Home » Cisco Manuals » Networking » Cisco 5510 » Manual Viewer

Cisco 5510 Getting Started Guide - Page 121

Enable Split Tunneling, Enable Perfect, Forwarding Secrecy, Step 2

UPC - 882658094767

Add to My Manuals
Save this manual to your list of manuals

Page 121 highlights

Chapter 9 Scenario: IPsec Remote-Access VPN Configuration Implementing the IPsec Remote-Access VPN Scenario Step 2 Step 3 To enable split tunneling, check the Enable Split Tunneling check box. Split tunneling allows traffic outside the configured networks to be sent out directly to the Internet instead of over the encrypted VPN tunnel. To enable perfect forwarding secrecy (PFS), check the Enable Perfect Forwarding Secrecy check box. Enabling PFS sets the size of the numbers to use in generating Phase 2 IPsec keys. PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys. PFS ensures that a session key derived from a set of long-term public and private keys is not compromised if one of the private keys is compromised in the future. Note PFS must be enabled on both sides of the connection. Step 4 Step 5 Select the Diffie-Hellman group identifier, which the two IPsec peers use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit). Group 7 is for use with the Movian VPN client, but works with any peer that supports Group 7 (ECC). Click Next to continue. 78-19186-01 Cisco ASA 5500 Series Getting Started Guide 9-15

Section	Page
Contents	3
Before You Begin	11
ASA 5500	11
ASA 5500 with AIP SSM	12
ASA 5500 with CSC SSM	13
ASA 5500 with 4GE SSM	14
ASA 5550	15
Related Documents	15
Maximizing Throughput on the ASA 5550	17
Embedded Network Interfaces	17
Balancing Traffic to Maximize Throughput	18
What to Do Next	21
Installing the ASA 5550	23
Verifying the Package Contents	24
Installing the Chassis	25
Rack-Mounting the Chassis	26
Installing SFP Modules	28
SFP Module	28
Installing an SFP Module	30
Ports and LEDs	31
Front Panel LEDs	31
Rear Panel LEDs and Ports in Slot 0	32
Ports and LEDs in Slot 1	34
Connecting Interface Cables	35
What to Do Next	41
Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540	43
Verifying the Package Contents	44
Installing the Chassis	45
Rack-Mounting the Chassis	46
Ports and LEDs	49
What to Do Next	52
Installing Optional SSMs	53
Cisco 4GE SSM	53
4GE SSM Components	54
Installing the Cisco 4GE SSM	55
Installing the SFP Modules	56
SFP Module	57
Installing the SFP Module	58
Cisco AIP SSM and CSC SSM	60
Installing an SSM	61
What to Do Next	62
Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms	63
Connecting Interface Cables	64
Connecting to SSMs	66
Connecting to a 4GE SSM	68
Powering On the Adaptive Security Appliance	71
What to Do Next	71
Configuring the Adaptive Security Appliance	73
About the Factory Default Configuration	73
Using the CLI for Configuration	74
Using the Adaptive Security Device Manager for Configuration	75
Preparing to Use ASDM	76
Gathering Configuration Information for Initial Setup	76
Installing the ASDM Launcher	77
Starting ASDM with a Web Browser	80
Running the ASDM Startup Wizard	80
What to Do Next	81
Scenario: DMZ Configuration	83
Example DMZ Network Topology	83
An Inside User Visits a Web Server on the Internet	85
An Internet User Visits the DMZ Web Server	86
An Inside User Visits the DMZ Web Server	88
Configuring the Adaptive Security Appliance for a DMZ Deployment	90
Configuration Requirements	91
Information to Have Available	92
Enabling Inside Clients to Communicate with Devices on the Internet	92
Enabling Inside Clients to Communicate with the DMZ Web Server	92
Translating Internal Client IP Addresses Between the Inside and DMZ Interfaces	93
Translating the Public Address of the Web Server to its Real Address on the Inside Interface	96
Configuring Static PAT for Public Access to the DMZ Web Server (Port Forwarding)	99
Providing Public HTTP Access to the DMZ Web Server	102
What to Do Next	105
Scenario: IPsec Remote-Access VPN Configuration	107
Example IPsec Remote-Access VPN Network Topology	107
Implementing the IPsec Remote-Access VPN Scenario	108
Information to Have Available	109
Configuring an IPsec Remote-Access VPN	109
Selecting VPN Client Types	111
Specifying the VPN Tunnel Group Name and Authentication Method	112
Specifying a User Authentication Method	113
(Optional) Configuring User Accounts	115
Configuring Address Pools	116
Configuring Client Attributes	117
Configuring the IKE Policy	118
Specifying Address Translation Exception and Split Tunneling	120
Verifying the Remote-Access VPN Configuration	122
What to Do Next	123
Scenario: Configuring Connections for a Cisco AnyConnect VPN Client	125
About SSL VPN Client Connections	125
Obtaining the Cisco AnyConnect VPN Client Software	126
Example Topology Using AnyConnect SSL VPN Clients	127
Implementing the Cisco SSL VPN Scenario	127
Information to Have Available	128
Configuring the Adaptive Security Appliance for the Cisco AnyConnect VPN Client	129
Specifying the SSL VPN Interface	130
Specifying a User Authentication Method	131
Specifying a Group Policy	132
Configuring the Cisco AnyConnect VPN Client	133
Verifying the Remote-Access VPN Configuration	135
What to Do Next	136
Scenario: SSL VPN Clientless Connections	137
About Clientless SSL VPN	137
Security Considerations for Clientless SSL VPN Connections	138
Example Network with Browser-Based SSL VPN Access	139
Implementing the Clientless SSL VPN Scenario	140
Information to Have Available	141
Configuring the Adaptive Security Appliance for Browser-Based SSL VPN Connections	142
Specifying the SSL VPN Interface	143
Specifying a User Authentication Method	144
Specifying a Group Policy	146
Creating a Bookmark List for Remote Users	147
Verifying the Configuration	151
What to Do Next	152
Scenario: Site-to-Site VPN Configuration	153
Example Site-to-Site VPN Network Topology	153
Implementing the Site-to-Site Scenario	154
Information to Have Available	155
Configuring the Site-to-Site VPN	155
Configuring the Security Appliance at the Local Site	155
Providing Information About the Remote VPN Peer	157
Configuring the IKE Policy	158
Configuring IPsec Encryption and Authentication Parameters	160
Specifying Hosts and Networks	161
Viewing VPN Attributes and Completing the Wizard	162
Configuring the Other Side of the VPN Connection	164
What to Do Next	165
Configuring the AIP SSM	167
Understanding the AIP SSM	168
How the AIP SSM Works with the Adaptive Security Appliance	168
Operating Modes	169
Using Virtual Sensors	170
Configuring the AIP SSM	172
AIP SSM Procedure Overview	172
Sessioning to the AIP SSM	172
Configuring the Security Policy on the AIP SSM	174
Assigning Virtual Sensors to Security Contexts	175
Diverting Traffic to the AIP SSM	177
What to Do Next	180
Configuring the CSC SSM	183
About the CSC SSM	183
About Deploying the Adaptive Security Appliance with the CSC SSM	184
Scenario: Security Appliance with CSC SSM Deployed for Content Security	186
Configuration Requirements	187
Configuring the CSC SSM for Content Security	188
Obtain Software Activation Key from Cisco.com	188
Gather Information	189
Verify Time Settings	189
Run the CSC Setup Wizard	190
What to Do Next	199
Configuring the 4GE SSM for Fiber	201
Cabling 4GE SSM Interfaces	202
Setting the 4GE SSM Media Type for Fiber Interfaces (Optional)	203
What to Do Next	205