29-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Understanding Devices Supported by Each Remote Access VPN Technology
• SSL VPN license information cannot be imported into Security Manager. As a result, certain command parameters, such as vpn sessiondb and max-webvpn-session-limit, cannot be validated.
• You must configure DNS on each device in the topology in order to use clientless SSL VPN. Without DNS, the device cannot retrieve named URLs, but only URLs with IP addresses.
• If you share your Connection Profiles policy among multiple ASA devices, bear in mind that all devices share the same address pool unless you use device-level object overrides to replace the global definition with a unique address pool for each device. Unique address pools are required to avoid overlapping addresses in cases where the devices are not using NAT.
• If the device configuration contains an address pool for SSL VPN with a name that begins with CSM_ (the naming convention used by Security Manager), Security Manager cannot detect whether the addresses in that pool overlap with the pool configured in your SSL VPN policy. (This can occur, for example, when the pool was configured by a user on a different installation of Security Manager.) This can lead to errors during deployment. Therefore, we recommend that you configure the same IP address pool as a network/host object in Security Manager and define it as part of the SSL VPN policy. This enables the proper validation to take place.
• The same IP address and port number cannot be shared by multiple SSL VPN gateways on the same IOS device. As a result, deployment errors can occur if a duplicate gateway exists in the device configuration but was not redefined using the Security Manager interface. If such an error occurs, you must choose a different IP address and port number and redeploy.
• If you define AAA authentication or accounting as part of an SSL VPN policy, the aaa new-model command is deployed to enable AAA services. Bear in mind that this command is not removed if you later delete the SSL VPN policy, as there might be other parts of the device configuration that require the aaa new-model command for AAA services.
Note: In addition, we recommend that you define at least one local user on the device with a privilege level of 15. This ensures that you will not be locked out of the device if the aaa new-model command is configured without an associated AAA server.
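The address-pool, duplicate-gateway and aaa new-model caveats in the bullets above (and the lockout note) can all be checked against a device's running configuration before deployment. The following script is an added example written for this guide, not Security Manager code or a Cisco tool: it lints an IOS/ASA-style configuration text for overlapping ip local pool ranges, pools named with the CSM_ prefix, webvpn gateways that share an IP address and port, and aaa new-model present without a privilege-15 local user. The sample configuration, the pool and gateway names, and the addresses are constructed; the parser assumes the command forms shown and nothing else.

```python
"""Pre-deployment lint for the SSL VPN caveats above (added example).

Assumptions: input is IOS/ASA-style running-config text; only the commands
named in the bullets are parsed (ip local pool in IOS 'start end' or ASA
'start-end mask' form, webvpn gateway blocks, aaa new-model, and
'username ... privilege 15'). The sample configuration below is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample configuration; names and addresses are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
ip local pool CSM_SSLVPN_POOL 10.10.10.1 10.10.10.50
ip local pool RA_POOL 10.10.10.40 10.10.10.100
webvpn gateway GW_CSM
 ip address 192.0.2.10 port 443
webvpn gateway GW_LEGACY
 ip address 192.0.2.10 port 443
username netops privilege 15 secret 0 placeholder-password
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
POOL_RE = re.compile(rf"^ip local pool (\S+) {IPV4}[- ]{IPV4}(?: mask \S+)?\s*$")
GATEWAY_RE = re.compile(r"^webvpn gateway (\S+)\s*$")
GATEWAY_ADDR_RE = re.compile(rf"^\s+ip address {IPV4} port (\d+)\s*$")
PRIV15_RE = re.compile(r"^username \S+ privilege 15\b")


def parse_pools(config):
    """Return {pool_name: (first_addr, last_addr)} with addresses as ints."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            pools[name] = (int(ipaddress.IPv4Address(first)),
                           int(ipaddress.IPv4Address(last)))
    return pools


def find_overlapping_pools(pools):
    """Pairs of pool names whose address ranges intersect (sorted by name)."""
    names = sorted(pools)
    overlaps = []
    for i, a in enumerate(names):
        a_lo, a_hi = pools[a]
        for b in names[i + 1:]:
            b_lo, b_hi = pools[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                overlaps.append((a, b))
    return overlaps


def find_csm_named_pools(pools):
    """Pools whose names use the CSM_ prefix and so escape overlap validation."""
    return sorted(n for n in pools if n.startswith("CSM_"))


def parse_webvpn_gateways(config):
    """Return {gateway_name: (ip, port)} from indented 'webvpn gateway' blocks."""
    gateways = {}
    current = None
    for line in config.splitlines():
        m = GATEWAY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.startswith(" "):
            current = None  # any non-indented line ends the gateway block
            continue
        m = GATEWAY_ADDR_RE.match(line)
        if m:
            gateways[current] = (m.group(1), int(m.group(2)))
    return gateways


def find_duplicate_gateway_endpoints(gateways):
    """(ip, port) pairs claimed by more than one gateway, with the gateway names."""
    by_endpoint = defaultdict(list)
    for name, endpoint in gateways.items():
        by_endpoint[endpoint].append(name)
    return {ep: sorted(names) for ep, names in by_endpoint.items() if len(names) > 1}


def aaa_lockout_risk(config):
    """True when aaa new-model is present but no privilege-15 local user exists."""
    lines = config.splitlines()
    has_aaa = any(line.strip() == "aaa new-model" for line in lines)
    has_priv15 = any(PRIV15_RE.match(line) for line in lines)
    return has_aaa and not has_priv15


def lint(config):
    """Run every check and return the findings keyed by caveat."""
    pools = parse_pools(config)
    gateways = parse_webvpn_gateways(config)
    return {
        "overlapping_pools": find_overlapping_pools(pools),
        "csm_named_pools": find_csm_named_pools(pools),
        "duplicate_gateways": find_duplicate_gateway_endpoints(gateways),
        "aaa_lockout_risk": aaa_lockout_risk(config),
    }


if __name__ == "__main__":
    for finding, value in lint(SAMPLE_CONFIG).items():
        print(f"{finding}: {value}")
```

Run against the constructed sample, the script reports the two overlapping pools, the CSM_-prefixed pool, the two gateways sharing 192.0.2.10:443, and no lockout risk because a privilege-15 user is defined; removing that username line flips the lockout finding to true. The check is deliberately read-only over exported text so it can run before Security Manager attempts deployment.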
Related Topics
• SSL VPN Access Modes, page 29-4
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (ASA Devices), page 29-14
• Creating SSL VPNs Using the Remote Access VPN Configuration Wizard (IOS Devices), page 29-31
Understanding Devices Supported by Each Remote Access VPN Technology
There are three types of remote access VPN: IKE version 1 (IKEv1) IPsec, IKE version 2 (IKEv2) IPsec, and SSL. The devices on which you can configure these technologies differ, and, broadly speaking, the configuration for each type of VPN differs for ASA/PIX 7.0+ compared to IOS/PIX 6.3 devices.
The following table describes the basic device support. When you select a device, the device type determines which remote access policies are visible or configurable.