Cisco ASA 5505 Configuration Manual page 1278

ASA 5500 Series

VPN Wizard
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed
Summary
The Summary pane displays all of the attributes of this VPN LAN-to-LAN connection as configured.
Fields
Back—To make changes, click Back until you reach the appropriate pane.
Finish—When you are satisfied with the configuration, click Finish. ASDM saves the LAN-to-LAN
configuration. After you click Finish, you can no longer use the VPN wizard to make changes to this
configuration. Use ASDM to edit and configure advanced features.
Cancel—To remove the configuration, click Cancel.
Modes
The following table shows the modes in which this feature is available:
Cisco ASA 5500 Series Configuration Guide using ASDM
62-14
IP address—Select the IP address of the host or network. Either type the IP address or click the
adjacent ... button to view a diagram of the network and select a host or network.
Add—Click to add the host or network to the Selected Hosts/Networks list after you have completed
the applicable fields.
Selected Hosts/Networks—Displays the hosts and networks that are exempt from NAT. If you want
all hosts and networks to be exempt from NAT, leave this list empty.
Enable split tunneling—Select to have traffic from remote access clients destined for the public
Internet sent unencrypted. Split tunneling causes traffic for protected networks to be encrypted,
while traffic to unprotected networks is unencrypted. When you enable split tunneling, the adaptive
security appliance pushes a list of IP addresses to the remote VPN client after authentication. The
remote VPN client encrypts traffic to the IP addresses that are behind the adaptive security
appliance. All other traffic travels unencrypted directly to the Internet without involving the adaptive
security appliance.
Enable Perfect Forwarding Secrecy (PFS)—Specify whether to use Perfect Forward Secrecy, and the
Diffie-Hellman group (modulus size) to use, in generating Phase 2 IPsec keys. PFS is a cryptographic
concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are
derived from Phase 1 keys unless PFS is enabled. With PFS, a fresh Diffie-Hellman exchange generates the keys.
PFS ensures that a session key derived from a set of long-term public and private keys is not
compromised if one of the private keys is compromised in the future.
PFS must be enabled on both sides of the connection.
Diffie-Hellman Group—Select the Diffie-Hellman group identifier, which the two IPsec peers
use to derive a shared secret without transmitting it to each other. The default, Group 2 (1024-bit
Diffie-Hellman), requires less CPU time to execute but is less secure than Group 5 (1536-bit).
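As an added example that is not part of the Cisco guide, the following Python sketch runs the ephemeral Diffie-Hellman exchange that selecting Group 2 (the 1024-bit MODP group of RFC 2409) implies, and shows why mixing the fresh DH secret into the Phase 2 derivation makes those keys independent of the Phase 1 material. The phase2_key function and the constructed Phase 1 secret and nonce values are assumptions for illustration, not the IKE PRF chain.

```python
import hashlib
import hmac
import secrets

# IKE Group 2 = RFC 2409 "Second Oakley Group", a 1024-bit MODP prime, generator 2.
# (Group 5 is the 1536-bit MODP group of RFC 3526; same arithmetic, larger p.)
DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2

def dh_keypair(p=DH_GROUP2_P, g=DH_GROUP2_G):
    """Fresh (private exponent, public value) for one side of the exchange."""
    x = secrets.randbelow(p - 3) + 2        # private exponent in [2, p-2]
    return x, pow(g, x, p)

def dh_shared(priv, peer_pub, p=DH_GROUP2_P):
    """Shared secret; reject degenerate peer values (0, 1, p-1, out of range)."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_pub, priv, p)

def phase2_key(phase1_secret, nonces, pfs_secret=None):
    """Simplified Phase 2 key derivation (an HMAC sketch, not the IKE PRF chain).
    Without PFS the key is a function of Phase 1 material and the public nonces
    only; with PFS the fresh ephemeral DH secret is mixed in as well."""
    extra = b"" if pfs_secret is None else pfs_secret.to_bytes(128, "big")
    return hmac.new(phase1_secret, extra + nonces, hashlib.sha256).digest()

def demo():
    """Returns (peers agree, two exchanges differ, PFS key differs from non-PFS key)."""
    xa, ya = dh_keypair()
    xb, yb = dh_keypair()
    s1 = dh_shared(xa, yb)
    agree = s1 == dh_shared(xb, ya)          # both peers compute g^(xa*xb) mod p
    xa2, ya2 = dh_keypair()
    xb2, yb2 = dh_keypair()
    s2 = dh_shared(xa2, yb2)                 # a new exchange gives an unrelated secret
    phase1 = b"constructed-phase1-keying-material"   # stand-in, not real IKE output
    nonces = b"constructed-Ni-Nr"                    # stand-in for the Phase 2 nonces
    k_no_pfs = phase2_key(phase1, nonces)
    k_pfs = phase2_key(phase1, nonces, s1)
    return agree, s1 != s2, k_pfs != k_no_pfs
```

Anyone holding the Phase 1 material and the public nonces can recompute k_no_pfs, whereas k_pfs also requires the ephemeral secret that neither peer retains after the exchange.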
Firewall Mode: Routed, Transparent
Security Context: Single, Multiple Context, System
Chapter 62
VPN
OL-20339-01
This manual is also suitable for: ASA 5510, ASA 5540, ASA 5520, ASA 5550, ASA 5580