CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8 Americas Headquarters Cisco Systems, Inc
Total Page:16
File Type:pdf, Size:1020Kb
CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version. Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) © 2021 Cisco Systems, Inc. All rights reserved. CONTENTS PREFACE About This Guide xix Document Objectives xix Related Documentation xix Document Conventions xix Communications, Services, and Additional Information xxi PART I Site-to-Site and Client VPN 23 CHAPTER 1 IPsec and ISAKMP 1 About Tunneling, IPsec, and ISAKMP 1 IPsec Overview 2 ISAKMP and IKE Overview 2 Licensing for IPsec VPNs 3 Guidelines for IPsec VPNs 4 Configure ISAKMP 4 Configure IKEv1 and IKEv2 Policies 4 IKE Policy Keywords and Values 6 Enable IKE on the Outside Interface 9 Disable IKEv1 Aggressive Mode 10 Configure an ID Method for IKEv1 and IKEv2 ISAKMP Peers 10 INVALID_SELECTORS Notification 11 Configure IKEv2 Pre-shared Key in Hex 11 Enable or Disable Sending of IKE Notification 11 Configure IKEv2 Fragmentation Options 12 AAA Authentication With Authorization 13 Enable IPsec over NAT-T 13 CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8 iii Contents Enable IPsec with IKEv1 over TCP 15 Configure Certificate Group Matching for IKEv1 16 Configure IPsec 18 Define Crypto Maps 18 Example of LAN-to-LAN Crypto Maps 21 Set Public Key Infrastructure (PKI) Keys 26 Apply Crypto Maps to Interfaces 27 Use Interface ACLs 27 Change IPsec SA Lifetimes 29 Change VPN Routing 30 Create Static Crypto Maps 30 Create Dynamic Crypto Maps 35 Provide Site-to-Site Redundancy 38 Managing IPsec VPNs 38 Viewing an IPsec Configuration 38 Wait for Active Sessions to Terminate Before Rebooting 39 Alert Peers Before Disconnecting 39 Clear Security Associations 39 Clear Crypto Map Configurations 40 CHAPTER 2 L2TP over IPsec 41 About L2TP over IPsec/IKEv1 VPN 41 IPsec Transport and Tunnel Modes 42 Licensing Requirements for L2TP over IPsec 43 Prerequisites for Configuring L2TP over IPsec 43 Guidelines and Limitations 43 Configuring L2TP over Eclipse with CLI 45 Creating IKE Policies to Respond to Windows 7 Proposals 48 Configuration Example for L2TP over IPsec 49 Feature History for L2TP over IPsec 50 CHAPTER 3 High Availability Options 51 High Availability Options 51 VPN Load Balancing 51 CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8 iv Contents Failover 51 VPN Load Balancing 52 About VPN Load Balancing 52 VPN Load-Balancing Algorithm 52 VPN Load-Balancing Group Configurations 53 Frequently Asked Questions About VPN Load Balancing 53 Licensing for VPN Load Balancing 54 Prerequisites for VPN Load Balancing 55 Guidelines and Limitations for VPN Load Balancing 55 Configuring VPN Load Balancing 57 Configure the Public and Private Interfaces for VPN Load Balancing 57 Configure the VPN Load Balancing Group Attributes 58 Configuration Examples for VPN Load Balancing 60 Viewing VPN Load Balancing Information 61 CHAPTER 4 General VPN Parameters 63 Guidelines and Limitations 63 Configure IPsec to Bypass ACLs 64 Permitting Intra-Interface Traffic (Hairpinning) 64 NAT Considerations for Intra-Interface Traffic 65 Setting Maximum Active IPsec or SSL VPN Sessions 66 Use Client Update to Ensure Acceptable IPsec Client Revision Levels 66 Implement NAT-Assigned IP to Public IP Connection 68 Displaying VPN NAT Policies 69 Configure VPN Session Limits 70 Show License Resource Allocation 70 Show License Resource Usage 71 Limit VPN Sessions 71 Using an Identify Certificate When Negotiating 71 Configure the Pool of Cryptographic Cores 72 Configure Dynamic Split Tunneling 72 Viewing Active VPN Sessions 73 Viewing Active AnyConnect Sessions by IP Address Type 73 Viewing Active Clientless SSL VPN Sessions by IP Address Type 74 CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8 v Contents Viewing Active LAN to LAN VPN Sessions by IP Address Type 75 About ISE Policy Enforcement 75 Configure RADIUS Server Groups for ISE Policy Enforcement 76 Example Configurations for ISE Policy Enforcement 79 Troubleshooting Policy Enforcement 79 Configure Advanced SSL Settings 80 Persistent IPsec Tunneled Flows 84 Configure Persistent IPsec Tunneled Flows Using CLI 85 Troubleshooting Persistent IPsec Tunneled Flows 86 Is the Persistent IPsec Tunneled Flows Feature Enabled? 86 Locating Orphaned Flows 87 CHAPTER 5 Connection Profiles, Group Policies, and Users 89 Overview of Connection Profiles, Group Policies, and Users 89 Connection Profiles 90 General Connection Profile Connection Parameters 91 IPsec Tunnel-Group Connection Parameters 92 Connection Profile Connection Parameters for SSL VPN Sessions 93 Configure Connection Profiles 94 Maximum Connection Profiles 95 Default IPsec Remote Access Connection Profile Configuration 95 IPsec Tunnel-Group General Attributes 96 Configure Remote-Access Connection Profiles 96 Specify a Name and Type for the Remote Access Connection Profile 97 Configure Remote-Access Connection Profile General Attributes 97 Configure Double Authentication 101 Configure Remote-Access Connection Profile IPsec IKEv1 Attributes 103 Configure IPsec Remote-Access Connection Profile PPP Attributes 105 Configure LAN-to-LAN Connection Profiles 107 Default LAN-to-LAN Connection Profile Configuration 107 Specify a Name and Type for a LAN-to-LAN Connection Profile 107 Configure LAN-to-LAN Connection Profile General Attributes 108 Configure LAN-to-LAN IPsec IKEv1 Attributes 108 Configure Connection Profiles for Clientless SSL VPN Sessions 111 CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.8 vi Contents Configure General Tunnel-Group Attributes for Clientless SSL VPN Sessions 111 Configure Tunnel-Group Attributes for Clientless SSL VPN Sessions 114 Customize Login Windows for Users of Clientless SSL VPN Sessions 119 About Tunnel Groups for Standards-based IKEv2 Clients 120 Standards-based IKEv2 Attribute Support 121 DAP Support 121 Tunnel Group Selection for Remote Access Clients 121 Authentication Support for Standards-based IKEv2 Clients 122 Add Multiple Certificate Authentication 123 Configure the query-identity Option for Retrieval of EAP Identity 124 Configure Microsoft Active Directory Settings for Password Management 126 Use Active Directory to Force the User to Change Password at Next Logon 126 Use Active Directory to Specify Maximum Password Age 126 Use Active Directory to Enforce Minimum Password Length 127 Use Active Directory to Enforce Password Complexity 127 Configure the Connection Profile for RADIUS/SDI Message Support for the AnyConnect Client 128 Configure the Security Appliance to Support RADIUS/SDI Messages 128 Group Policies 130 Modify the Default Group Policy 130 Configure Group Policies 133 Configure an External Group Policy 133 Create an Internal Group Policy 134 Configure General Internal Group Policy Attributes