29-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Overview of Remote Access VPN Policies
Note: You cannot configure SSL VPNs on PIX devices; PIX devices support remote access IKEv1 IPsec VPNs only.

Policies used with remote access IKEv1 and IKEv2 IPsec and SSL VPNs:

ASA Cluster Load Balancing (ASA/PIX 7.0+)—In a remote client configuration in which you are using two or more devices connected to the same network to handle remote sessions, you can configure these devices to share their session load. This feature is called load balancing. Load balancing directs session traffic to the least loaded device, thus distributing the load among all devices. Load balancing is effective only on remote sessions initiated with an ASA device. For more information, see Understanding Cluster Load Balancing (ASA), page 30-4.

Connection Profiles (ASA/PIX 7.0+)—A connection profile is a set of records that contain VPN tunnel connection policies, including the attributes that pertain to creating the tunnel itself. Connection profiles identify the group policies for a specific connection, which includes user-oriented attributes. For more information, see Configuring Connection Profiles (ASA, PIX 7.0+), page 30-6.

Dynamic Access (ASA 8.0+)—Multiple variables can affect each VPN connection, for example, intranet configurations that frequently change, the various roles that each user might inhabit within an organization, and logins from remote access sites with different configurations and levels of security. Dynamic access policies (DAP) let you configure authorization that addresses these many variables. You create a dynamic access policy by setting a collection of access control attributes that you associate with a specific user tunnel or session. For more information, see Chapter 31, “Managing Dynamic Access Policies for Remote Access VPNs (ASA 8.0+ Devices)”.

Global Settings—You can define global settings that apply to all devices in your remote access VPNs. These settings include Internet Key Exchange (IKE), IKEv2, IPsec, NAT, and fragmentation definitions. The global settings typically have defaults that work in most situations, so configuring the Global Settings policy is optional in most cases; configure it only if you need non-default behavior or if you are supporting IKEv2 negotiations. For more information, see Configuring VPN Global Settings, page 25-29.

Group Policies (ASA/PIX 7.0+)—You can view the user group policies defined for your remote access VPN connection profiles. From this page, you can specify new ASA user groups and edit existing ones. When you create a connection profile, if you specify a group policy that has not been used on the device, the group policy is automatically added to the Group Policies page; you do not need to add it to this policy before you create the connection profile. For more information, see Configuring Group Policies for Remote Access VPNs, page 30-21.

Public Key Infrastructure—You can create a Public Key Infrastructure (PKI) policy to generate enrollment requests for CA certificates and RSA keys, and to manage keys and certificates. Certification Authority (CA) servers are used to manage these certificate requests and issue certificates to users who connect to your IPsec or SSL remote access VPN. For more information, see Understanding Public Key Infrastructure Policies, page 25-47 and Configuring Public Key Infrastructure Policies for Remote Access VPNs, page 25-52.

Policies used in remote access IPsec VPNs only:

Certificate To Connection Profile Maps, Policy and Rules (IKEv1 IPSec only, ASA/PIX 7.0+ only.)—Certificate to connection profile map policies let you define rules to match a user’s certificate to a permission group based on specified fields. To establish authentication, you can use any field of the certificate, or you can have all certificate users share a permission group.
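The matching logic behind a certificate-to-connection-profile map, written as an added stand-alone illustration rather than Cisco Security Manager or ASA code: map entries are tried in priority order, every criterion in an entry must match a subject field, the first matching entry selects the profile, and a default profile applies when nothing matches. The entry and criterion names, the operator set, the sample map and the subject strings are constructed for this example; DN parsing is simplified (no escaped commas) and a missing attribute is treated as a non-match.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Criterion:
    attr: str    # certificate subject attribute, e.g. "OU" or "CN"
    op: str      # "eq" equals, "ne" not equals, "co" contains, "nc" does not contain
    value: str

@dataclass(frozen=True)
class MapEntry:
    priority: int     # lower number is evaluated first
    criteria: tuple   # all criteria must hold (logical AND)
    profile: str      # connection profile selected on a match

def parse_subject(dn: str) -> dict:
    """Parse 'CN=alice,OU=Engineering,O=Example Corp' into a dict.
    Simplified: assumes no escaped commas inside attribute values."""
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, val = part.split("=", 1)
            fields[key.strip().upper()] = val.strip()
    return fields

_OPS = {
    "eq": lambda actual, want: actual.lower() == want.lower(),
    "ne": lambda actual, want: actual.lower() != want.lower(),
    "co": lambda actual, want: want.lower() in actual.lower(),
    "nc": lambda actual, want: want.lower() not in actual.lower(),
}

def criterion_matches(crit: Criterion, subject: dict) -> bool:
    actual = subject.get(crit.attr.upper())
    if actual is None:
        return False  # assumption: an absent attribute never satisfies a rule
    return _OPS[crit.op](actual, crit.value)

def select_profile(subject_dn: str, entries: tuple, default: str) -> str:
    """Return the profile of the first entry (by priority) whose criteria all match."""
    subject = parse_subject(subject_dn)
    for entry in sorted(entries, key=lambda e: e.priority):
        if all(criterion_matches(c, subject) for c in entry.criteria):
            return entry.profile
    return default

# Constructed sample map: contractors are matched before regular engineering staff.
SAMPLE_MAP = (
    MapEntry(10, (Criterion("O", "eq", "Example Corp"),
                  Criterion("OU", "co", "Contractor")), "CONTRACTOR-PROFILE"),
    MapEntry(20, (Criterion("OU", "eq", "Engineering"),), "ENG-PROFILE"),
)
DEFAULT_PROFILE = "DEFAULT-PROFILE"
```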