Configuring Ipsec-Udp Attributes; Configuring Split-Tunneling Attributes - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Group Policies
hostname(config-group-policy)# banner value Welcome to Cisco Systems 7.0.
Configuring IPSec-UDP Attributes
IPSec over UDP, sometimes called IPSec through NAT, lets a Cisco VPN client or hardware client
connect via UDP to a security appliance that is running NAT. It is disabled by default. IPSec over UDP
is proprietary; it applies only to remote-access connections, and it requires mode configuration. The
security appliance exchanges configuration parameters with the client while negotiating SAs. Using
IPSec over UDP may slightly degrade system performance.
To enable IPSec over UDP, configure the ipsec-udp command with the enable keyword in group-policy
configuration mode, as follows:
hostname(config-group-policy)# ipsec-udp {enable | disable}
hostname(config-group-policy)# no ipsec-udp
To use IPSec over UDP, you must also configure the ipsec-udp-port command, as described below.
To disable IPSec over UDP, enter the disable keyword. To remove the IPSec over UDP attribute from
the running configuration, enter the no form of this command. This enables inheritance of a value for
IPSec over UDP from another group policy.
The Cisco VPN client must also be configured to use IPSec over UDP (it is configured to use it by
default). The VPN 3002 requires no configuration to use IPSec over UDP.
The following example shows how to set IPSec over UDP for the group policy named FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp enable
If you enabled IPSec over UDP, you must also configure the ipsec-udp-port command in group-policy
configuration mode. This command sets a UDP port number for IPSec over UDP. In IPSec negotiations,
the security appliance listens on the configured port and forwards UDP traffic for that port even if other
filter rules drop UDP traffic. The port numbers can range from 4001 through 49151. The default port
value is 10000.
To disable the UDP port, enter the no form of this command. This enables inheritance of a value for the
IPSec over UDP port from another group policy.
hostname(config-group-policy)# ipsec-udp-port port
The following example shows how to set an IPSec UDP port to port 4025 for the group policy named
FirstGroup:
hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# ipsec-udp-port 4025
Configuring Split-Tunneling Attributes
Split tunneling lets a remote-access IPSec client conditionally direct packets over an IPSec tunnel in
encrypted form or to a network interface in clear text form. With split tunneling enabled, packets not
bound for destinations on the other side of the IPSec tunnel do not have to be encrypted, sent across the
tunnel, decrypted, and then routed to a final destination. This command applies this split tunneling policy
to a specific network.
Cisco Security Appliance Command Line Configuration Guide
30-44
Chapter 30
Configuring Connection Profiles, Group Policies, and Users
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
