Filter
Top Products
33-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 33 Configuring Policy Objects for Remote Access VPNs
ASA Group Policies Dialog Box
Field Reference
Table 33-5 ASA Group Policies IPSec Settings
Element Description
Enable Re-Authentication on
IKE Re-Key
Whether the security appliance should prompt the user to enter a
username and password during initial Phase 1 IKE negotiation and also
prompt for user authentication whenever an IKE rekey occurs,
providing additional security. Reauthentication fails if no user is at the
other end of the connection.
Enable IPsec Compression Whether to enable data compression, which speeds up transmission
rates for remote dial-in users connecting with modems.
Caution Data compression increases the memory requirement and
CPU usage for each user session and consequently decreases
the overall throughput of the security appliance. For this
reason, it is recommended that you enable data compression
only for remote users connecting with a modem. Design a
group policy specific to modem users and enable
compression only for them.
Enable Perfect Forward
Secrecy (PFS)
Whether to enable the use of Perfect Forward Secrecy (PFS) to generate
and use a unique session key for each encrypted exchange. In IPsec
negotiations, PFS ensures that each new cryptographic key is unrelated
to any previous key.
Tunnel Group Lock Tunnel group lock restricts users by checking if the group configured
in the VPN client is the same as the tunnel group to which the user is
assigned. If it is not, the security appliance prevents the user from
connecting.
If you do not specify a tunnel name, the security appliance
authenticates users without regard to the assigned group. Group locking
is disabled by default.
Client Access Rules table The access rules for clients. These rules control which types of clients
are denied access, if any. You can have up to 25 rules, and combined
they are limited to 255 characters.
Tip If you define any rule, an implicit deny all rule is added. Thus,
if a client matches no permit rule, the client is denied access. If
you create rules, ensure that you have permit rules for all
allowed clients. You can use * as a wildcard to match partial
strings.
The rule with the lowest integer has the highest priority. Therefore, the
rule with the lowest integer that matches a client type or version is the
rule that applies. If a lower priority rule contradicts, the security
appliance ignores it.
• To add a rule, click the Add Row button to open the Add or Edit
Client Access Rules Dialog Box, page 33-10.
• To edit a rule, select it and click the Edit Row button.
• To delete a rule, select it and click the Delete button.