Access Control Rule to the Group Policy  142
Specify VPN Access Hours for a Group Policy  145
Specify Simultaneous VPN Logins for a Group Policy  145
Restrict Access to a Specific Connection Profile  146
Specify the Maximum VPN Connection Time in a Group Policy  146
Specify a VPN Session Idle Timeout for a Group Policy  147
Configure WINS and DNS Servers for a Group Policy  149
Set the Split-Tunneling Policy  150
Specify a Network List for Split-Tunneling  151
Configure Domain Attributes for Split Tunneling  152
Configure DHCP Intercept for Windows XP and Split Tunneling  154
Configure Browser Proxy Settings for use with Remote Access Clients  155
Configure Security Attributes for IPsec (IKEv1) Clients  157
Configure IPsec-UDP Attributes for IKEv1 Clients  159
Configure Attributes for VPN Hardware Clients  160
Configure Group Policy Attributes for AnyConnect Secure Mobility Client Connections  163
Configure Backup Server Attributes  165
Configure Network Admission Control Parameters  166
Configure VPN Client Firewall Policies  170
Configure AnyConnect Client Firewall Policies  171
Use of a Zone Labs Integrity Server  172
Set the Firewall Client Type to Zone Labs  174
Set the Client Firewall Parameters  174
Configure Client Access Rules  176
Configure User Attributes  178
View the Username Configuration  178
Configure Attributes for Individual Users  179
Set a User Password and Privilege Level  179
Configure User Attributes  180
Configure VPN User Attributes  180

CHAPTER 6  IP Addresses for VPNs  187
Configure an IP Address Assignment Policy  187
Configure IPv4 Address Assignments  188
Configure IPv6 Address Assignments  188
View Address Assignment Methods  188
Configure Local IP Address Pools  189
Configure Local IPv4 Address Pools  189
Configure Local IPv6 Address Pools  190
Configure AAA Addressing  190
Configure DHCP Addressing  191
Configure DHCP Addressing  192

CHAPTER 7  Remote Access IPsec VPNs  195
About Remote Access IPsec VPNs  195
About Mobike and Remote Access VPNs  196
Licensing Requirements for Remote Access IPsec VPNs for 3.1  197
Restrictions for IPsec VPN  198
Configure Remote Access IPsec VPNs  198
Configure Interfaces  198
Configure ISAKMP Policy and Enabling ISAKMP on the Outside Interface  199
Configure an Address Pool  200
Add a User  200
Create an IKEv1 Transform Set or IKEv2 Proposal  201
Define a Tunnel Group  202
Create a Dynamic Crypto Map  203
Create a Crypto Map Entry to Use the Dynamic Crypto Map  204
Configuring IPSec IKEv2 Remote Access VPN in Multi-Context Mode  204
Configuration Examples for Remote Access IPsec VPNs  205
Configuration Examples for Standards-Based IPSec IKEv2 Remote Access VPN in Multiple-Context Mode  206
Configuration Examples for AnyConnect IPSec IKEv2 Remote Access VPN in Multiple-Context Mode  207
Feature History for Remote Access VPNs  208

CHAPTER 8  LAN-to-LAN IPsec VPNs  211
Summary of the Configuration  211
Configure Site-to-Site VPN in Multi-Context Mode  212
Configure Interfaces  213
Configure ISAKMP Policy and Enable ISAKMP on the Outside Interface  214
Configure ISAKMP Policies for IKEv1 Connections  214
Configure ISAKMP Policies for IKEv2 Connections  216
Create an IKEv1 Transform Set  216
Create an IKEv2 Proposal  217
Configure an ACL  218
Define a Tunnel Group  219
Create a Crypto Map and Applying It To an Interface  220
Apply Crypto Maps to Interfaces  222

CHAPTER 9  AnyConnect VPN Client Connections  223
About the AnyConnect VPN Client  223
Licensing Requirements for AnyConnect  224
Configure AnyConnect Connections  226
Configure the ASA to Web-Deploy the Client  226
Enable Permanent Client Installation  228
Configure DTLS  228
Prompt Remote Users  229
Enable AnyConnect Client Profile Downloads  230
Enable AnyConnect Client Deferred Upgrade  232
Enable DSCP Preservation  234
Enable Additional AnyConnect Client Features  234
Enable Start Before Logon  234
Translating Languages for AnyConnect User Messages  235
Understand Language Translation  235
Create Translation Tables  236
Remove Translation Tables  237
Configuring Advanced AnyConnect SSL Features  238
Enable Rekey  238
Configure Dead Peer Detection  239
Enable Keepalive  240
Use Compression  241
Adjust MTU Size  242
Update AnyConnect Client Images  242
Enable IPv6 VPN Access  242
Monitor AnyConnect Connections  243
Log Off AnyConnect VPN Sessions  244
Feature History for AnyConnect Connections  245

CHAPTER 10  AnyConnect HostScan  247
Prerequisites for HostScan  247
Licensing for Host Scan  248
HostScan Packaging  248
Install or Upgrade HostScan  248
Enable or Disable HostScan  249
View the HostScan Version Enabled on the ASA  250
Uninstall HostScan  250
Assign AnyConnect Feature Modules to Group Policies  251
HostScan Related Documentation  252

CHAPTER 11  Easy VPN  253
About Easy VPN  253
Configure Easy VPN Remote  256
Configure Easy VPN Server  259
Feature History for Easy VPN  260

CHAPTER 12  Virtual Tunnel Interface  261
About Virtual Tunnel Interfaces  261
Guidelines for Virtual Tunnel Interfaces  261
Create a VTI Tunnel  262
Add an IPsec Proposal (Transform Sets)  263
Add an IPsec Profile  264
Add a VTI Interface  265

CHAPTER 13  Configure an External AAA Server for VPN  269
About External AAA Servers  269
Understanding Policy Enforcement of Authorization Attributes  269
Guidelines For Using External AAA Servers  270
Configure Multiple Certificate Authentication  270
Configure LDAP Authorization for VPN  271
Active Directory/LDAP VPN Remote Access Authorization Examples  272
Policy Enforcement of User-Based Attributes  273
Place LDAP Users in a Specific Group Policy  274
Enforce Static IP Address Assignment for AnyConnect Tunnels  276
Enforce Dial-in Allow or Deny Access  278
Enforce Logon Hours and Time-of-Day Rules  280

PART II  Clientless SSL VPN  283

CHAPTER 14  Clientless SSL VPN Overview  285
Introduction to Clientless SSL VPN  285
Prerequisites for Clientless SSL VPN  286
Guidelines and Limitations for Clientless SSL VPN  286
Licensing for Clientless SSL VPN  287

CHAPTER 15  Basic Clientless SSL VPN Configuration  289
Rewrite Each URL  289
Switch Off URL Entry on the Portal Page  290
Trusted Certificate Pools  290
Configure Auto Import of Trustpool Certificates  291
Show the State of the Trustpool Policy  291
Clear CA Trustpool  291
Edit the Policy of the Trusted Certificate Pool  292
Configure Browser Access to Plug-ins  292
Prerequisites with Plug-Ins  293
Restrictions with Plug-Ins  293
Prepare the Security Appliance for a Plug-in  294
Install Plug-ins Redistributed by Cisco  294
Provide Access to a Citrix XenApp Server  296
Create and Install the Citrix Plug-in  297
View the Plug-ins Installed on the Security Appliance  297
Configure Port Forwarding  298
Prerequisites for Port Forwarding  299
Restrictions for Port Forwarding  299
Configure DNS for Port Forwarding  300
Make Applications Eligible for Port Forwarding  301
Assign a Port Forwarding List  301
Automate Port Forwarding  302
Enable and Switch off Port Forwarding  302
Configure File Access  303
CIFS File Access Requirement and Limitation  304
Add Support for File Access  304
Ensure Clock Accuracy for SharePoint Access  306
Virtual Desktop Infrastructure (VDI)  306
Limitations to VDI  306
Citrix Mobile Support  306
Supported Mobile Devices for Citrix  307
Limitations of Citrix  307
About Citrix Mobile Receiver User Logon  307
Configure the ASA to Proxy a Citrix Server  308
Assign a VDI Server to a Group Policy  308
Use SSL to Access Internal Servers  309
Configure Clientless SSL VPN and ASDM Ports  309
Use HTTPS for Clientless SSL VPN Sessions  310
Configure Support for Proxy Servers  311
Configure SSL/TLS Encryption Protocols  313
Authenticate with Digital Certificates  313
Restrictions of Digital Certificates Authentication  313
Configure Browser Access to Client-Server Plug-ins  314
About Installing Browser Plug-ins  314
Requirements for Installing Browser Plug-ins  315
Set Up RDP Plug-in  315
Prepare the Security Appliance for a Plug-in  316
Configure the ASA to Use the New HTML File  316

CHAPTER 16  Advanced Clientless SSL VPN Configuration  319
Microsoft Kerberos Constrained Delegation Solution  319
How KCD Works  319
Authentication Flow with KCD  320
Configure the ASA for Cross-Realm Authentication  322
Configure KCD  323
Show KCD Status Information  324
Debug KCD  324
Show Cached Kerberos Tickets  324
Clear Cached Kerberos Tickets  325
Requirements for Microsoft Kerberos  325
Configure Application Profile Customization Framework  325
Manage APCF Packets  326
APCF Syntax  326
Encoding  329
View or Specify Character Encoding  329
Use Email over Clientless SSL VPN  331
Configure Web email: MS Outlook Web App  331

CHAPTER 17  Policy Groups  333
Create and Apply Clientless SSL VPN Policies for Accessing Resources  333
Connection Profile Attributes for Clientless SSL VPN  333
Group Policy and User Attributes for Clientless SSL VPN  334
Configure Group Policy Attributes for Clientless SSL VPN Sessions  336
Specify a Deny Message  337
Configure Group Policy Filter Attributes for Clientless SSL VPN Sessions  337
Specify the User Home Page  338
Configure Auto-Signon  339
Specify the ACL for Clientless SSL VPN Sessions  339
Apply a URL List  340
Enable ActiveX Relay for a Group Policy  341
Enable Application Access on Clientless SSL VPN Sessions for a Group Policy  341
Configure the Port-Forwarding Display Name  342
Configure the Maximum Object Size to Ignore for Updating the Session Timer  342
Specify HTTP Compression  343
Configure Clientless SSL VPN Access for Specific Users  343
Specify the Content/Objects to Filter from the HTML  345
Specify the User Home Page  345
Specify a Deny Message  346
Apply a URL List  346
Enable ActiveX Relay for a User  347
Enable Application Access for Clientless SSL VPN Sessions  347
Configure the Port-Forwarding Display Name  348
Configure the Maximum Object Size to Ignore for Updating the Session Timer  348
Configure Auto-Signon  349
Specify HTTP Compression  349
Smart Tunnel Access  350
About Smart Tunnels  351
Prerequisites for Smart Tunnels  351
Guidelines for Smart Tunnels  352
Add Applications to Be Eligible for Smart Tunnel Access  353
About Smart Tunnel Lists  353
Configure and Apply Smart Tunnel Policy  354
Configure and Apply a Smart Tunnel Tunnel-Policy  355
Create a Smart Tunnel Auto Sign-On Server List  356
Add Servers to a Smart Tunnel Auto Sign-On Server List  357
Automate Smart Tunnel Access  359
Enable and Switch Off Smart Tunnel Access  360
Configure Smart Tunnel Log Off  360
Configure Smart Tunnel Log Off when Its Parent Process Terminates  361
Configure Smart Tunnel Log Off with a Notification Icon  361
Clientless SSL VPN Capture Tool  362
Configure Portal Access Rules  362
Optimize Clientless SSL VPN Performance  363
Configure Caching  363
Configure Content Transformation  363
Configure a Certificate for Signing Rewritten Java Content  363
Switch Off Content Rewrite  364
Use Proxy Bypass  364

CHAPTER 18  Clientless SSL VPN Remote Users  367
Clientless SSL VPN Remote Users  367
Usernames and Passwords  367
Communicate Security Tips  368
Configure Remote Systems to Use Clientless SSL VPN Features  368
Capture Clientless SSL VPN Data  374
Create a Capture File  374
Use a Browser to Display Capture Data  375

CHAPTER 19  Clientless SSL VPN Users  377
Manage Passwords  377
Use Single Sign-On with Clientless SSL VPN  379
SSO Using SAML 2.0  379
About SSO and SAML 2.0  379
Guidelines and Limitations for SAML 2.0  380
Configure a SAML 2.0 Identity Provider (IdP)  382
Configure ASA as a SAML 2.0 Service Provider (SP)  384
Example SAML 2.0 and Onelogin  384
Troubleshooting SAML 2.0  386
Configure SSO with HTTP Basic or NTLM Authentication  386
Configure SSO with the HTTP Form Protocol  387
Gather HTTP Form Data  391
Configure SSO for Plug-ins  393
Configure SSO with Macro Substitution  394
Username and Password Requirements  395
Communicate Security Tips  396
Configure Remote Systems to Use Clientless SSL VPN Features  396
About Clientless SSL VPN  396
Prerequisites for Clientless SSL VPN  397
Use the Clientless SSL VPN Floating Toolbar  397
Browse the Web  397
Browse the Network (File Management)  398
Use the Remote File Explorer  398
Use Port Forwarding  399
Use email Via Port Forwarding  400
Use email Via Web Access  401
Use email Via email Proxy  401
Use Smart Tunnel  401

CHAPTER 20  Clientless SSL VPN with Mobile Devices  403
Use Clientless SSL VPN with Mobile Devices  403
Restrictions of Clientless SSL VPN with Mobile  403

CHAPTER 21  Customizing Clientless SSL VPN  405
Clientless SSL VPN End User Setup  405
Define the End User Interface  405
View the Clientless SSL VPN Home Page  405
View the Clientless SSL VPN Application Access Panel  405
View the Floating Toolbar  406
Customize Clientless SSL VPN Pages  406
Information About Customization  406
Export a Customization Template  407
Edit the Customization Template  407
Import a Customization Object  412
Apply Customizations to Connection Profiles, Group Policies, and Users  413
Login Screen Advanced Customization  414
Modify Your HTML File  417
Customize Bookmark Help  418
Import a Help file to Flash Memory  419
Export a Previously Imported Help File from Flash Memory  419
Understand Language Translation  420
Create Translation Tables  421
Reference the Language in a Customization Object  422
Change a Group Policy or User Attributes to Use the Customization Object  424

CHAPTER 22  Clientless SSL VPN Troubleshooting  425
Recover from Hosts File Errors When Using Application Access  425
Understanding the Hosts File  426
Reconfigure a Host's File Automatically Using Clientless SSL VPN  426
Reconfigure Hosts File Manually  427
WebVPN Conditional Debugging  428
Capture Data  428
Create a Capture File  429
Use a Browser to Display Capture Data  429
Protect Clientless SSL VPN Session Cookies  430

About This Guide

The following topics explain how to use this guide.

Document Objectives, on page xix
Related Documentation, on page xix
Document Conventions, on page xix
Obtaining Documentation and Submitting a Service Request, on page xxi

Document Objectives

The purpose of this guide is to help you configure VPN on the Adaptive Security Appliance (ASA) using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.

You can also configure and monitor the ASA by using Adaptive Security Device Manager (ASDM), a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online help for less common scenarios.

This guide applies to the Cisco ASA series. Throughout this guide, the term "ASA" applies generically to supported models, unless specified otherwise.

Related Documentation

For more information, see Navigating the Cisco ASA Series Documentation at http://www.cisco.com/go/asadocs.

Document Conventions

This document adheres to the following text, display, and alert conventions.

Text Conventions

Convention and indication:

boldface
    Commands, keywords, button labels, field names, and user-entered text appear in boldface. For menu-based commands, the full path to the command is shown.

italic
    Variables, for which you supply values, are presented in an italic typeface. Italic type is also used for document titles, and for general emphasis.

monospace
    Terminal sessions and information that the system displays appear in monospace type.

{x | y | z}
    Required alternative keywords are grouped in braces and separated by vertical bars.

[ ]
    Elements in square brackets are optional.

[x | y | z]
    Optional alternative keywords are grouped in square brackets and separated by vertical bars.

[ ]
    Default responses to system prompts are also in square brackets. Non-printing characters such as passwords are in angle brackets.

!, #
    An exclamation point (!) or a number sign (#) at the beginning of a line of code indicates a comment line.

Reader Alerts

This document uses the following for reader alerts:

Note
    Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip
    Means the following information will help you solve a problem.

Caution
    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Timesaver
    Means the described action saves time. You can save time by performing the action described in the paragraph.

Warning
    Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the . RSS feeds are a free service.

PART I
Site-to-Site and Client VPN

IPsec and ISAKMP, on page 1
L2TP over IPsec, on page 43
High Availability Options, on page 55
General VPN Parameters, on page 67
Connection Profiles, Group Policies, and Users, on page 93
IP Addresses for VPNs, on page 187
Remote Access IPsec VPNs, on page 195
LAN-to-LAN IPsec VPNs, on page 211
AnyConnect VPN Client Connections, on page 223
AnyConnect HostScan, on page 247
Easy VPN, on page 253
Virtual Tunnel Interface, on page 261
Configure an External AAA Server for VPN, on page 269

CHAPTER 1
IPsec and ISAKMP

About Tunneling, IPsec, and ISAKMP, on page 1
Licensing for IPsec VPNs, on page 3
Guidelines for IPsec VPNs, on page 4
Configure ISAKMP, on page 5
Configure IPsec, on page 18
Managing IPsec VPNs, on page 39

About Tunneling, IPsec, and ISAKMP

This topic describes the Internet Protocol Security (IPsec) and the Internet Security Association and Key Management Protocol (ISAKMP) standards used to build Virtual Private Networks (VPNs).

Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. Each secure connection is called a tunnel.

The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP and IPsec accomplish the following:

- Negotiate tunnel parameters
- Establish tunnels
- Authenticate users and data
- Manage security keys
- Encrypt and decrypt data
- Manage data transfer across the tunnel
- Manage data transfer inbound and outbound as a tunnel endpoint or router

The ASA functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.

IPsec Overview

The ASA uses IPsec for LAN-to-LAN VPN connections and provides the option of using IPsec for client-to-LAN VPN connections. In IPsec terminology, a peer is a remote-access client or another secure gateway. For both connection types, the ASA supports only Cisco peers. Because we adhere to VPN industry standards, ASAs can work with other vendors' peers; however, we do not support them.

During tunnel establishment, the two peers negotiate security associations that govern authentication, encryption, encapsulation, and key management. These negotiations involve two phases: first, to establish the tunnel (the IKE SA) and second, to govern traffic within the tunnel (the IPsec SA).

A LAN-to-LAN VPN connects networks in different geographic locations. In IPsec LAN-to-LAN connections, the ASA can function as initiator or responder. In IPsec client-to-LAN connections, the ASA functions only as responder. Initiators propose SAs
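As an added illustration of the two negotiation phases described above (not configuration taken from this guide), the following ASA CLI fragment builds a LAN-to-LAN tunnel: the IKEv2 policy defines what the phase-1 IKE SA may use, and the IPsec proposal attached to the crypto map defines what the phase-2 IPsec SA may use. The interface name outside, the peer address 203.0.113.2, the protected networks, the object names, and the pre-shared key placeholders are assumed values chosen for the example.

```cisco
! Phase 1: the IKE SA. This policy sets how the two peers authenticate
! the negotiation and protect the key exchange itself.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Phase 2: the IPsec SA. The proposal sets how traffic inside the
! tunnel is encapsulated and protected (ESP with AES-256 and SHA-256).
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic: only these source/destination pairs enter the
! tunnel. Both networks are assumed placeholder addresses.
access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! The crypto map ties the traffic selector, the remote peer and the
! phase-2 proposal together, and is bound to the outside interface.
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! The LAN-to-LAN tunnel group carries the phase-1 credentials for this
! peer. "*****" stands in for the real pre-shared keys.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

! Verification, one command per phase: the first lists the IKE SA with
! the peer, the second the IPsec SAs and their packet counters.
show crypto ikev2 sa
show crypto ipsec sa peer 203.0.113.2
```

When traffic matching L2L-TRAFFIC is sent, this ASA acts as initiator; when the peer sends first, it acts as responder and must find a matching policy and proposal among those shown.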
