Cisco ASA 5505 Configuration Manual page 1414

Asa 5500 series

Easy VPN Remote
Modes
The following table shows the modes in which this feature is available:
Table columns: Firewall Mode (Routed, Transparent); Security Context (Single, Multiple: Context, System)
Easy VPN Remote
Easy VPN Remote lets the ASA 5505 act as an Easy VPN client device. The ASA 5505 can then initiate
a VPN tunnel to an Easy VPN server, which can be an adaptive security appliance, a Cisco VPN 3000
Concentrator, an IOS-based router, or a firewall acting as an Easy VPN server.
The Easy VPN client supports one of two modes of operation: Client Mode or Network Extension Mode
(NEM). The mode of operation determines whether the Easy VPN Client inside hosts are accessible from
the Enterprise network over the tunnel. Specifying a mode of operation is mandatory before making a
connection because Easy VPN Client does not have a default mode.
Client mode, also called Port Address Translation (PAT) mode, isolates all devices on the Easy VPN
Client private network from those on the enterprise network. The Easy VPN Client performs Port
Address Translation (PAT) for all VPN traffic for its inside hosts. IP address management is required
for neither the Easy VPN Client inside interface nor the inside hosts.
NEM makes the inside interface and all inside hosts routable across the enterprise network over the
tunnel. Hosts on the inside network obtain their IP addresses from an accessible subnet (statically or via
DHCP) pre-configured with static IP addresses. PAT does not apply to VPN traffic in NEM. This mode
does not require a VPN configuration for each client. The Cisco ASA 5505 configured for NEM mode
supports automatic tunnel initiation. The configuration must store the group name, user name, and
password. Automatic tunnel initiation is disabled if secure unit authentication is enabled.
In Client mode, the network and addresses on the private side of the Easy VPN Client are hidden and
cannot be accessed directly.
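
The following added example (not part of the Cisco manual) checks a set of Easy VPN Remote settings against the rules described above: a mode must be set, NEM makes inside hosts routable, and automatic tunnel initiation needs NEM plus a stored group name, user name, and password with secure unit authentication off. It assumes the settings are expressed as ASA CLI `vpnclient` lines, which this ASDM guide page does not show; the address, names, and masked secrets are constructed placeholders.

```python
# Added example: constructed Easy VPN Remote lines in ASA CLI form.
# Names, address and masked secrets are placeholders, not from the manual.
SAMPLE_NEM = """\
vpnclient server 192.0.2.10
vpnclient mode network-extension-mode
vpnclient vpngroup BRANCH-GROUP password ********
vpnclient username branch-user password ********
vpnclient enable
"""
SAMPLE_NO_MODE = """\
vpnclient server 192.0.2.10
vpnclient vpngroup BRANCH-GROUP password ********
vpnclient enable
"""
MODES = {"client-mode": "client", "network-extension-mode": "nem"}


def audit_easy_vpn(config, sua_enabled=False):
    """Summarise what the configured mode implies for inside hosts.

    sua_enabled (secure unit authentication) is passed in by the caller;
    this sketch does not try to read it from the configuration.
    """
    mode, group, user, enabled = None, None, None, False
    for line in config.splitlines():
        w = line.split()
        if len(w) < 2 or w[0] != "vpnclient":
            continue
        if w[1] == "mode" and len(w) >= 3:
            mode = MODES.get(w[2])
        elif w[1] == "vpngroup" and len(w) >= 5 and w[3] == "password":
            group = w[2]
        elif w[1] == "username" and len(w) >= 5 and w[3] == "password":
            user = w[2]
        elif w[1] == "enable":
            enabled = True
    findings = []
    if enabled and mode is None:
        findings.append("enabled without a mode; there is no default mode")
    stored = group is not None and user is not None
    if mode == "nem" and stored and sua_enabled:
        findings.append("automatic tunnel initiation disabled by SUA")
    return {
        "mode": mode,
        "inside_hosts_routable": mode == "nem",  # reachable from enterprise
        "pat_for_vpn_traffic": mode == "client",
        "auto_initiation": mode == "nem" and stored and not sua_enabled,
        "findings": findings,
    }
```
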
Cisco ASA 5500 Series Configuration Guide using ASDM
64-104
Fail Timeout—Type the number of seconds that the adaptive security appliance should wait before
it declares the active Integrity Server to be unreachable. The default is 10 and the range is from 5 to
20.
SSL Certificate Port: Specify the adaptive security appliance port to be used for SSL Authorization.
The default is port 80.
Enable SSL Authentication—Check to enable authentication of the remote client SSL certificate by
the adaptive security appliance. By default, client SSL authentication is disabled.
Close connection on timeout—Check to close the connection between the adaptive security
appliance and the Integrity Server on a timeout. By default, the connection remains open.
Apply—Click to apply the Integrity Server setting to the adaptive security appliance running
configuration.
Reset—Click to remove Integrity Server configuration changes that have not yet been applied.
Chapter 64
General VPN Setup
OL-20339-01


This manual is also suitable for:

ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580