Comparing Tunneling Options - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 34
Configuring Easy VPN Services on the ASA 5505
This command clears the Don't Fragment (DF) bit from the encapsulated header. A DF bit is a bit within
the IP header that determines whether the packet can be fragmented. This command lets the Easy VPN
hardware client send packets that are larger than the MTU size.
The following example shows how to configure the Easy VPN hardware client to use TCP-encapsulated
IPSec, using the default port 10000, and to let it send large packets over the outside interface:
hostname(config)# vpnclient ipsec-over-tcp
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
The next example shows how to configure the Easy VPN hardware client to use TCP-encapsulated
IPSec, using the port 10501, and to let it send large packets over the outside interface:
hostname(config)# vpnclient ipsec-over-tcp port 10501
hostname(config)# crypto ipsec df-bit clear-df outside
hostname(config)#
To remove the attribute from the running configuration, use the no form of this command, as follows:
For example:
hostname(config)# no vpnclient ipsec-over-tcp
hostname(config)#
Comparing Tunneling Options
The tunnel types the Cisco ASA 5505 configured as an Easy VPN hardware client sets up depends on a
combination of the following factors:
•
•
Caution
•
OL-12172-03
no vpnclient ipsec-over-tcp
Use of the split-tunnel-network-list and the split-tunnel-policy commands on the headend to
permit, restrict, or prohibit split tunneling. (See the
page 30-45
and
"Setting the Split-Tunneling Policy" section on page
Split tunneling determines the networks for which the remote-access client encrypts and sends data
through the secured VPN tunnel, and determines which traffic it sends to the Internet in the clear.
Use of the
vpnclient management
initiation options:
tunnel to limit administrative access to the client side by specific hosts or networks on the
–
corporate side and use IPSec to add a layer of encryption to the management sessions over the
HTTPS or SSH encryption that is already present.
clear to permit administrative access using the HTTPS or SSH encryption used by the
–
management session.
no to prohibit management access
–
Cisco does not support the use of the vpnclient management command if a NAT device is
present between the client and the Internet.
Use of the
vpnclient mode
–
client to use Port Address Translation (PAT) mode to isolate the addresses of the inside hosts,
relative to the client, from the enterprise network.
Creating a Network List for Split-Tunneling,
command to specify one of the following automatic tunnel
command to specify one of the following modes of operation:
Cisco Security Appliance Command Line Configuration Guide
Comparing Tunneling Options
30-45, respectively.)
34-5
Advertisement
Table of Contents
Troubleshooting
